Thread (32 messages, 5 authors, 2013-03-29)

RE: [PATCH 3/3] powerpc/fsl: add MPIC timer wakeup support

From: Wang Dongsheng-B40534 <hidden>
Date: 2013-03-27 03:21:25

-----Original Message-----
From: Wood Scott-B07421
Sent: Wednesday, March 27, 2013 1:36 AM
To: Wang Dongsheng-B40534
Cc: Wood Scott-B07421; Gala Kumar-B11780; linuxppc-dev@lists.ozlabs.org;
Zhao Chenhui-B35336; Li Yang-R58472
Subject: Re: [PATCH 3/3] powerpc/fsl: add MPIC timer wakeup support
On 03/25/2013 10:27:24 PM, Wang Dongsheng-B40534 wrote:
-----Original Message-----
From: Wood Scott-B07421
Sent: Saturday, March 23, 2013 6:11 AM
To: Wang Dongsheng-B40534
Cc: Wood Scott-B07421; Gala Kumar-B11780;
linuxppc-dev@lists.ozlabs.org;
Zhao Chenhui-B35336; Li Yang-R58472
Subject: Re: [PATCH 3/3] powerpc/fsl: add MPIC timer wakeup support

On 03/22/2013 12:46:24 AM, Wang Dongsheng-B40534 wrote:
-----Original Message-----
From: Wood Scott-B07421
Sent: Thursday, March 21, 2013 5:49 AM
To: Wang Dongsheng-B40534
Cc: Wood Scott-B07421; Gala Kumar-B11780;
linuxppc-dev@lists.ozlabs.org;
Zhao Chenhui-B35336; Li Yang-R58472
Subject: Re: [PATCH 3/3] powerpc/fsl: add MPIC timer wakeup support
On 03/19/2013 10:48:53 PM, Wang Dongsheng-B40534 wrote:
	while (*s) {
		if ('0' <= *s && *s <= '9')
			val = *s - '0';
		else if ('a' <= _tolower(*s) && _tolower(*s) <= 'f')
			val = _tolower(*s) - 'a' + 10;
		else
			break;	//this will break out to convert.
Really?  How do you know that the next byte after the buffer isn't a
valid hex digit?  How do you even know that we won't take a fault
accessing it?
In what case is it unsafe? Please explain.
char buffer[1] = { '5' };
write(fd, &buffer, 1);

What comes after that '5' byte in the pointer you pass to kstrtol?
The buffer is in userspace. It will be copied into kernel space.
The kernel will get a free page and copy the buffer to that page.
This page has been cleared before the buffer is copied to it.
The page is therefore already null-terminated.
It doesn't allocate a whole page, it uses kmalloc (not kzalloc!).  Even
if kzalloc were used, a larger user buffer could be the exact size of the
region that was allocated.
See memdup_user() in mm/util.c
Did you miss something?

See fill_write_buffer() in fs/sysfs/file.c. It uses get_zeroed_page()...

See SYSCALL_DEFINE3(write,...) in fs/read_write.c

[c0000000f1ff3a60] [c000000000008224] .show_stack+0x74/0x1b0 (unreliable)
[c0000000f1ff3b10] [c00000000002f370] .fsl_timer_wakeup_store+0x30/0x200
[c0000000f1ff3bc0] [c00000000030accc] .dev_attr_store+0x3c/0x50
[c0000000f1ff3c30] [c00000000018c47c] .sysfs_write_file+0xec/0x1f0
[c0000000f1ff3ce0] [c00000000010dfb4] .vfs_write+0xf4/0x1b0
[c0000000f1ff3d80] [c00000000010e360] .SyS_write+0x60/0xe0
[c0000000f1ff3e30] [c000000000000590] syscall_exit+0x0/0x80
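The point of contention above is whether a hex-digit scan may rely on a NUL that the caller never wrote. The following is an added illustration, not code from the patch under review or from the kernel: it places a loop in the spirit of the quoted one (named hex_unbounded here, an assumed name) beside a variant (hex_bounded, also assumed) that takes the byte count explicitly, the way a sysfs store() callback receives `count`, and therefore gives the same answer no matter what the memory after the written bytes contains. The sample buffer is constructed so that a second hex digit happens to follow the single byte the caller wrote, which is exactly the case the thread argues about.

```c
#include <ctype.h>
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

/* Unbounded scan in the spirit of the loop quoted in the thread: it walks
 * until it meets a byte that is not a hex digit, so it silently depends on
 * such a byte (normally a NUL) existing somewhere after the data. */
static unsigned long hex_unbounded(const char *s)
{
    unsigned long val = 0;

    while (*s) {
        int c = tolower((unsigned char)*s);

        if ('0' <= c && c <= '9')
            val = (val << 4) | (unsigned long)(c - '0');
        else if ('a' <= c && c <= 'f')
            val = (val << 4) | (unsigned long)(c - 'a' + 10);
        else
            break;
        s++;
    }
    return val;
}

/* Bounded scan: `len` is the byte count the caller actually owns (a sysfs
 * store() callback gets this as `count`). Accepts an optional "0x" prefix and
 * one trailing newline (what `echo` appends), stops at NUL, and rejects empty
 * input, any other byte, and values that would overflow.
 * Returns 0 on success and -1 otherwise. */
static int hex_bounded(const char *s, size_t len, unsigned long *out)
{
    unsigned long val = 0;
    size_t i, ndigits = 0;

    if (len >= 2 && s[0] == '0' && tolower((unsigned char)s[1]) == 'x') {
        s += 2;
        len -= 2;
    }

    for (i = 0; i < len; i++) {
        int c = tolower((unsigned char)s[i]);
        unsigned long digit;

        if (c == '\0' || (c == '\n' && i + 1 == len))
            break;
        if ('0' <= c && c <= '9')
            digit = (unsigned long)(c - '0');
        else if ('a' <= c && c <= 'f')
            digit = (unsigned long)(c - 'a' + 10);
        else
            return -1;
        if (val > (ULONG_MAX >> 4))   /* next shift would overflow */
            return -1;
        val = (val << 4) | digit;
        ndigits++;
    }

    if (ndigits == 0)
        return -1;
    *out = val;
    return 0;
}

/* Convenience wrapper (assumed name): the parsed value, or -1 on any error. */
static long hex_bounded_or_neg(const char *s, size_t len)
{
    unsigned long v;

    if (hex_bounded(s, len, &v) != 0 || v > (unsigned long)LONG_MAX)
        return -1;
    return (long)v;
}

int main(void)
{
    /* Constructed input: the caller wrote exactly one byte, '5', but the
     * memory right after it happens to hold another hex digit. */
    char mem[3] = { '5', 'a', '\0' };
    unsigned long v = 0;

    printf("unbounded: 0x%lx\n", hex_unbounded(mem));
    printf("bounded  : rc=%d 0x%lx\n", hex_bounded(mem, 1, &v), v);
    printf("bad input: rc=%d\n", hex_bounded("zz", 2, &v));
    return 0;
}
```

With the constructed buffer the unbounded scan returns 0x5a because it consumes the stray 'a', while the bounded scan, told that only one byte was written, returns 5. Whether a particular kernel path happens to zero the page first is then irrelevant to the parser's correctness.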