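This code is scary from a security perspective: in the quoted i2o_cfg_swul() listing, swlen and maxfrag are read from user space with get_user() and go straight into `fragsize = swlen - (maxfrag - 1) * 8192` with no range check in between, and in i2o_cfg_swdl() the same expression sets the size passed to access_ok(), i2o_dma_alloc() and __copy_from_user(). It's old code; we only moved it to staging so that we could delete it in a later kernel release, so I'm not going to bother with this warning.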
regards, dan carpenter On Mon, Feb 16, 2015 at 06:04:22AM +0800, kbuild test robot wrote: > TO: Alan Cox <a...@linux.intel.com> > CC: "Greg Kroah-Hartman" <gre...@linuxfoundation.org> > > tree: git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git > master > head: b8acf73194186a5cba86812eb4ba17b897f0e13e > commit: 2cbf7fe2d5d32a4747c1f8ad163e886dccad930c [7695/9788] i2o: move to > staging > :::::: branch date: 3 days ago > :::::: commit date: 12 days ago > > drivers/staging/i2o/i2o_config.c:255 i2o_cfg_swdl() warn: check for integer > overflow 'swlen' > drivers/staging/i2o/i2o_config.c:334 i2o_cfg_swul() warn: check for integer > overflow 'swlen' > drivers/staging/i2o/i2o_config.c:508 i2o_cfg_evt_get() error: we previously > assumed 'p' could be null (see line 504) > drivers/staging/i2o/i2o_config.c:807 i2o_cfg_passthru() warn: check for > integer over/underflow 'user_msg' > > git remote add next > git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git > git remote update next > git checkout 2cbf7fe2d5d32a4747c1f8ad163e886dccad930c > vim +/swlen +255 drivers/staging/i2o/i2o_config.c > > ^1da177e drivers/message/i2o/i2o_config.c Linus Torvalds 2005-04-16 249 > return -EFAULT; > ^1da177e drivers/message/i2o/i2o_config.c Linus Torvalds 2005-04-16 250 > ^1da177e drivers/message/i2o/i2o_config.c Linus Torvalds 2005-04-16 251 > if (get_user(curfrag, kxfer.curfrag) < 0) > ^1da177e drivers/message/i2o/i2o_config.c Linus Torvalds 2005-04-16 252 > return -EFAULT; > ^1da177e drivers/message/i2o/i2o_config.c Linus Torvalds 2005-04-16 253 > ^1da177e drivers/message/i2o/i2o_config.c Linus Torvalds 2005-04-16 254 > if (curfrag == maxfrag) > ^1da177e drivers/message/i2o/i2o_config.c Linus Torvalds 2005-04-16 @255 > fragsize = swlen - (maxfrag - 1) * 8192; > ^1da177e drivers/message/i2o/i2o_config.c Linus Torvalds 2005-04-16 256 > ^1da177e drivers/message/i2o/i2o_config.c Linus Torvalds 2005-04-16 257 > if (!kxfer.buf || !access_ok(VERIFY_READ, kxfer.buf, 
fragsize)) > ^1da177e drivers/message/i2o/i2o_config.c Linus Torvalds 2005-04-16 258 > return -EFAULT; > ^1da177e drivers/message/i2o/i2o_config.c Linus Torvalds 2005-04-16 259 > ^1da177e drivers/message/i2o/i2o_config.c Linus Torvalds 2005-04-16 260 > c = i2o_find_iop(kxfer.iop); > ^1da177e drivers/message/i2o/i2o_config.c Linus Torvalds 2005-04-16 261 > if (!c) > ^1da177e drivers/message/i2o/i2o_config.c Linus Torvalds 2005-04-16 262 > return -ENXIO; > ^1da177e drivers/message/i2o/i2o_config.c Linus Torvalds 2005-04-16 263 > a1a5ea70 drivers/message/i2o/i2o_config.c Markus Lidel 2006-01-06 264 > msg = i2o_msg_get_wait(c, I2O_TIMEOUT_MESSAGE_GET); > a1a5ea70 drivers/message/i2o/i2o_config.c Markus Lidel 2006-01-06 265 > if (IS_ERR(msg)) > a1a5ea70 drivers/message/i2o/i2o_config.c Markus Lidel 2006-01-06 266 > return PTR_ERR(msg); > ^1da177e drivers/message/i2o/i2o_config.c Linus Torvalds 2005-04-16 267 > 9d793b0b drivers/message/i2o/i2o_config.c Alan Cox 2008-10-15 268 > if (i2o_dma_alloc(&c->pdev->dev, &buffer, fragsize)) { > a1a5ea70 drivers/message/i2o/i2o_config.c Markus Lidel 2006-01-06 269 > i2o_msg_nop(c, msg); > ^1da177e drivers/message/i2o/i2o_config.c Linus Torvalds 2005-04-16 270 > return -ENOMEM; > ^1da177e drivers/message/i2o/i2o_config.c Linus Torvalds 2005-04-16 271 > } > ^1da177e drivers/message/i2o/i2o_config.c Linus Torvalds 2005-04-16 272 > 9d69b7d3 drivers/message/i2o/i2o_config.c Randy Dunlap 2006-12-06 273 > if (__copy_from_user(buffer.virt, kxfer.buf, fragsize)) { > 9d69b7d3 drivers/message/i2o/i2o_config.c Randy Dunlap 2006-12-06 274 > i2o_msg_nop(c, msg); > 9d69b7d3 drivers/message/i2o/i2o_config.c Randy Dunlap 2006-12-06 275 > i2o_dma_free(&c->pdev->dev, &buffer); > 9d69b7d3 drivers/message/i2o/i2o_config.c Randy Dunlap 2006-12-06 276 > return -EFAULT; > 9d69b7d3 drivers/message/i2o/i2o_config.c Randy Dunlap 2006-12-06 277 > } > ^1da177e drivers/message/i2o/i2o_config.c Linus Torvalds 2005-04-16 278 > a1a5ea70 
drivers/message/i2o/i2o_config.c Markus Lidel 2006-01-06 279 > msg->u.head[0] = cpu_to_le32(NINE_WORD_MSG_SIZE | SGL_OFFSET_7); > a1a5ea70 drivers/message/i2o/i2o_config.c Markus Lidel 2006-01-06 280 > msg->u.head[1] = > a1a5ea70 drivers/message/i2o/i2o_config.c Markus Lidel 2006-01-06 281 > cpu_to_le32(I2O_CMD_SW_DOWNLOAD << 24 | HOST_TID << 12 | > a1a5ea70 drivers/message/i2o/i2o_config.c Markus Lidel 2006-01-06 282 > ADAPTER_TID); > a1a5ea70 drivers/message/i2o/i2o_config.c Markus Lidel 2006-01-06 283 > msg->u.head[2] = cpu_to_le32(i2o_config_driver.context); > a1a5ea70 drivers/message/i2o/i2o_config.c Markus Lidel 2006-01-06 284 > msg->u.head[3] = cpu_to_le32(0); > a1a5ea70 drivers/message/i2o/i2o_config.c Markus Lidel 2006-01-06 285 > msg->body[0] = > a1a5ea70 drivers/message/i2o/i2o_config.c Markus Lidel 2006-01-06 286 > cpu_to_le32((((u32) kxfer.flags) << 24) | (((u32) kxfer. > a1a5ea70 drivers/message/i2o/i2o_config.c Markus Lidel 2006-01-06 287 > sw_type) << 16) | > a1a5ea70 drivers/message/i2o/i2o_config.c Markus Lidel 2006-01-06 288 > (((u32) maxfrag) << 8) | (((u32) curfrag))); > a1a5ea70 drivers/message/i2o/i2o_config.c Markus Lidel 2006-01-06 289 > msg->body[1] = cpu_to_le32(swlen); > a1a5ea70 drivers/message/i2o/i2o_config.c Markus Lidel 2006-01-06 290 > msg->body[2] = cpu_to_le32(kxfer.sw_id); > a1a5ea70 drivers/message/i2o/i2o_config.c Markus Lidel 2006-01-06 291 > msg->body[3] = cpu_to_le32(0xD0000000 | fragsize); > a1a5ea70 drivers/message/i2o/i2o_config.c Markus Lidel 2006-01-06 292 > msg->body[4] = cpu_to_le32(buffer.phys); > ^1da177e drivers/message/i2o/i2o_config.c Linus Torvalds 2005-04-16 293 > ^1da177e drivers/message/i2o/i2o_config.c Linus Torvalds 2005-04-16 294 > osm_debug("swdl frag %d/%d (size %d)\n", curfrag, maxfrag, fragsize); > a1a5ea70 drivers/message/i2o/i2o_config.c Markus Lidel 2006-01-06 295 > status = i2o_msg_post_wait_mem(c, msg, 60, &buffer); > ^1da177e drivers/message/i2o/i2o_config.c Linus Torvalds 2005-04-16 296 > 
^1da177e drivers/message/i2o/i2o_config.c Linus Torvalds 2005-04-16 297 > if (status != -ETIMEDOUT) > ^1da177e drivers/message/i2o/i2o_config.c Linus Torvalds 2005-04-16 298 > i2o_dma_free(&c->pdev->dev, &buffer); > ^1da177e drivers/message/i2o/i2o_config.c Linus Torvalds 2005-04-16 299 > ^1da177e drivers/message/i2o/i2o_config.c Linus Torvalds 2005-04-16 300 > if (status != I2O_POST_WAIT_OK) { > ^1da177e drivers/message/i2o/i2o_config.c Linus Torvalds 2005-04-16 301 > // it fails if you try and send frags out of order > ^1da177e drivers/message/i2o/i2o_config.c Linus Torvalds 2005-04-16 302 > // and for some yet unknown reasons too > ^1da177e drivers/message/i2o/i2o_config.c Linus Torvalds 2005-04-16 303 > osm_info("swdl failed, DetailedStatus = %d\n", status); > ^1da177e drivers/message/i2o/i2o_config.c Linus Torvalds 2005-04-16 304 > return status; > ^1da177e drivers/message/i2o/i2o_config.c Linus Torvalds 2005-04-16 305 > } > ^1da177e drivers/message/i2o/i2o_config.c Linus Torvalds 2005-04-16 306 > ^1da177e drivers/message/i2o/i2o_config.c Linus Torvalds 2005-04-16 307 > return 0; > ^1da177e drivers/message/i2o/i2o_config.c Linus Torvalds 2005-04-16 308 }; > ^1da177e drivers/message/i2o/i2o_config.c Linus Torvalds 2005-04-16 309 > ^1da177e drivers/message/i2o/i2o_config.c Linus Torvalds 2005-04-16 310 > static int i2o_cfg_swul(unsigned long arg) > ^1da177e drivers/message/i2o/i2o_config.c Linus Torvalds 2005-04-16 311 { > ^1da177e drivers/message/i2o/i2o_config.c Linus Torvalds 2005-04-16 312 > struct i2o_sw_xfer kxfer; > ^1da177e drivers/message/i2o/i2o_config.c Linus Torvalds 2005-04-16 313 > struct i2o_sw_xfer __user *pxfer = (struct i2o_sw_xfer __user *)arg; > ^1da177e drivers/message/i2o/i2o_config.c Linus Torvalds 2005-04-16 314 > unsigned char maxfrag = 0, curfrag = 1; > ^1da177e drivers/message/i2o/i2o_config.c Linus Torvalds 2005-04-16 315 > struct i2o_dma buffer; > a1a5ea70 drivers/message/i2o/i2o_config.c Markus Lidel 2006-01-06 316 > struct 
i2o_message *msg; > ^1da177e drivers/message/i2o/i2o_config.c Linus Torvalds 2005-04-16 317 > unsigned int status = 0, swlen = 0, fragsize = 8192; > ^1da177e drivers/message/i2o/i2o_config.c Linus Torvalds 2005-04-16 318 > struct i2o_controller *c; > ^1da177e drivers/message/i2o/i2o_config.c Linus Torvalds 2005-04-16 319 > int ret = 0; > ^1da177e drivers/message/i2o/i2o_config.c Linus Torvalds 2005-04-16 320 > ^1da177e drivers/message/i2o/i2o_config.c Linus Torvalds 2005-04-16 321 > if (copy_from_user(&kxfer, pxfer, sizeof(struct i2o_sw_xfer))) > b1ffdc8f drivers/message/i2o/i2o_config.c Dan Carpenter 2010-04-23 322 > return -EFAULT; > ^1da177e drivers/message/i2o/i2o_config.c Linus Torvalds 2005-04-16 323 > ^1da177e drivers/message/i2o/i2o_config.c Linus Torvalds 2005-04-16 324 > if (get_user(swlen, kxfer.swlen) < 0) > b1ffdc8f drivers/message/i2o/i2o_config.c Dan Carpenter 2010-04-23 325 > return -EFAULT; > ^1da177e drivers/message/i2o/i2o_config.c Linus Torvalds 2005-04-16 326 > ^1da177e drivers/message/i2o/i2o_config.c Linus Torvalds 2005-04-16 327 > if (get_user(maxfrag, kxfer.maxfrag) < 0) > b1ffdc8f drivers/message/i2o/i2o_config.c Dan Carpenter 2010-04-23 328 > return -EFAULT; > ^1da177e drivers/message/i2o/i2o_config.c Linus Torvalds 2005-04-16 329 > ^1da177e drivers/message/i2o/i2o_config.c Linus Torvalds 2005-04-16 330 > if (get_user(curfrag, kxfer.curfrag) < 0) > b1ffdc8f drivers/message/i2o/i2o_config.c Dan Carpenter 2010-04-23 331 > return -EFAULT; > ^1da177e drivers/message/i2o/i2o_config.c Linus Torvalds 2005-04-16 332 > ^1da177e drivers/message/i2o/i2o_config.c Linus Torvalds 2005-04-16 333 > if (curfrag == maxfrag) > ^1da177e drivers/message/i2o/i2o_config.c Linus Torvalds 2005-04-16 @334 > fragsize = swlen - (maxfrag - 1) * 8192; > ^1da177e drivers/message/i2o/i2o_config.c Linus Torvalds 2005-04-16 335 > ^1da177e drivers/message/i2o/i2o_config.c Linus Torvalds 2005-04-16 336 > if (!kxfer.buf) > b1ffdc8f drivers/message/i2o/i2o_config.c Dan 
Carpenter 2010-04-23 337 > return -EFAULT; > > :::::: The code at line 255 was first introduced by commit > :::::: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Linux-2.6.12-rc2 > > :::::: TO: Linus Torvalds <torva...@ppc970.osdl.org> > :::::: CC: Linus Torvalds <torva...@ppc970.osdl.org> > > --- > 0-DAY kernel test infrastructure Open Source Technology Center > http://lists.01.org/mailman/listinfo/kbuild Intel Corporation _______________________________________________ kbuild mailing list kbuild@lists.01.org https://lists.01.org/mailman/listinfo/kbuild