p71924506
/
linux_old1
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

cxgb4: memory corruption in debugfs 

You can't use kstrtoul() with an int or it causes memory corruption.
Also j should be unsigned or we have underflow bugs.

I considered changing "j" to unsigned long but everything fits in a u32.

Fixes: 8e3d04fd7d ('cxgb4: Add MPS tracing support')
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
This commit is contained in:
Dan Carpenter 2015-08-18 12:31:44 +03:00 committed by David S. Miller
parent 3dc33e2322
commit c938a00344
1 changed files with 6 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
drivers/net/ethernet/chelsio/cxgb4/cxgb4_debugfs.c
View File

@ -1289,13 +1289,14 @@ static unsigned int xdigit2int(unsigned char c)
static ssize_t mps_trc_write(struct file *file, const char __user *buf, static ssize_t mps_trc_write(struct file *file, const char __user *buf,
size_t count, loff_t *pos) size_t count, loff_t *pos)
{ {
int i, j, enable, ret; int i, enable, ret;
u32 *data, *mask; u32 *data, *mask;
struct trace_params tp; struct trace_params tp;
const struct inode *ino; const struct inode *ino;
unsigned int trcidx; unsigned int trcidx;
char *s, *p, *word, *end; char *s, *p, *word, *end;
struct adapter *adap; struct adapter *adap;
u32 j;
ino = file_inode(file); ino = file_inode(file);
trcidx = (uintptr_t)ino->i_private & 3; trcidx = (uintptr_t)ino->i_private & 3;
@ -1340,7 +1341,7 @@ static ssize_t mps_trc_write(struct file *file, const char __user *buf,
if (!strncmp(word, "qid=", 4)) { if (!strncmp(word, "qid=", 4)) {
end = (char *)word + 4; end = (char *)word + 4;
ret = kstrtoul(end, 10, (unsigned long *)&j); ret = kstrtouint(end, 10, &j);
if (ret) if (ret)
goto out; goto out;
if (!adap->trace_rss) { if (!adap->trace_rss) {
@ -1369,7 +1370,7 @@ static ssize_t mps_trc_write(struct file *file, const char __user *buf,
} }
if (!strncmp(word, "snaplen=", 8)) { if (!strncmp(word, "snaplen=", 8)) {
end = (char *)word + 8; end = (char *)word + 8;
ret = kstrtoul(end, 10, (unsigned long *)&j); ret = kstrtouint(end, 10, &j);
if (ret || j > 9600) { if (ret || j > 9600) {
inval: count = -EINVAL; inval: count = -EINVAL;
goto out; goto out;
@ -1379,7 +1380,7 @@ inval: count = -EINVAL;
} }
if (!strncmp(word, "minlen=", 7)) { if (!strncmp(word, "minlen=", 7)) {
end = (char *)word + 7; end = (char *)word + 7;
ret = kstrtoul(end, 10, (unsigned long *)&j); ret = kstrtouint(end, 10, &j);
if (ret || j > TFMINPKTSIZE_M) if (ret || j > TFMINPKTSIZE_M)
goto inval; goto inval;
tp.min_len = j; tp.min_len = j;
@ -1453,7 +1454,7 @@ inval: count = -EINVAL;
} }
if (*word == '@') { if (*word == '@') {
end = (char *)word + 1; end = (char *)word + 1;
ret = kstrtoul(end, 10, (unsigned long *)&j); ret = kstrtouint(end, 10, &j);
if (*end && *end != '\n') if (*end && *end != '\n')
goto inval; goto inval;
if (j & 7) /* doesn't start at multiple of 8 */ if (j & 7) /* doesn't start at multiple of 8 */