[PATCH 3/3] powerpc/fsl: add MPIC timer wakeup support

Scott Wood scottwood at freescale.com
Wed Mar 27 04:35:42 EST 2013


On 03/25/2013 10:27:24 PM, Wang Dongsheng-B40534 wrote:
> 
> 
> > -----Original Message-----
> > From: Wood Scott-B07421
> > Sent: Saturday, March 23, 2013 6:11 AM
> > To: Wang Dongsheng-B40534
> > Cc: Wood Scott-B07421; Gala Kumar-B11780; linuxppc-dev at lists.ozlabs.org;
> > Zhao Chenhui-B35336; Li Yang-R58472
> > Subject: Re: [PATCH 3/3] powerpc/fsl: add MPIC timer wakeup support
> >
> > On 03/22/2013 12:46:24 AM, Wang Dongsheng-B40534 wrote:
> > >
> > >
> > > > -----Original Message-----
> > > > From: Wood Scott-B07421
> > > > Sent: Thursday, March 21, 2013 5:49 AM
> > > > To: Wang Dongsheng-B40534
> > > > Cc: Wood Scott-B07421; Gala Kumar-B11780; linuxppc-dev at lists.ozlabs.org;
> > > > Zhao Chenhui-B35336; Li Yang-R58472
> > > > Subject: Re: [PATCH 3/3] powerpc/fsl: add MPIC timer wakeup support
> > > >
> > > > On 03/19/2013 10:48:53 PM, Wang Dongsheng-B40534 wrote:
> > > > > 	while (*s) {
> > > > > 		if ('0' <= *s && *s <= '9')
> > > > > 			val = *s - '0';
> > > > > 		else if ('a' <= _tolower(*s) && _tolower(*s) <=  
> 'f')
> > > > > 			val = _tolower(*s) - 'a' + 10;
> > > > > 		else
> > > > > 			break;	//this will break out to  
> convert.
> > > >
> > > > Really?  How do you know that the next byte after the buffer isn't a
> > > > valid hex digit?  How do you even know that we won't take a fault
> > > > accessing it?
> > > >
> > > Under what case is it unsafe? Please make sense.
> >
> > char buffer[1] = { '5' };
> > write(fd, &buffer, 1);
> >
> > What comes after that '5' byte in the pointer you pass to kstrtol?
> >
> The buffer is in userspace. It will fall into kernel space.
> The kernel will get a free page and copy the buffer to the page.
> This page has been cleared before the copy to the page.
> The page is already null-terminated.

It doesn't allocate a whole page, it uses kmalloc (not kzalloc!).  Even  
if kzalloc were used, a larger user buffer could be the exact size of  
the region that was allocated.

See memdup_user() in mm/util.c

-Scott
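
Added example, not part of the original message or of the patch under review: a userspace C model of the one-byte write discussed above. `heap_model`, both parser functions and the `demo_*` helpers are constructed for illustration; the first parser mimics the quoted loop, the second copies exactly `count` bytes and terminates them before parsing.

```c
#include <ctype.h>
#include <errno.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Parser in the style of the quoted loop: it stops only at a non-hex byte. */
static long parse_hex_until_nonhex(const char *s)
{
	long acc = 0;

	for (; isxdigit((unsigned char)*s); s++) {
		int c = tolower((unsigned char)*s);
		acc = acc * 16 + (isdigit(c) ? c - '0' : c - 'a' + 10);
	}
	return acc;
}

/* Bounded variant: copy exactly count bytes and add the terminator ourselves. */
static int parse_hex_bounded(const char *buf, size_t count, long *out)
{
	char tmp[2 * sizeof(long) + 1];
	char *end;

	if (count == 0 || count >= sizeof(tmp))
		return -EINVAL;
	memcpy(tmp, buf, count);
	tmp[count] = '\0';
	errno = 0;
	*out = strtol(tmp, &end, 16);
	if (*end == '\n')		/* tolerate one trailing newline */
		end++;
	if (errno || end == tmp || *end != '\0')
		return -EINVAL;
	return 0;
}

/*
 * Constructed stand-in for an exact-size, uncleared allocation: the caller's
 * single byte '5' followed by stale bytes left over from an earlier user.
 */
static const char heap_model[] = { '5', 'a', '3', '\0' };

/* The unterminated parse runs into the stale bytes and yields 0x5a3. */
static long demo_unbounded(void) { return parse_hex_until_nonhex(heap_model); }

/* The bounded parse sees only the one byte that was written and yields 5. */
static long demo_bounded(void)
{
	long v = -1;
	return parse_hex_bounded(heap_model, 1, &v) ? -1 : v;
}
```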

