tree:   https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
head:   d01e7f10dae29eba0f9ada82b65d24e035d5b2f9
commit: 07edff9265204e15c9fc8d07cc69e38c4c484e15 vt: keyboard, reorder user buffer handling in vt_do_kdgkb_ioctl
date:   6 weeks ago
config: sh-randconfig-s032-20201216 (attached as .config)
compiler: sh4-linux-gcc (GCC) 9.3.0
reproduce:
        wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
        chmod +x ~/bin/make.cross
        # apt-get install sparse
        # sparse version: v0.6.3-184-g1b896707-dirty
        # https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=07edff9265204e15c9fc8d07cc69e38c4c484e15
        git remote add linus https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
        git fetch --no-tags linus master
        git checkout 07edff9265204e15c9fc8d07cc69e38c4c484e15
        # save the attached .config to linux build tree
        COMPILER_INSTALL_PATH=$HOME/0day COMPILER=gcc-9.3.0 make.cross C=1 CF='-fdiagnostic-prefix -D__CHECK_ENDIAN__' ARCH=sh

If you fix the issue, kindly add the following tag as appropriate
Reported-by: kernel test robot <l...@intel.com>


"sparse warnings: (new ones prefixed by >>)"
   drivers/tty/vt/keyboard.c:1745:21: sparse: sparse: incorrect type in 
initializer (different address spaces) @@     expected unsigned int const 
*__gu_addr @@     got unsigned int [noderef] __user * @@
   drivers/tty/vt/keyboard.c:1745:21: sparse:     expected unsigned int const 
*__gu_addr
   drivers/tty/vt/keyboard.c:1745:21: sparse:     got unsigned int [noderef] 
__user *
   drivers/tty/vt/keyboard.c:1745:21: sparse: sparse: incorrect type in 
argument 1 (different address spaces) @@     expected void const volatile 
[noderef] __user *ptr @@     got unsigned int const *__gu_addr @@
   drivers/tty/vt/keyboard.c:1745:21: sparse:     expected void const volatile 
[noderef] __user *ptr
   drivers/tty/vt/keyboard.c:1745:21: sparse:     got unsigned int const 
*__gu_addr
   drivers/tty/vt/keyboard.c:1783:21: sparse: sparse: incorrect type in 
initializer (different address spaces) @@     expected unsigned int const 
*__gu_addr @@     got unsigned int [noderef] __user * @@
   drivers/tty/vt/keyboard.c:1783:21: sparse:     expected unsigned int const 
*__gu_addr
   drivers/tty/vt/keyboard.c:1783:21: sparse:     got unsigned int [noderef] 
__user *
   drivers/tty/vt/keyboard.c:1783:21: sparse: sparse: incorrect type in 
argument 1 (different address spaces) @@     expected void const volatile 
[noderef] __user *ptr @@     got unsigned int const *__gu_addr @@
   drivers/tty/vt/keyboard.c:1783:21: sparse:     expected void const volatile 
[noderef] __user *ptr
   drivers/tty/vt/keyboard.c:1783:21: sparse:     got unsigned int const 
*__gu_addr
>> drivers/tty/vt/keyboard.c:2037:13: sparse: sparse: incorrect type in 
>> initializer (different address spaces) @@     expected unsigned char const 
>> *__gu_addr @@     got unsigned char [noderef] __user * @@
   drivers/tty/vt/keyboard.c:2037:13: sparse:     expected unsigned char const 
*__gu_addr
   drivers/tty/vt/keyboard.c:2037:13: sparse:     got unsigned char [noderef] 
__user *
>> drivers/tty/vt/keyboard.c:2037:13: sparse: sparse: incorrect type in 
>> argument 1 (different address spaces) @@     expected void const volatile 
>> [noderef] __user *ptr @@     got unsigned char const *__gu_addr @@
   drivers/tty/vt/keyboard.c:2037:13: sparse:     expected void const volatile 
[noderef] __user *ptr
   drivers/tty/vt/keyboard.c:2037:13: sparse:     got unsigned char const 
*__gu_addr

vim +2037 drivers/tty/vt/keyboard.c

  2020  
  2021  /* FIXME: This one needs untangling */
        /*
         * Read (KDGKBSENT) or replace (KDSKBSENT) one function-key string.
         *
         * cmd        - KDGKBSENT or KDSKBSENT.
         * user_kdgkb - user-space struct kbsentry; kb_func selects the
         *              func_table slot and kb_string carries the string.
         * perm       - caller's permission flag; it is cleared here when the
         *              caller lacks CAP_SYS_TTY_CONFIG, and KDSKBSENT returns
         *              -EPERM when it is zero.
         *
         * Returns 0 on success, -EFAULT when a user copy fails, -ENOMEM on
         * allocation failure, -EPERM as above, or the error that
         * strndup_user() reports.
         *
         * NOTE(review): kbs is not initialised before the switch and the
         * switch has no default, so for a cmd matching neither case the
         * kfree(kbs) at reterr would receive an indeterminate pointer.
         * Presumably callers pass only these two commands; confirm.
         */
  2022  int vt_do_kdgkb_ioctl(int cmd, struct kbsentry __user *user_kdgkb, int 
perm)
  2023  {
  2024          char *kbs;
  2025          u_char *q;
  2026          int sz, fnw_sz;
  2027          int delta;
  2028          char *first_free, *fj, *fnw;
  2029          int j, k;
  2030          int ret;
  2031          unsigned long flags;
  2032          unsigned char kb_func;
  2033  
  2034          if (!capable(CAP_SYS_TTY_CONFIG))
  2035                  perm = 0;
  2036  
                /*
                 * This is the line the sparse report flags. __gu_addr does not
                 * appear in this function, so it presumably comes from the
                 * architecture's get_user() expansion rather than from this
                 * call site; confirm against the sh uaccess headers.
                 */
> 2037          if (get_user(kb_func, &user_kdgkb->kb_func))
  2038                  return -EFAULT;
  2039  
                /*
                 * kb_func is user-controlled and indexes func_table below;
                 * clamp it so a mispredicted path cannot use an out-of-range
                 * index speculatively.
                 */
  2040          kb_func = array_index_nospec(kb_func, MAX_NR_FUNC);
  2041  
  2042          switch (cmd) {
  2043          case KDGKBSENT: {
  2044                  /* size should have been a struct member */
  2045                  ssize_t len = sizeof(user_kdgkb->kb_string);
  2046  
  2047                  kbs = kmalloc(len, GFP_KERNEL);
  2048                  if (!kbs)
  2049                          return -ENOMEM;
  2050  
                        /*
                         * Snapshot the string into a kernel buffer under the
                         * lock; the copy to user space happens only after the
                         * spinlock is released, since it may fault.
                         *
                         * strlcpy() returns the length of the source string,
                         * not the number of bytes copied, so the len + 1 below
                         * stays inside the kmalloc'ed buffer only while stored
                         * strings are shorter than sizeof(kb_string). The
                         * KDSKBSENT path bounds new strings with
                         * strndup_user(). NOTE(review): confirm that every
                         * other writer of func_table keeps that bound.
                         */
  2051                  spin_lock_irqsave(&func_buf_lock, flags);
  2052                  len = strlcpy(kbs, func_table[kb_func] ? : "", len);
  2053                  spin_unlock_irqrestore(&func_buf_lock, flags);
  2054  
  2055                  ret = copy_to_user(user_kdgkb->kb_string, kbs, len + 1) 
?
  2056                          -EFAULT : 0;
  2057  
  2058                  goto reterr;
  2059          }
  2060          case KDSKBSENT:
  2061                  if (!perm)
  2062                          return -EPERM;
  2063  
                        /*
                         * Copy the new string in from user space, bounded by
                         * the size of kb_string; on failure kbs is an ERR_PTR
                         * and is returned as an error code without being freed.
                         */
  2064                  kbs = strndup_user(user_kdgkb->kb_string,
  2065                                  sizeof(user_kdgkb->kb_string));
  2066                  if (IS_ERR(kbs))
  2067                          return PTR_ERR(kbs);
  2068  
  2069                  fnw = NULL;
  2070                  fnw_sz = 0;
  2071                  /* race against other writers */
                        /*
                         * The lock is dropped around kmalloc() below, so every
                         * pass through 'again' recomputes q, fj, first_free and
                         * delta from the current buffer state.
                         */
  2072                  again:
  2073                  spin_lock_irqsave(&func_buf_lock, flags);
  2074                  q = func_table[kb_func];
  2075  
  2076                  /* fj pointer to next entry after 'q' */
  2077                  first_free = funcbufptr + (funcbufsize - funcbufleft);
  2078                  for (j = kb_func + 1; j < MAX_NR_FUNC && 
!func_table[j]; j++)
  2079                          ;
  2080                  if (j < MAX_NR_FUNC)
  2081                          fj = func_table[j];
  2082                  else
  2083                          fj = first_free;
  2084                  /* buffer usage increase by new entry */
  2085                  delta = (q ? -strlen(q) : 1) + strlen(kbs);
  2086  
                        /*
                         * NOTE(review): if an earlier pass allocated fnw and
                         * this pass takes the in-place branch, nothing visible
                         * here frees fnw (reterr only frees kbs) - confirm
                         * whether that allocation is leaked.
                         */
  2087                  if (delta <= funcbufleft) {     /* it fits in current 
buf */
  2088                      if (j < MAX_NR_FUNC) {
  2089                          /* make enough space for new entry at 'fj' */
  2090                          memmove(fj + delta, fj, first_free - fj);
  2091                          for (k = j; k < MAX_NR_FUNC; k++)
  2092                              if (func_table[k])
  2093                                  func_table[k] += delta;
  2094                      }
  2095                      if (!q)
  2096                        func_table[kb_func] = fj;
  2097                      funcbufleft -= delta;
  2098                  } else {                        /* allocate a larger 
buffer */
                            /* smallest power of two, at least 256, that holds the new usage */
  2099                      sz = 256;
  2100                      while (sz < funcbufsize - funcbufleft + delta)
  2101                        sz <<= 1;
                            /*
                             * No buffer of the required size is in hand yet:
                             * drop the lock, allocate one and start over.
                             */
  2102                      if (fnw_sz != sz) {
  2103                        spin_unlock_irqrestore(&func_buf_lock, flags);
  2104                        kfree(fnw);
  2105                        fnw = kmalloc(sz, GFP_KERNEL);
  2106                        fnw_sz = sz;
  2107                        if (!fnw) {
  2108                          ret = -ENOMEM;
  2109                          goto reterr;
  2110                        }
  2111                        goto again;
  2112                      }
  2113  
  2114                      if (!q)
  2115                        func_table[kb_func] = fj;
  2116                      /* copy data before insertion point to new location 
*/
  2117                      if (fj > funcbufptr)
  2118                          memmove(fnw, funcbufptr, fj - funcbufptr);
  2119                      for (k = 0; k < j; k++)
  2120                        if (func_table[k])
  2121                          func_table[k] = fnw + (func_table[k] - 
funcbufptr);
  2122  
  2123                      /* copy data after insertion point to new location 
*/
  2124                      if (first_free > fj) {
  2125                          memmove(fnw + (fj - funcbufptr) + delta, fj, 
first_free - fj);
  2126                          for (k = j; k < MAX_NR_FUNC; k++)
  2127                            if (func_table[k])
  2128                              func_table[k] = fnw + (func_table[k] - 
funcbufptr) + delta;
  2129                      }
                            /*
                             * The old buffer is freed unless it is func_buf
                             * (presumably the initial, non-kmalloc'ed buffer -
                             * confirm against its definition).
                             */
  2130                      if (funcbufptr != func_buf)
  2131                        kfree(funcbufptr);
  2132                      funcbufptr = fnw;
  2133                      funcbufleft = funcbufleft - delta + sz - 
funcbufsize;
  2134                      funcbufsize = sz;
  2135                  }
  2136                  /* finally insert item itself */
                        /*
                         * Unbounded strcpy(): it relies on the delta accounting
                         * above having reserved strlen(kbs) + 1 bytes at
                         * func_table[kb_func].
                         */
  2137                  strcpy(func_table[kb_func], kbs);
  2138                  spin_unlock_irqrestore(&func_buf_lock, flags);
  2139                  break;
  2140          }
  2141          ret = 0;
  2142  reterr:
  2143          kfree(kbs);
  2144          return ret;
  2145  }
  2146  

---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-...@lists.01.org

Attachment: .config.gz
Description: application/gzip
