tree:   https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 
master
head:   fe07bfda2fb9cdef8a4d4008a409bb02f35f1bd8
commit: 20224d715a882210428ea62bba93f1bc4a0afe23 drm/msm/submit: Move 
copy_from_user ahead of locking bos
config: arm64-randconfig-m031-20210301 (attached as .config)
compiler: aarch64-linux-gcc (GCC) 9.3.0

If you fix the issue, kindly add the following tags as appropriate
Reported-by: kernel test robot <l...@intel.com>
Reported-by: Dan Carpenter <dan.carpen...@oracle.com>

smatch warnings:
drivers/gpu/drm/msm/msm_gem_submit.c:202 submit_lookup_cmds() warn: impossible 
condition '(sz == (~0)) => (0-u32max == u64max)'

vim +202 drivers/gpu/drm/msm/msm_gem_submit.c

20224d715a8822 Rob Clark 2020-10-23  158  static int submit_lookup_cmds(struct 
msm_gem_submit *submit,
20224d715a8822 Rob Clark 2020-10-23  159                struct 
drm_msm_gem_submit *args, struct drm_file *file)
20224d715a8822 Rob Clark 2020-10-23  160  {
20224d715a8822 Rob Clark 2020-10-23  161        unsigned i, sz;
20224d715a8822 Rob Clark 2020-10-23  162        int ret = 0;
20224d715a8822 Rob Clark 2020-10-23  163  
20224d715a8822 Rob Clark 2020-10-23  164        for (i = 0; i < args->nr_cmds; 
i++) {
20224d715a8822 Rob Clark 2020-10-23  165                struct 
drm_msm_gem_submit_cmd submit_cmd;
20224d715a8822 Rob Clark 2020-10-23  166                void __user *userptr =
20224d715a8822 Rob Clark 2020-10-23  167                        
u64_to_user_ptr(args->cmds + (i * sizeof(submit_cmd)));
20224d715a8822 Rob Clark 2020-10-23  168  
20224d715a8822 Rob Clark 2020-10-23  169                ret = 
copy_from_user(&submit_cmd, userptr, sizeof(submit_cmd));
20224d715a8822 Rob Clark 2020-10-23  170                if (ret) {
20224d715a8822 Rob Clark 2020-10-23  171                        ret = -EFAULT;
20224d715a8822 Rob Clark 2020-10-23  172                        goto out;
20224d715a8822 Rob Clark 2020-10-23  173                }
20224d715a8822 Rob Clark 2020-10-23  174  
20224d715a8822 Rob Clark 2020-10-23  175                /* validate input from 
userspace: */
20224d715a8822 Rob Clark 2020-10-23  176                switch 
(submit_cmd.type) {
20224d715a8822 Rob Clark 2020-10-23  177                case MSM_SUBMIT_CMD_BUF:
20224d715a8822 Rob Clark 2020-10-23  178                case 
MSM_SUBMIT_CMD_IB_TARGET_BUF:
20224d715a8822 Rob Clark 2020-10-23  179                case 
MSM_SUBMIT_CMD_CTX_RESTORE_BUF:
20224d715a8822 Rob Clark 2020-10-23  180                        break;
20224d715a8822 Rob Clark 2020-10-23  181                default:
20224d715a8822 Rob Clark 2020-10-23  182                        
DRM_ERROR("invalid type: %08x\n", submit_cmd.type);
20224d715a8822 Rob Clark 2020-10-23  183                        return -EINVAL;
20224d715a8822 Rob Clark 2020-10-23  184                }
20224d715a8822 Rob Clark 2020-10-23  185  
20224d715a8822 Rob Clark 2020-10-23  186                if (submit_cmd.size % 
4) {
20224d715a8822 Rob Clark 2020-10-23  187                        
DRM_ERROR("non-aligned cmdstream buffer size: %u\n",
20224d715a8822 Rob Clark 2020-10-23  188                                        
submit_cmd.size);
20224d715a8822 Rob Clark 2020-10-23  189                        ret = -EINVAL;
20224d715a8822 Rob Clark 2020-10-23  190                        goto out;
20224d715a8822 Rob Clark 2020-10-23  191                }
20224d715a8822 Rob Clark 2020-10-23  192  
20224d715a8822 Rob Clark 2020-10-23  193                submit->cmd[i].type = 
submit_cmd.type;
20224d715a8822 Rob Clark 2020-10-23  194                submit->cmd[i].size = 
submit_cmd.size / 4;
20224d715a8822 Rob Clark 2020-10-23  195                submit->cmd[i].offset = 
submit_cmd.submit_offset / 4;
20224d715a8822 Rob Clark 2020-10-23  196                submit->cmd[i].idx  = 
submit_cmd.submit_idx;
20224d715a8822 Rob Clark 2020-10-23  197                
submit->cmd[i].nr_relocs = submit_cmd.nr_relocs;
20224d715a8822 Rob Clark 2020-10-23  198  
20224d715a8822 Rob Clark 2020-10-23  199                sz = 
array_size(submit_cmd.nr_relocs,
20224d715a8822 Rob Clark 2020-10-23  200                                
sizeof(struct drm_msm_gem_submit_reloc));
20224d715a8822 Rob Clark 2020-10-23  201                /* check for overflow: 
*/
20224d715a8822 Rob Clark 2020-10-23 @202                if (sz == SIZE_MAX) {
                                                            ^^^^^^^^^^^^^^
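"sz" is a u32 so it can't equal SIZE_MAX (ULONG_MAX) on 64 bit systems.  I would
just leave this check out and let kmalloc() fail with a splat.  Note that
assigning the array_size() result to a 32-bit "sz" also truncates it, so a
large nr_relocs from userspace may yield a small allocation rather than a
failed one, while submit->cmd[i].nr_relocs keeps the full count; declaring
"sz" as size_t would keep the overflow check meaningful.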

20224d715a8822 Rob Clark 2020-10-23  203                        ret = -ENOMEM;
20224d715a8822 Rob Clark 2020-10-23  204                        goto out;
20224d715a8822 Rob Clark 2020-10-23  205                }
20224d715a8822 Rob Clark 2020-10-23  206                submit->cmd[i].relocs = 
kmalloc(sz, GFP_KERNEL);
20224d715a8822 Rob Clark 2020-10-23  207                ret = 
copy_from_user(submit->cmd[i].relocs, userptr, sz);
20224d715a8822 Rob Clark 2020-10-23  208                if (ret) {
20224d715a8822 Rob Clark 2020-10-23  209                        ret = -EFAULT;
20224d715a8822 Rob Clark 2020-10-23  210                        goto out;
20224d715a8822 Rob Clark 2020-10-23  211                }

The zero day bot will probably send you an email suggesting memdup_user()
here, which also covers the unchecked kmalloc() return value:

        tmp = memdup_user(userptr, sz);
        if (IS_ERR(tmp)) {
                ret = PTR_ERR(tmp);
                goto out;
        }
        submit->cmd[i].relocs = tmp;

20224d715a8822 Rob Clark 2020-10-23  212        }
20224d715a8822 Rob Clark 2020-10-23  213  
20224d715a8822 Rob Clark 2020-10-23  214  out:
20224d715a8822 Rob Clark 2020-10-23  215        return ret;
20224d715a8822 Rob Clark 2020-10-23  216  }

---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-...@lists.01.org

Attachment: .config.gz
Description: application/gzip
