Re: [PATCH RESEND 6/6] media: v4l2-compat-ioctl32: simplify casts

2018-04-19 Thread Mauro Carvalho Chehab
Em Thu, 19 Apr 2018 13:37:52 +0200
Hans Verkuil  escreveu:

> On 04/19/18 13:15, Mauro Carvalho Chehab wrote:
> > Making the cast right for get_user/put_user is not trivial, as
> > it needs to ensure that the types are the correct ones.
> > 
> > Improve it by using macros.
> > 
> > Tested with vivid with:
> > $ sudo modprobe vivid no_error_inj=1
> > $ v4l2-compliance-32bits -a -s10 >32bits && v4l2-compliance-64bits -a 
> > -s10 > 64bits && diff -U0 32bits 64bits
> > --- 32bits  2018-04-17 11:18:29.141240772 -0300
> > +++ 64bits  2018-04-17 11:18:40.635282341 -0300
> > @@ -1 +1 @@
> > -v4l2-compliance SHA   : bc71e4a67c6fbc5940062843bc41e7c8679634ce, 32 
> > bits
> > +v4l2-compliance SHA   : bc71e4a67c6fbc5940062843bc41e7c8679634ce, 64 
> > bits
> > 
> > Using the latest version of v4l-utils with this patch applied:
> > https://patchwork.linuxtv.org/patch/48746/
> > 
> > Signed-off-by: Mauro Carvalho Chehab 
> > ---
> >  drivers/media/v4l2-core/v4l2-compat-ioctl32.c | 40 
> > ++-
> >  1 file changed, 27 insertions(+), 13 deletions(-)
> > 
> > diff --git a/drivers/media/v4l2-core/v4l2-compat-ioctl32.c 
> > b/drivers/media/v4l2-core/v4l2-compat-ioctl32.c
> > index 8c05dd9660d3..d2f0268427c2 100644
> > --- a/drivers/media/v4l2-core/v4l2-compat-ioctl32.c
> > +++ b/drivers/media/v4l2-core/v4l2-compat-ioctl32.c
> > @@ -30,6 +30,24 @@
> > get_user(__assign_tmp, from) || put_user(__assign_tmp, to); \
> >  })
> >  
> > +#define get_user_cast(__x, __ptr)  \
> > +({ \
> > +   get_user(__x, (typeof(*__ptr) __user *)(__ptr));\
> > +})
> > +
> > +#define put_user_force(__x, __ptr) \
> > +({ \
> > +   put_user((typeof(*__x) __force *)(__x), __ptr); \
> > +})
> > +
> > +#define assign_in_user_cast(to, from)  
> > \
> > +({ \
> > +   typeof(*from) __assign_tmp; \
> > +   \
> > +   get_user_cast(__assign_tmp, from) || put_user(__assign_tmp, to);\
> > +})  
> 
> Please add comments for these macros. It's not trivially obvious what they
> do and why they are needed.

Ok. Would the comments below be acceptable?

I may eventually post it as a separate patch, adding documentation to some
other functions (maybe adding it to some .rst file).

diff --git a/drivers/media/v4l2-core/v4l2-compat-ioctl32.c 
b/drivers/media/v4l2-core/v4l2-compat-ioctl32.c
index d2f0268427c2..9530661d9b43 100644
--- a/drivers/media/v4l2-core/v4l2-compat-ioctl32.c
+++ b/drivers/media/v4l2-core/v4l2-compat-ioctl32.c
@@ -22,7 +22,18 @@
 #include 
 #include 
 
-/* Use the same argument order as copy_in_user */
+/**
+ * assign_in_user() - Copy from one __user var to another one
+ *
+ * @to: __user var where data will be stored
+ * @from: __user var were data will be retrieved.
+ *
+ * As this code very often needs to allocate userspace memory, it is easier
+ * to have a macro that will do both get_user() and put_user() at once.
+ *
+ * This function complements the macros defined at asm-generic/uaccess.h.
+ * It uses the same argument order as copy_in_user()
+ */
 #define assign_in_user(to, from)   \
 ({ \
typeof(*from) __assign_tmp; \
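Review bot: The new kerneldoc for assign_in_user() does not say what the macro evaluates to, and callers depend on that: the body (which ends in the next hunk) is `get_user(__assign_tmp, from) || put_user(__assign_tmp, to)`, so the result is 0 on success and 1 on a fault, not -EFAULT. I would add a line such as ` * Return: zero on success, non-zero if either user access faults; the caller must turn that into -EFAULT.` The text should also describe @to and @from as __user pointers rather than vars, say "where" instead of "were", and call this a macro rather than a function. The get_user_cast() comment in the following hunk has the same wording problems, and its `@ptr` does not match the parameter name `__ptr`.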
@@ -30,16 +41,57 @@
get_user(__assign_tmp, from) || put_user(__assign_tmp, to); \
 })
 
+/**
+ * get_user_cast() - Stores at a kernelspace local var the contents from a
+ * pointer with userspace data that is not tagged with __user.
+ *
+ * @__x: var where data will be stored
+ * @ptr: var were data will be retrieved.
+ *
+ * Sometimes, we need to declare a pointer without __user, because it
+ * comes from a pointer struct field that will be retrieved from userspace
+ * by the 64-bit native ioctl handler. This function ensures that the
+ * @ptr will be casted to __user before calling get_user(), in order to
+ * avoid warnings with static code analyzers like smatch.
+ */
 #define get_user_cast(__x, __ptr)  \
 ({ \
get_user(__x, (typeof(*__ptr) __user *)(__ptr));\
 })
 
+/**
+ * put_user_force() - Stores at the contents of a kernelspace local var
+ *   into an userspace pointer, removing any __user cast.
+ *
+ * @__x: var where data will be stored
+ * @ptr: var were data will be retrieved.
+ *
+ * As the compat32 code now handles with 32-bits and 64-bits __user
+ * structs, sometimes we 

Re: [PATCH RESEND 6/6] media: v4l2-compat-ioctl32: simplify casts

2018-04-19 Thread Hans Verkuil
On 04/19/18 13:15, Mauro Carvalho Chehab wrote:
> Making the cast right for get_user/put_user is not trivial, as
> it needs to ensure that the types are the correct ones.
> 
> Improve it by using macros.
> 
> Tested with vivid with:
>   $ sudo modprobe vivid no_error_inj=1
>   $ v4l2-compliance-32bits -a -s10 >32bits && v4l2-compliance-64bits -a 
> -s10 > 64bits && diff -U0 32bits 64bits
>   --- 32bits  2018-04-17 11:18:29.141240772 -0300
>   +++ 64bits  2018-04-17 11:18:40.635282341 -0300
>   @@ -1 +1 @@
>   -v4l2-compliance SHA   : bc71e4a67c6fbc5940062843bc41e7c8679634ce, 32 
> bits
>   +v4l2-compliance SHA   : bc71e4a67c6fbc5940062843bc41e7c8679634ce, 64 
> bits
> 
> Using the latest version of v4l-utils with this patch applied:
>   https://patchwork.linuxtv.org/patch/48746/
> 
> Signed-off-by: Mauro Carvalho Chehab 
> ---
>  drivers/media/v4l2-core/v4l2-compat-ioctl32.c | 40 
> ++-
>  1 file changed, 27 insertions(+), 13 deletions(-)
> 
> diff --git a/drivers/media/v4l2-core/v4l2-compat-ioctl32.c 
> b/drivers/media/v4l2-core/v4l2-compat-ioctl32.c
> index 8c05dd9660d3..d2f0268427c2 100644
> --- a/drivers/media/v4l2-core/v4l2-compat-ioctl32.c
> +++ b/drivers/media/v4l2-core/v4l2-compat-ioctl32.c
> @@ -30,6 +30,24 @@
>   get_user(__assign_tmp, from) || put_user(__assign_tmp, to); \
>  })
>  
> +#define get_user_cast(__x, __ptr)\
> +({   \
> + get_user(__x, (typeof(*__ptr) __user *)(__ptr));\
> +})
> +
> +#define put_user_force(__x, __ptr)   \
> +({   \
> + put_user((typeof(*__x) __force *)(__x), __ptr); \
> +})
> +
> +#define assign_in_user_cast(to, from)
> \
> +({   \
> + typeof(*from) __assign_tmp; \
> + \
> + get_user_cast(__assign_tmp, from) || put_user(__assign_tmp, to);\
> +})

Please add comments for these macros. It's not trivially obvious what they
do and why they are needed.

> +
> +
>  static long native_ioctl(struct file *file, unsigned int cmd, unsigned long 
> arg)
>  {
>   long ret = -ENOIOCTLCMD;
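Review bot: The three new macros use their arguments unparenthesized inside `typeof(*__ptr)`, `typeof(*__x)` and `typeof(*from)`, so an argument more complex than an identifier or an `&a->b` expression can bind differently from what the caller meant; `typeof(*(__ptr))`, `typeof(*(__x))` and `typeof(*(from))` would be safe for any expression. The naming is uneven (`get_user_cast` and `assign_in_user_cast` versus `put_user_force`) even though all three exist to adjust the `__user` annotation, and the hunk adds two blank lines before native_ioctl() where one is the usual style. Each use hides a pointer from sparse's address-space checking, so it is worth keeping the call sites few enough that the remaining unchecked casts can be audited by hand. native_ioctl() continues outside the hunk.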
> @@ -543,8 +561,7 @@ static int get_v4l2_buffer32(struct v4l2_buffer __user 
> *p64,
>   return -EFAULT;
>  
>   uplane = aux_buf;
> - if (put_user((__force struct v4l2_plane *)uplane,
> -  >m.planes))
> + if (put_user_force(uplane, >m.planes))
>   return -EFAULT;
>  
>   while (num_planes--) {
> @@ -682,7 +699,7 @@ static int get_v4l2_framebuffer32(struct v4l2_framebuffer 
> __user *p64,
>  
>   if (!access_ok(VERIFY_READ, p32, sizeof(*p32)) ||
>   get_user(tmp, >base) ||
> - put_user((void __force *)compat_ptr(tmp), >base) ||
> + put_user_force(compat_ptr(tmp), >base) ||
>   assign_in_user(>capability, >capability) ||
>   assign_in_user(>flags, >flags) ||
>   copy_in_user(>fmt, >fmt, sizeof(p64->fmt)))
> @@ -831,8 +848,7 @@ static int get_v4l2_ext_controls32(struct file *file,
>   if (aux_space < count * sizeof(*kcontrols))
>   return -EFAULT;
>   kcontrols = aux_buf;
> - if (put_user((__force struct v4l2_ext_control *)kcontrols,
> -  >controls))
> + if (put_user_force(kcontrols, >controls))
>   return -EFAULT;
>  
>   for (n = 0; n < count; n++) {
> @@ -898,12 +914,11 @@ static int put_v4l2_ext_controls32(struct file *file,
>   unsigned int size = sizeof(*ucontrols);
>   u32 id;
>  
> - if (get_user(id, (unsigned int __user *)>id) ||
> + if (get_user_cast(id, >id) ||
>   put_user(id, >id) ||
> - assign_in_user(>size,
> -(unsigned int __user *)>size) ||
> + assign_in_user_cast(>size, >size) ||
>   copy_in_user(>reserved2,
> -  (unsigned int __user *)>reserved2,
> +  (void __user *)>reserved2,

I would prefer to see this change merged with patch 4/6 instead. There
is no reason to correct it here.

>sizeof(ucontrols->reserved2)))
>   return -EFAULT;
>  
> @@ -916,7 +931,7 @@ static int put_v4l2_ext_controls32(struct file *file,
>   size -= sizeof(ucontrols->value64);
>  
>   if (copy_in_user(ucontrols,
> -  (unsigned int __user *)kcontrols, size))
> +  (void __user *)kcontrols, size))

Ditto for