From: kernel test robot <lkp@intel.com>
To: kbuild@lists.01.org
Subject: Re: [PATCH 2/2] vt: keyboard, extend func_buf_lock to readers
Date: Thu, 22 Oct 2020 06:52:10 +0800
Message-ID: <202010220627.24XWO6dt-lkp@intel.com>
CC: kbuild-all(a)lists.01.org
In-Reply-To: <20201019085517.10176-2-jslaby@suse.cz>
References: <20201019085517.10176-2-jslaby@suse.cz>
TO: Jiri Slaby <jslaby@suse.cz>
Hi Jiri,
I love your patch! Perhaps something to improve:
[auto build test WARNING on tty/tty-testing]
[also build test WARNING on v5.9 next-20201021]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch]
url: https://github.com/0day-ci/linux/commits/Jiri-Slaby/vt-keyboard-simplify-vt_kdgkbsent/20201019-165627
base: https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty.git tty-testing
:::::: branch date: 3 days ago
:::::: commit date: 3 days ago
config: openrisc-randconfig-m031-20201021 (attached as .config)
compiler: or1k-linux-gcc (GCC) 9.3.0
If you fix the issue, kindly add following tag as appropriate
Reported-by: kernel test robot <lkp@intel.com>
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
New smatch warnings:
drivers/tty/vt/keyboard.c:2037 vt_do_kdgkb_ioctl() warn: possible info leak 'kbs->kb_string'
Old smatch warnings:
drivers/tty/vt/keyboard.c:1914 vt_do_kdsk_ioctl() warn: potential spectre issue 'key_map' [r]
drivers/tty/vt/keyboard.c:2060 vt_do_kdgkb_ioctl() warn: potential spectre issue 'func_table' [r] (local cap)
drivers/tty/vt/keyboard.c:2069 vt_do_kdgkb_ioctl() warn: possible spectre second half. 'fj'
drivers/tty/vt/keyboard.c:2075 vt_do_kdgkb_ioctl() warn: possible spectre second half. 'fj'
drivers/tty/vt/keyboard.c:2094 vt_do_kdgkb_ioctl() warn: possible spectre second half. 'fj'
drivers/tty/vt/keyboard.c:2096 vt_do_kdgkb_ioctl() warn: possible spectre second half. 'fj'
vim +2037 drivers/tty/vt/keyboard.c
079c9534a96da9 Alan Cox 2012-02-28 1998
14b84317b4ceac Jiri Slaby 2020-10-19 1999 /* FIXME: This one needs untangling */
079c9534a96da9 Alan Cox 2012-02-28 2000 int vt_do_kdgkb_ioctl(int cmd, struct kbsentry __user *user_kdgkb, int perm)
079c9534a96da9 Alan Cox 2012-02-28 2001 {
079c9534a96da9 Alan Cox 2012-02-28 2002 struct kbsentry *kbs;
079c9534a96da9 Alan Cox 2012-02-28 2003 u_char *q;
46ca3f735f345c Sergei Trofimovich 2019-03-10 2004 int sz, fnw_sz;
079c9534a96da9 Alan Cox 2012-02-28 2005 int delta;
079c9534a96da9 Alan Cox 2012-02-28 2006 char *first_free, *fj, *fnw;
079c9534a96da9 Alan Cox 2012-02-28 2007 int i, j, k;
079c9534a96da9 Alan Cox 2012-02-28 2008 int ret;
46ca3f735f345c Sergei Trofimovich 2019-03-10 2009 unsigned long flags;
079c9534a96da9 Alan Cox 2012-02-28 2010
079c9534a96da9 Alan Cox 2012-02-28 2011 if (!capable(CAP_SYS_TTY_CONFIG))
079c9534a96da9 Alan Cox 2012-02-28 2012 perm = 0;
079c9534a96da9 Alan Cox 2012-02-28 2013
079c9534a96da9 Alan Cox 2012-02-28 2014 kbs = kmalloc(sizeof(*kbs), GFP_KERNEL);
079c9534a96da9 Alan Cox 2012-02-28 2015 if (!kbs) {
079c9534a96da9 Alan Cox 2012-02-28 2016 ret = -ENOMEM;
079c9534a96da9 Alan Cox 2012-02-28 2017 goto reterr;
079c9534a96da9 Alan Cox 2012-02-28 2018 }
079c9534a96da9 Alan Cox 2012-02-28 2019
079c9534a96da9 Alan Cox 2012-02-28 2020 /* we mostly copy too much here (512bytes), but who cares ;) */
079c9534a96da9 Alan Cox 2012-02-28 2021 if (copy_from_user(kbs, user_kdgkb, sizeof(struct kbsentry))) {
079c9534a96da9 Alan Cox 2012-02-28 2022 ret = -EFAULT;
079c9534a96da9 Alan Cox 2012-02-28 2023 goto reterr;
079c9534a96da9 Alan Cox 2012-02-28 2024 }
079c9534a96da9 Alan Cox 2012-02-28 2025 kbs->kb_string[sizeof(kbs->kb_string)-1] = '\0';
f3af1b68fc96b1 Jiri Slaby 2020-07-30 2026 i = array_index_nospec(kbs->kb_func, MAX_NR_FUNC);
079c9534a96da9 Alan Cox 2012-02-28 2027
079c9534a96da9 Alan Cox 2012-02-28 2028 switch (cmd) {
b2541e2365b072 Jiri Slaby 2020-10-19 2029 case KDGKBSENT: {
b2541e2365b072 Jiri Slaby 2020-10-19 2030 /* size should have been a struct member */
14b84317b4ceac Jiri Slaby 2020-10-19 2031 ssize_t len = sizeof(user_kdgkb->kb_string);
14b84317b4ceac Jiri Slaby 2020-10-19 2032
14b84317b4ceac Jiri Slaby 2020-10-19 2033 spin_lock_irqsave(&func_buf_lock, flags);
14b84317b4ceac Jiri Slaby 2020-10-19 2034 len = strlcpy(kbs->kb_string, func_table[i] ? : "", len);
14b84317b4ceac Jiri Slaby 2020-10-19 2035 spin_unlock_irqrestore(&func_buf_lock, flags);
b2541e2365b072 Jiri Slaby 2020-10-19 2036
14b84317b4ceac Jiri Slaby 2020-10-19 @2037 ret = copy_to_user(user_kdgkb->kb_string, kbs->kb_string,
14b84317b4ceac Jiri Slaby 2020-10-19 2038 len + 1) ? -EFAULT : 0;
b2541e2365b072 Jiri Slaby 2020-10-19 2039
079c9534a96da9 Alan Cox 2012-02-28 2040 goto reterr;
079c9534a96da9 Alan Cox 2012-02-28 2041 }
079c9534a96da9 Alan Cox 2012-02-28 2042 case KDSKBSENT:
079c9534a96da9 Alan Cox 2012-02-28 2043 if (!perm) {
079c9534a96da9 Alan Cox 2012-02-28 2044 ret = -EPERM;
079c9534a96da9 Alan Cox 2012-02-28 2045 goto reterr;
079c9534a96da9 Alan Cox 2012-02-28 2046 }
079c9534a96da9 Alan Cox 2012-02-28 2047
46ca3f735f345c Sergei Trofimovich 2019-03-10 2048 fnw = NULL;
46ca3f735f345c Sergei Trofimovich 2019-03-10 2049 fnw_sz = 0;
46ca3f735f345c Sergei Trofimovich 2019-03-10 2050 /* race aginst other writers */
46ca3f735f345c Sergei Trofimovich 2019-03-10 2051 again:
46ca3f735f345c Sergei Trofimovich 2019-03-10 2052 spin_lock_irqsave(&func_buf_lock, flags);
079c9534a96da9 Alan Cox 2012-02-28 2053 q = func_table[i];
46ca3f735f345c Sergei Trofimovich 2019-03-10 2054
46ca3f735f345c Sergei Trofimovich 2019-03-10 2055 /* fj pointer to next entry after 'q' */
079c9534a96da9 Alan Cox 2012-02-28 2056 first_free = funcbufptr + (funcbufsize - funcbufleft);
079c9534a96da9 Alan Cox 2012-02-28 2057 for (j = i+1; j < MAX_NR_FUNC && !func_table[j]; j++)
079c9534a96da9 Alan Cox 2012-02-28 2058 ;
079c9534a96da9 Alan Cox 2012-02-28 2059 if (j < MAX_NR_FUNC)
079c9534a96da9 Alan Cox 2012-02-28 2060 fj = func_table[j];
079c9534a96da9 Alan Cox 2012-02-28 2061 else
079c9534a96da9 Alan Cox 2012-02-28 2062 fj = first_free;
46ca3f735f345c Sergei Trofimovich 2019-03-10 2063 /* buffer usage increase by new entry */
079c9534a96da9 Alan Cox 2012-02-28 2064 delta = (q ? -strlen(q) : 1) + strlen(kbs->kb_string);
46ca3f735f345c Sergei Trofimovich 2019-03-10 2065
079c9534a96da9 Alan Cox 2012-02-28 2066 if (delta <= funcbufleft) { /* it fits in current buf */
079c9534a96da9 Alan Cox 2012-02-28 2067 if (j < MAX_NR_FUNC) {
46ca3f735f345c Sergei Trofimovich 2019-03-10 2068 /* make enough space for new entry@'fj' */
079c9534a96da9 Alan Cox 2012-02-28 2069 memmove(fj + delta, fj, first_free - fj);
079c9534a96da9 Alan Cox 2012-02-28 2070 for (k = j; k < MAX_NR_FUNC; k++)
079c9534a96da9 Alan Cox 2012-02-28 2071 if (func_table[k])
079c9534a96da9 Alan Cox 2012-02-28 2072 func_table[k] += delta;
079c9534a96da9 Alan Cox 2012-02-28 2073 }
079c9534a96da9 Alan Cox 2012-02-28 2074 if (!q)
079c9534a96da9 Alan Cox 2012-02-28 2075 func_table[i] = fj;
079c9534a96da9 Alan Cox 2012-02-28 2076 funcbufleft -= delta;
079c9534a96da9 Alan Cox 2012-02-28 2077 } else { /* allocate a larger buffer */
079c9534a96da9 Alan Cox 2012-02-28 2078 sz = 256;
079c9534a96da9 Alan Cox 2012-02-28 2079 while (sz < funcbufsize - funcbufleft + delta)
079c9534a96da9 Alan Cox 2012-02-28 2080 sz <<= 1;
46ca3f735f345c Sergei Trofimovich 2019-03-10 2081 if (fnw_sz != sz) {
46ca3f735f345c Sergei Trofimovich 2019-03-10 2082 spin_unlock_irqrestore(&func_buf_lock, flags);
46ca3f735f345c Sergei Trofimovich 2019-03-10 2083 kfree(fnw);
079c9534a96da9 Alan Cox 2012-02-28 2084 fnw = kmalloc(sz, GFP_KERNEL);
46ca3f735f345c Sergei Trofimovich 2019-03-10 2085 fnw_sz = sz;
079c9534a96da9 Alan Cox 2012-02-28 2086 if (!fnw) {
079c9534a96da9 Alan Cox 2012-02-28 2087 ret = -ENOMEM;
079c9534a96da9 Alan Cox 2012-02-28 2088 goto reterr;
079c9534a96da9 Alan Cox 2012-02-28 2089 }
46ca3f735f345c Sergei Trofimovich 2019-03-10 2090 goto again;
46ca3f735f345c Sergei Trofimovich 2019-03-10 2091 }
079c9534a96da9 Alan Cox 2012-02-28 2092
079c9534a96da9 Alan Cox 2012-02-28 2093 if (!q)
079c9534a96da9 Alan Cox 2012-02-28 2094 func_table[i] = fj;
46ca3f735f345c Sergei Trofimovich 2019-03-10 2095 /* copy data before insertion point to new location */
079c9534a96da9 Alan Cox 2012-02-28 2096 if (fj > funcbufptr)
079c9534a96da9 Alan Cox 2012-02-28 2097 memmove(fnw, funcbufptr, fj - funcbufptr);
079c9534a96da9 Alan Cox 2012-02-28 2098 for (k = 0; k < j; k++)
079c9534a96da9 Alan Cox 2012-02-28 2099 if (func_table[k])
079c9534a96da9 Alan Cox 2012-02-28 2100 func_table[k] = fnw + (func_table[k] - funcbufptr);
079c9534a96da9 Alan Cox 2012-02-28 2101
46ca3f735f345c Sergei Trofimovich 2019-03-10 2102 /* copy data after insertion point to new location */
079c9534a96da9 Alan Cox 2012-02-28 2103 if (first_free > fj) {
079c9534a96da9 Alan Cox 2012-02-28 2104 memmove(fnw + (fj - funcbufptr) + delta, fj, first_free - fj);
079c9534a96da9 Alan Cox 2012-02-28 2105 for (k = j; k < MAX_NR_FUNC; k++)
079c9534a96da9 Alan Cox 2012-02-28 2106 if (func_table[k])
079c9534a96da9 Alan Cox 2012-02-28 2107 func_table[k] = fnw + (func_table[k] - funcbufptr) + delta;
079c9534a96da9 Alan Cox 2012-02-28 2108 }
079c9534a96da9 Alan Cox 2012-02-28 2109 if (funcbufptr != func_buf)
079c9534a96da9 Alan Cox 2012-02-28 2110 kfree(funcbufptr);
079c9534a96da9 Alan Cox 2012-02-28 2111 funcbufptr = fnw;
079c9534a96da9 Alan Cox 2012-02-28 2112 funcbufleft = funcbufleft - delta + sz - funcbufsize;
079c9534a96da9 Alan Cox 2012-02-28 2113 funcbufsize = sz;
079c9534a96da9 Alan Cox 2012-02-28 2114 }
46ca3f735f345c Sergei Trofimovich 2019-03-10 2115 /* finally insert item itself */
079c9534a96da9 Alan Cox 2012-02-28 2116 strcpy(func_table[i], kbs->kb_string);
46ca3f735f345c Sergei Trofimovich 2019-03-10 2117 spin_unlock_irqrestore(&func_buf_lock, flags);
079c9534a96da9 Alan Cox 2012-02-28 2118 break;
079c9534a96da9 Alan Cox 2012-02-28 2119 }
079c9534a96da9 Alan Cox 2012-02-28 2120 ret = 0;
079c9534a96da9 Alan Cox 2012-02-28 2121 reterr:
079c9534a96da9 Alan Cox 2012-02-28 2122 kfree(kbs);
079c9534a96da9 Alan Cox 2012-02-28 2123 return ret;
079c9534a96da9 Alan Cox 2012-02-28 2124 }
079c9534a96da9 Alan Cox 2012-02-28 2125
---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all(a)lists.01.org
[-- Attachment #2: config.gz --]
[-- Type: application/gzip, Size: 26762 bytes --]