From: Shyam Sundar S K <Shyam-sundar.S-k@amd.com>
To: <hdegoede@redhat.com>, <ilpo.jarvinen@linux.intel.com>,
<markgross@kernel.org>
Cc: <Sanket.Goswami@amd.com>, <mario.limonciello@amd.com>,
<platform-driver-x86@vger.kernel.org>,
Shyam Sundar S K <Shyam-sundar.S-k@amd.com>
Subject: [PATCH v8 1/3] platform/x86/amd/pmc: Use flex array when calling amd_pmc_stb_debugfs_open_v2()
Date: Tue, 10 Oct 2023 20:20:01 +0530 [thread overview]
Message-ID: <20231010145003.139932-1-Shyam-sundar.S-k@amd.com> (raw)
Currently in amd_pmc_stb_debugfs_open_v2() the buffer size is assumed to
be fixed and a second call to amd_pmc_stb_debugfs_open_v2() may race with
a process holding open another fd. This could change "fsize" to a
bigger size causing an out of bounds read.
Instead create a struct with a flexarray to solve this.
Suggested-by: Hans de Goede <hdegoede@redhat.com>
Reviewed-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Sanket Goswami <Sanket.Goswami@amd.com>
Signed-off-by: Shyam Sundar S K <Shyam-sundar.S-k@amd.com>
---
v7->v8:
- use min()
v6->v7:
- No change
v6:
- Handle release buffer case as per Hans remarks
- based on review-ilpo branch
v5:
- new patch based on comments in v4 from Hans.
- based on review-ilpo branch
drivers/platform/x86/amd/pmc/pmc.c | 32 ++++++++++++++++++------------
1 file changed, 19 insertions(+), 13 deletions(-)
diff --git a/drivers/platform/x86/amd/pmc/pmc.c b/drivers/platform/x86/amd/pmc/pmc.c
index c92dd5077a16..609bad470fe3 100644
--- a/drivers/platform/x86/amd/pmc/pmc.c
+++ b/drivers/platform/x86/amd/pmc/pmc.c
@@ -52,7 +52,7 @@
#define AMD_S2D_REGISTER_ARGUMENT 0xA88
/* STB Spill to DRAM Parameters */
-#define S2D_TELEMETRY_BYTES_MAX 0x100000
+#define S2D_TELEMETRY_BYTES_MAX 0x100000U
#define S2D_TELEMETRY_DRAMBYTES_MAX 0x1000000
/* STB Spill to DRAM Message Definition */
@@ -122,6 +122,11 @@ enum s2d_arg {
S2D_DRAM_SIZE,
};
+struct amd_pmc_stb_v2_data {
+ size_t size;
+ u8 data[] __counted_by(size);
+};
+
struct amd_pmc_bit_map {
const char *name;
u32 bit_mask;
@@ -239,7 +244,8 @@ static const struct file_operations amd_pmc_stb_debugfs_fops = {
static int amd_pmc_stb_debugfs_open_v2(struct inode *inode, struct file *filp)
{
struct amd_pmc_dev *dev = filp->f_inode->i_private;
- u32 *buf, fsize, num_samples, val, stb_rdptr_offset = 0;
+ u32 fsize, num_samples, val, stb_rdptr_offset = 0;
+ struct amd_pmc_stb_v2_data *flex_arr;
int ret;
/* Write dummy postcode while reading the STB buffer */
@@ -247,10 +253,6 @@ static int amd_pmc_stb_debugfs_open_v2(struct inode *inode, struct file *filp)
if (ret)
dev_err(dev->dev, "error writing to STB: %d\n", ret);
- buf = kzalloc(S2D_TELEMETRY_BYTES_MAX, GFP_KERNEL);
- if (!buf)
- return -ENOMEM;
-
/* Spill to DRAM num_samples uses separate SMU message port */
dev->msg_port = 1;
@@ -264,10 +266,16 @@ static int amd_pmc_stb_debugfs_open_v2(struct inode *inode, struct file *filp)
dev->msg_port = 0;
if (ret) {
dev_err(dev->dev, "error: S2D_NUM_SAMPLES not supported : %d\n", ret);
- kfree(buf);
return ret;
}
+ fsize = min(num_samples, S2D_TELEMETRY_BYTES_MAX);
+ flex_arr = kmalloc(struct_size(flex_arr, data, fsize), GFP_KERNEL);
+ if (!flex_arr)
+ return -ENOMEM;
+
+ flex_arr->size = fsize;
+
/* Start capturing data from the last push location */
if (num_samples > S2D_TELEMETRY_BYTES_MAX) {
fsize = S2D_TELEMETRY_BYTES_MAX;
@@ -277,8 +285,8 @@ static int amd_pmc_stb_debugfs_open_v2(struct inode *inode, struct file *filp)
stb_rdptr_offset = 0;
}
- memcpy_fromio(buf, dev->stb_virt_addr + stb_rdptr_offset, fsize);
- filp->private_data = buf;
+ memcpy_fromio(flex_arr->data, dev->stb_virt_addr + stb_rdptr_offset, fsize);
+ filp->private_data = flex_arr;
return 0;
}
@@ -286,11 +294,9 @@ static int amd_pmc_stb_debugfs_open_v2(struct inode *inode, struct file *filp)
static ssize_t amd_pmc_stb_debugfs_read_v2(struct file *filp, char __user *buf, size_t size,
loff_t *pos)
{
- if (!filp->private_data)
- return -EINVAL;
+ struct amd_pmc_stb_v2_data *data = filp->private_data;
- return simple_read_from_buffer(buf, size, pos, filp->private_data,
- S2D_TELEMETRY_BYTES_MAX);
+ return simple_read_from_buffer(buf, size, pos, data->data, data->size);
}
static int amd_pmc_stb_debugfs_release_v2(struct inode *inode, struct file *filp)
--
2.25.1
next reply other threads:[~2023-10-10 14:50 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-10-10 14:50 Shyam Sundar S K [this message]
2023-10-10 14:50 ` [PATCH v8 2/3] platform/x86/amd/pmc: Handle overflow cases where the num_samples range is higher Shyam Sundar S K
2023-10-10 14:50 ` [PATCH v8 3/3] platform/x86/amd/pmc: Add dump_custom_stb module parameter Shyam Sundar S K
2023-10-12 14:08 ` Ilpo Järvinen
2023-10-13 7:22 ` Shyam Sundar S K
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20231010145003.139932-1-Shyam-sundar.S-k@amd.com \
--to=shyam-sundar.s-k@amd.com \
--cc=Sanket.Goswami@amd.com \
--cc=hdegoede@redhat.com \
--cc=ilpo.jarvinen@linux.intel.com \
--cc=mario.limonciello@amd.com \
--cc=markgross@kernel.org \
--cc=platform-driver-x86@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.