* [RFC] Spurious error handling code in 'vc4_get_hang_state_ioctl'
@ 2017-05-08 15:29 Christophe JAILLET
2017-05-09 8:58 ` Dan Carpenter
2017-05-09 16:29 ` Eric Anholt
0 siblings, 2 replies; 3+ messages in thread
From: Christophe JAILLET @ 2017-05-08 15:29 UTC (permalink / raw)
To: kernel-janitors
Hi,
While looking for labels with a spurious order in the linux kernel code,
I came across code around:
https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/tree/drivers/gpu/drm/vc4/vc4_gem.c#n106
The error handling in this for loop looks spurious to me:
- if 'drm_gem_handle_create' fails, we leak 'bo_state'
This is freed after the 'copy_to_user'
- if 'drm_gem_handle_create' fails, then we have 'state->bo_count =
i - 1'
This looks odd. 'state->bo_count = i' sounds more logical to me.
- as 'state->bo_count' is updated, this could mean than the
'copy_to_user' should be performed.
I don't have any idea if one of the above is true (unless the memory
leak), so I just send it as a RFC to get feed-back.
The corresponding patch would look like:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
@@ -109,18 +109,19 @@ vc4_get_hang_state_ioctl(struct drm_device *dev,
void *data,
ret = drm_gem_handle_create(file_priv, kernel_state->bo[i],
&handle);
if (ret) {
- state->bo_count = i - 1;
- goto err;
+ state->bo_count = i;
+ goto do_copy;
}
bo_state[i].handle = handle;
bo_state[i].paddr = vc4_bo->base.paddr;
bo_state[i].size = vc4_bo->base.base.size;
}
+do_copy:
if (copy_to_user((void __user *)(uintptr_t)get_state->bo,
bo_state,
state->bo_count * sizeof(*bo_state)))
ret = -EFAULT;
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Best regards,
CJ
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [RFC] Spurious error handling code in 'vc4_get_hang_state_ioctl'
2017-05-08 15:29 [RFC] Spurious error handling code in 'vc4_get_hang_state_ioctl' Christophe JAILLET
@ 2017-05-09 8:58 ` Dan Carpenter
2017-05-09 16:29 ` Eric Anholt
1 sibling, 0 replies; 3+ messages in thread
From: Dan Carpenter @ 2017-05-09 8:58 UTC (permalink / raw)
To: kernel-janitors
On Mon, May 08, 2017 at 05:29:00PM +0200, Christophe JAILLET wrote:
> Hi,
>
> While looking for labels with a spurious order in the linux kernel code, I
> came across code around:
>
> https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/tree/drivers/gpu/drm/vc4/vc4_gem.c#n106
>
> The error handling in this for loop looks spurious to me:
> - if 'drm_gem_handle_create' fails, we leak 'bo_state'
> This is freed after the 'copy_to_user'
> - if 'drm_gem_handle_create' fails, then we have 'state->bo_count = i - 1'
> This looks odd. 'state->bo_count = i' sounds more logical to me.
This is correct.
> - as 'state->bo_count' is updated, this could mean than the
> 'copy_to_user' should be performed.
This also seems correct, but I doubt user space is actually set up to
handle errors in real life... It could be that I'm too pesimistic.
regards,
dan carpenter
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [RFC] Spurious error handling code in 'vc4_get_hang_state_ioctl'
2017-05-08 15:29 [RFC] Spurious error handling code in 'vc4_get_hang_state_ioctl' Christophe JAILLET
2017-05-09 8:58 ` Dan Carpenter
@ 2017-05-09 16:29 ` Eric Anholt
1 sibling, 0 replies; 3+ messages in thread
From: Eric Anholt @ 2017-05-09 16:29 UTC (permalink / raw)
To: kernel-janitors
[-- Attachment #1: Type: text/plain, Size: 1341 bytes --]
Christophe JAILLET <christophe.jaillet@wanadoo.fr> writes:
> Hi,
>
> While looking for labels with a spurious order in the linux kernel code,
> I came across code around:
>
> https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/tree/drivers/gpu/drm/vc4/vc4_gem.c#n106
>
> The error handling in this for loop looks spurious to me:
> - if 'drm_gem_handle_create' fails, we leak 'bo_state'
> This is freed after the 'copy_to_user'
> - if 'drm_gem_handle_create' fails, then we have 'state->bo_count =
> i - 1'
> This looks odd. 'state->bo_count = i' sounds more logical to me.
> - as 'state->bo_count' is updated, this could mean than the
> 'copy_to_user' should be performed.
The point of reducing the bo_count was presumably for freeing the
handles we had created before returning the error, which I forgot to
actually do (userspace won't know about the new handles to go and free
them itself). This is not that big a deal, as this interface is for use
by a root-only, one-shot app that gets the hang state and dumps it to
disk, so it can be processed later to try to debug the hang.
Want to put together a patch that frees the handles (and bo_state),
though, for correctness? Don't worry about copying any partial data out
on error -- the userspace tool just exits.
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 832 bytes --]
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2017-05-09 16:29 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2017-05-08 15:29 [RFC] Spurious error handling code in 'vc4_get_hang_state_ioctl' Christophe JAILLET
2017-05-09 8:58 ` Dan Carpenter
2017-05-09 16:29 ` Eric Anholt
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.