* [PATCH 0/2] A brace of vchiq bulk transfer fixes
From: Phil Elwell @ 2021-01-04 12:09 UTC
To: Nicolas Saenz Julienne, Greg Kroah-Hartman, Arnd Bergmann, Dan Carpenter, bcm-kernel-feedback-list, linux-rpi-kernel, linux-arm-kernel, devel
Cc: Phil Elwell

The recent batch of vchiq improvements broke bulk transfers in two ways:

1. The userdata associated with a transfer was lost in the case that a
   non-blocking mode was used.
2. The 64-bit ioctl compatibility shim for a bulk transfer used the wrong
   ioctl command.

This patch set fixes both of those bugs.

Phil Elwell (2):
  staging: vchiq: Fix bulk userdata handling
  staging: vchiq: Fix bulk transfers on 64-bit builds

 .../staging/vc04_services/interface/vchiq_arm/vchiq_arm.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

-- 
2.25.1
_______________________________________________
devel mailing list
devel@linuxdriverproject.org
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel
* [PATCH 1/2] staging: vchiq: Fix bulk userdata handling 2021-01-04 12:09 ` Phil Elwell @ 2021-01-04 12:09 ` Phil Elwell -1 siblings, 0 replies; 20+ messages in thread From: Phil Elwell @ 2021-01-04 12:09 UTC (permalink / raw) To: Nicolas Saenz Julienne, Greg Kroah-Hartman, Arnd Bergmann, Dan Carpenter, bcm-kernel-feedback-list, linux-rpi-kernel, linux-arm-kernel, devel Cc: Phil Elwell The addition of the local 'userdata' pointer to vchiq_irq_queue_bulk_tx_rx omitted the case where neither BLOCKING nor WAITING modes are used, in which case the value provided by the caller is replaced with a NULL. Fixes: 4184da4f316a ("staging: vchiq: fix __user annotations") Signed-off-by: Phil Elwell <phil@raspberrypi.com> --- drivers/staging/vc04_services/interface/vchiq_arm/vchiq_arm.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_arm.c b/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_arm.c index f500a7043805..2a8883673ba1 100644 --- a/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_arm.c +++ b/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_arm.c @@ -958,7 +958,7 @@ static int vchiq_irq_queue_bulk_tx_rx(struct vchiq_instance *instance, struct vchiq_service *service; struct bulk_waiter_node *waiter = NULL; bool found = false; - void *userdata = NULL; + void *userdata; int status = 0; int ret; @@ -997,6 +997,8 @@ static int vchiq_irq_queue_bulk_tx_rx(struct vchiq_instance *instance, "found bulk_waiter %pK for pid %d", waiter, current->pid); userdata = &waiter->bulk_waiter; + } else { + userdata = args->userdata; } /* -- 2.25.1 _______________________________________________ devel mailing list devel@linuxdriverproject.org http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel ^ permalink raw reply related [flat|nested] 20+ messages in thread
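Review bot: In the first hunk (@@ -958), dropping the `= NULL` initialiser from `void *userdata` means every mode branch must now assign it before use, and only the tail of one branch and the new `else` are visible in this patch. Please confirm that each earlier branch of the chain (outside the hunk context) assigns `userdata` on every path that reaches the queueing call, or keep the initialiser so that a missed path yields NULL rather than an uninitialised value.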
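Review bot: In the second hunk (@@ -997), the new `else` branch stores the caller-supplied `args->userdata` in the same `void *userdata` local that the branch just above fills with the kernel address `&waiter->bulk_waiter`, so the type no longer tells later code which kind of value it holds. Consider carrying the caller's value in a separate, integer-typed field, or at minimum add a comment at `userdata = args->userdata;` stating that it is an opaque token that must never be dereferenced. The commit message should also say what a user-space caller observes when the value is replaced with NULL.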
* Re: [PATCH 1/2] staging: vchiq: Fix bulk userdata handling
From: Stefan Wahren @ 2021-01-04 17:37 UTC
To: Phil Elwell, Nicolas Saenz Julienne, Greg Kroah-Hartman, Arnd Bergmann, Dan Carpenter, bcm-kernel-feedback-list, linux-rpi-kernel, linux-arm-kernel, devel

On 04.01.21 at 13:09, Phil Elwell wrote:
> The addition of the local 'userdata' pointer to
> vchiq_irq_queue_bulk_tx_rx omitted the case where neither BLOCKING nor
> WAITING modes are used, in which case the value provided by the
> caller is replaced with a NULL.
>
> Fixes: 4184da4f316a ("staging: vchiq: fix __user annotations")
>
> Signed-off-by: Phil Elwell <phil@raspberrypi.com>

Tested-by: Stefan Wahren <stefan.wahren@i2se.com>
* Re: [PATCH 1/2] staging: vchiq: Fix bulk userdata handling
From: Dan Carpenter @ 2021-01-04 18:31 UTC
To: Phil Elwell
Cc: devel, Arnd Bergmann, Greg Kroah-Hartman, bcm-kernel-feedback-list, Nicolas Saenz Julienne, linux-arm-kernel, linux-rpi-kernel

On Mon, Jan 04, 2021 at 12:09:27PM +0000, Phil Elwell wrote:
> The addition of the local 'userdata' pointer to
> vchiq_irq_queue_bulk_tx_rx omitted the case where neither BLOCKING nor
> WAITING modes are used, in which case the value provided by the
> caller is replaced with a NULL.
>
> Fixes: 4184da4f316a ("staging: vchiq: fix __user annotations")
>
> Signed-off-by: Phil Elwell <phil@raspberrypi.com>
> --- > drivers/staging/vc04_services/interface/vchiq_arm/vchiq_arm.c | 4 +++- > 1 file changed, 3 insertions(+), 1 deletion(-) > > diff --git a/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_arm.c b/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_arm.c > index f500a7043805..2a8883673ba1 100644 > --- a/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_arm.c > +++ b/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_arm.c > @@ -958,7 +958,7 @@ static int vchiq_irq_queue_bulk_tx_rx(struct vchiq_instance *instance, > struct vchiq_service *service; > struct bulk_waiter_node *waiter = NULL; > bool found = false; > - void *userdata = NULL; > + void *userdata; > int status = 0; > int ret; 
> > @@ -997,6 +997,8 @@ static int vchiq_irq_queue_bulk_tx_rx(struct vchiq_instance *instance, > "found bulk_waiter %pK for pid %d", waiter, > current->pid); > userdata = &waiter->bulk_waiter; > + } else { > + userdata = args->userdata;

"args->userdata" is marked as a user pointer so we really don't want to
mix user and kernel pointers here.  Presumably this opens up a large
security hole.

regards,
dan carpenter
* Re: [PATCH 1/2] staging: vchiq: Fix bulk userdata handling
From: Phil Elwell @ 2021-01-04 19:26 UTC
To: Dan Carpenter
Cc: devel, Arnd Bergmann, Greg Kroah-Hartman, bcm-kernel-feedback-list, Nicolas Saenz Julienne, linux-arm-kernel, linux-rpi-kernel

On 04/01/2021 18:31, Dan Carpenter wrote:
> On Mon, Jan 04, 2021 at 12:09:27PM +0000, Phil Elwell wrote:
>> The addition of the local 'userdata' pointer to
>> vchiq_irq_queue_bulk_tx_rx omitted the case where neither BLOCKING nor
>> WAITING modes are used, in which case the value provided by the
>> caller is replaced with a NULL.
>>
>> Fixes: 4184da4f316a ("staging: vchiq: fix __user annotations")
>>
>> Signed-off-by: Phil Elwell <phil@raspberrypi.com>
>> --- >> drivers/staging/vc04_services/interface/vchiq_arm/vchiq_arm.c | 4 +++- >> 1 file changed, 3 insertions(+), 1 deletion(-) >> >> diff --git a/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_arm.c b/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_arm.c >> index f500a7043805..2a8883673ba1 100644 >> --- a/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_arm.c >> +++ b/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_arm.c >> @@ -958,7 +958,7 @@ static int vchiq_irq_queue_bulk_tx_rx(struct vchiq_instance *instance, >> struct vchiq_service *service; >> struct bulk_waiter_node *waiter = NULL; >> bool found = false; >> - void *userdata = NULL; >> + void *userdata; >> int status = 0; >> int ret; 
>> >> @@ -997,6 +997,8 @@ static int vchiq_irq_queue_bulk_tx_rx(struct vchiq_instance *instance, >> "found bulk_waiter %pK for pid %d", waiter, >> current->pid); >> userdata = &waiter->bulk_waiter; >> + } else { >> + userdata = args->userdata;
>
> "args->userdata" is marked as a user pointer so we really don't want to
> mix user and kernel pointers here.  Presumably this opens up a large
> security hole.

It's an opaque, pointer-sized token that only exists to be returned to userspace (or not,
without this patch) - it's hard to see that as a security hole.

Phil
* Re: [PATCH 1/2] staging: vchiq: Fix bulk userdata handling
From: Dan Carpenter @ 2021-01-05 11:01 UTC
To: Phil Elwell
Cc: devel, Arnd Bergmann, Greg Kroah-Hartman, bcm-kernel-feedback-list, linux-arm-kernel, Nicolas Saenz Julienne, linux-rpi-kernel

On Mon, Jan 04, 2021 at 07:26:42PM +0000, Phil Elwell wrote:
> On 04/01/2021 18:31, Dan Carpenter wrote:
> > On Mon, Jan 04, 2021 at 12:09:27PM +0000, Phil Elwell wrote:
> > > The addition of the local 'userdata' pointer to
> > > vchiq_irq_queue_bulk_tx_rx omitted the case where neither BLOCKING nor
> > > WAITING modes are used, in which case the value provided by the
> > > caller is replaced with a NULL.
> > >
> > > Fixes: 4184da4f316a ("staging: vchiq: fix __user annotations")
> > >
> > > Signed-off-by: Phil Elwell <phil@raspberrypi.com>
> > > --- > > > drivers/staging/vc04_services/interface/vchiq_arm/vchiq_arm.c | 4 +++- > > > 1 file changed, 3 insertions(+), 1 deletion(-) > > > > > > diff --git a/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_arm.c b/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_arm.c > > > index f500a7043805..2a8883673ba1 100644 > > > --- a/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_arm.c > > > +++ b/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_arm.c > > > @@ -958,7 +958,7 @@ static int vchiq_irq_queue_bulk_tx_rx(struct vchiq_instance *instance, > > > struct vchiq_service *service; > > > struct bulk_waiter_node *waiter = NULL; > > > bool found = false; > > > - void *userdata = NULL; > > > + void *userdata; > > > int status = 0; > > > int ret; 
> > > @@ -997,6 +997,8 @@ static int vchiq_irq_queue_bulk_tx_rx(struct vchiq_instance *instance, > > > "found bulk_waiter %pK for pid %d", waiter, > > > current->pid); > > > userdata = &waiter->bulk_waiter; > > > + } else { > > > + userdata = args->userdata;
> >
> > "args->userdata" is marked as a user pointer so we really don't want to
> > mix user and kernel pointers here.  Presumably this opens up a large
> > security hole.
>
> It's an opaque, pointer-sized token that only exists to be returned to userspace (or not,
> without this patch) - it's hard to see that as a security hole.

I was assuming the bug here was a NULL dereference...  Apparently that's
not the case?  The commit message needs to be updated to be more clear
about what the bug looks like to the user.

Are we using the "&waiter->bulk_waiter" as a "token to be returned to
userspace" as well?  It looks like maybe it is in vchiq_put_completion().
That defeats KASLR and is a different sort of security problem.

Mixing __user pointers and regular pointers is dangerous and has led to
security problems in this driver in the past.  But also mixing
tokens with pointers just makes the code hard to read.  Instead of
undoing Arnd's work where he split the user space and kernel pointers
apart we should go ahead and split it up even more.  At least add a giant
FIXME comment and an item in the TODO list so we don't forget to do this
before removing the code from staging.

regards,
dan carpenter
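The separation asked for in the message above, sketched as an added user-space C model (not code from the vchiq driver or from anyone in this thread). All type, enum and function names are hypothetical; it keeps the caller's token as an integer and the waiter as a tagged kernel-side pointer, so only the token can reach the record copied back to the caller.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* User-space model; every name here is hypothetical, none is driver code. */

enum bulk_mode { MODE_CALLBACK, MODE_BLOCKING, MODE_WAITING };

/* The caller's token is an integer, so it can never be dereferenced. */
typedef uint64_t user_cookie_t;

/* Stand-in for the kernel-side waiter object. */
struct bulk_waiter { int done; };

/* Pattern under discussion: one untyped slot holds either kind of value. */
static uintptr_t mixed_token(enum bulk_mode mode, user_cookie_t cookie,
			     struct bulk_waiter *waiter)
{
	void *userdata;

	if (mode == MODE_BLOCKING || mode == MODE_WAITING)
		userdata = waiter;                      /* kernel address */
	else
		userdata = (void *)(uintptr_t)cookie;   /* caller's token */
	return (uintptr_t)userdata;  /* later code cannot tell which it got */
}

/* Split version: the tag records what the slot holds. */
enum ctx_kind { CTX_NONE, CTX_USER_COOKIE, CTX_KERNEL_WAITER };

struct bulk_ctx {
	enum ctx_kind kind;
	union {
		user_cookie_t cookie;        /* kind == CTX_USER_COOKIE */
		struct bulk_waiter *waiter;  /* kind == CTX_KERNEL_WAITER */
	} u;
};

static struct bulk_ctx make_bulk_ctx(enum bulk_mode mode, user_cookie_t cookie,
				     struct bulk_waiter *waiter)
{
	struct bulk_ctx ctx = { .kind = CTX_NONE };

	if (mode == MODE_BLOCKING || mode == MODE_WAITING) {
		if (waiter) {
			ctx.kind = CTX_KERNEL_WAITER;
			ctx.u.waiter = waiter;
		}
	} else {
		ctx.kind = CTX_USER_COOKIE;
		ctx.u.cookie = cookie;
	}
	return ctx;
}

/* Kernel-internal accessor: the only way to reach the waiter pointer. */
static struct bulk_waiter *ctx_waiter(const struct bulk_ctx *ctx)
{
	return ctx->kind == CTX_KERNEL_WAITER ? ctx->u.waiter : NULL;
}

/* Record that would be copied out to the caller. */
struct completion_to_user { user_cookie_t bulk_userdata; };

/* Boundary function: fills the record from a cookie only, never an address. */
static bool fill_completion(const struct bulk_ctx *ctx,
			    struct completion_to_user *out)
{
	out->bulk_userdata = 0;
	if (ctx->kind != CTX_USER_COOKIE)
		return false;
	out->bulk_userdata = ctx->u.cookie;
	return true;
}

int main(void)
{
	struct bulk_waiter w = { 0 };
	struct completion_to_user out;
	struct bulk_ctx cb = make_bulk_ctx(MODE_CALLBACK, 0x1234, NULL);
	struct bulk_ctx bl = make_bulk_ctx(MODE_BLOCKING, 0x1234, &w);

	printf("mixed slot holds the waiter address in blocking mode: %d\n",
	       mixed_token(MODE_BLOCKING, 0x1234, &w) == (uintptr_t)&w);
	printf("callback mode returns the cookie: %d\n",
	       fill_completion(&cb, &out) && out.bulk_userdata == 0x1234);
	printf("blocking mode exposes nothing: %d\n",
	       !fill_completion(&bl, &out) && out.bulk_userdata == 0);
	return 0;
}
```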
* Re: [PATCH 1/2] staging: vchiq: Fix bulk userdata handling
From: Phil Elwell @ 2021-01-05 11:53 UTC
To: Dan Carpenter
Cc: devel, Arnd Bergmann, Greg Kroah-Hartman, maintainer:BROADCOM BCM7XXX ARM ARCHITECTURE, linux-arm-kernel, Nicolas Saenz Julienne, moderated list:BROADCOM BCM2711/BCM2835 ARM ARCHITECTURE

On Tue, 5 Jan 2021 at 11:04, Dan Carpenter <dan.carpenter@oracle.com> wrote:
>
> On Mon, Jan 04, 2021 at 07:26:42PM +0000, Phil Elwell wrote:
> > On 04/01/2021 18:31, Dan Carpenter wrote:
> > > On Mon, Jan 04, 2021 at 12:09:27PM +0000, Phil Elwell wrote:
> > > > The addition of the local 'userdata' pointer to
> > > > vchiq_irq_queue_bulk_tx_rx omitted the case where neither BLOCKING nor
> > > > WAITING modes are used, in which case the value provided by the
> > > > caller is replaced with a NULL.
> > > >
> > > > Fixes: 4184da4f316a ("staging: vchiq: fix __user annotations")
> > > >
> > > > Signed-off-by: Phil Elwell <phil@raspberrypi.com>
> > > > --- > > > > drivers/staging/vc04_services/interface/vchiq_arm/vchiq_arm.c | 4 +++- > > > > 1 file changed, 3 insertions(+), 1 deletion(-) > > > > > > > > diff --git a/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_arm.c b/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_arm.c > > > > index f500a7043805..2a8883673ba1 100644 > > > > --- a/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_arm.c > > > > +++ b/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_arm.c > > > > @@ -958,7 +958,7 @@ static int vchiq_irq_queue_bulk_tx_rx(struct vchiq_instance *instance, > > > > struct vchiq_service *service; > > > > struct bulk_waiter_node *waiter = NULL; > > > > bool found = false; > > > > - void *userdata = NULL; > > > > + void *userdata; > > > > int status = 0; > > > > int ret; 
> > > > @@ -997,6 +997,8 @@ static int vchiq_irq_queue_bulk_tx_rx(struct vchiq_instance *instance, > > > > "found bulk_waiter %pK for pid %d", waiter, > > > > current->pid); > > > > userdata = &waiter->bulk_waiter; > > > > + } else { > > > > + userdata = args->userdata;
> > >
> > > "args->userdata" is marked as a user pointer so we really don't want to
> > > mix user and kernel pointers here.  Presumably this opens up a large
> > > security hole.
> >
> > It's an opaque, pointer-sized token that only exists to be returned to userspace (or not,
> > without this patch) - it's hard to see that as a security hole.
>
> I was assuming the bug here was a NULL dereference...  Apparently that's
> not the case?  The commit message needs to be updated to be more clear
> about what the bug looks like to the user.
>
> Are we using the "&waiter->bulk_waiter" as a "token to be returned to
> userspace" as well?  It looks like maybe it is in vchiq_put_completion().
> That defeats KASLR and is a different sort of security problem.
>
> Mixing __user pointers and regular pointers is dangerous and has led to
> security problems in this driver in the past.  But also mixing
> tokens with pointers just makes the code hard to read.  Instead of
> undoing Arnd's work where he split the user space and kernel pointers
> apart we should go ahead and split it up even more.  At least add a giant
> FIXME comment and an item in the TODO list so we don't forget to do this
> before removing the code from staging.

Those all sound like valid comments to have made against the original
patch, but that seems to have received little attention.

I'll just leave this here - perhaps Arnd has the patience to finish the job.

Phil
* Re: [PATCH 1/2] staging: vchiq: Fix bulk userdata handling
From: Dan Carpenter @ 2021-01-05 13:22 UTC
To: Phil Elwell
Cc: devel, Arnd Bergmann, Greg Kroah-Hartman, maintainer:BROADCOM BCM7XXX ARM ARCHITECTURE, linux-arm-kernel, Nicolas Saenz Julienne, moderated list:BROADCOM BCM2711/BCM2835 ARM ARCHITECTURE

On Tue, Jan 05, 2021 at 11:53:32AM +0000, Phil Elwell wrote:
> On Tue, 5 Jan 2021 at 11:04, Dan Carpenter <dan.carpenter@oracle.com> wrote:
> >
> > On Mon, Jan 04, 2021 at 07:26:42PM +0000, Phil Elwell wrote:
> > > On 04/01/2021 18:31, Dan Carpenter wrote:
> > > > On Mon, Jan 04, 2021 at 12:09:27PM +0000, Phil Elwell wrote:
> > > > > The addition of the local 'userdata' pointer to
> > > > > vchiq_irq_queue_bulk_tx_rx omitted the case where neither BLOCKING nor
> > > > > WAITING modes are used, in which case the value provided by the
> > > > > caller is replaced with a NULL.
> > > > >
> > > > > Fixes: 4184da4f316a ("staging: vchiq: fix __user annotations")
> > > > >
> > > > > Signed-off-by: Phil Elwell <phil@raspberrypi.com>
> > > > > --- > > > > > drivers/staging/vc04_services/interface/vchiq_arm/vchiq_arm.c | 4 +++- > > > > > 1 file changed, 3 insertions(+), 1 deletion(-) > > > > > > > > > > diff --git a/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_arm.c b/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_arm.c > > > > > index f500a7043805..2a8883673ba1 100644 > > > > > --- a/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_arm.c > > > > > +++ b/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_arm.c 
> > > > > @@ -958,7 +958,7 @@ static int vchiq_irq_queue_bulk_tx_rx(struct vchiq_instance *instance, > > > > > struct vchiq_service *service; > > > > > struct bulk_waiter_node *waiter = NULL; > > > > > bool found = false; > > > > > - void *userdata = NULL; > > > > > + void *userdata; > > > > > int status = 0; > > > > > int ret; 
> > > > > @@ -997,6 +997,8 @@ static int vchiq_irq_queue_bulk_tx_rx(struct vchiq_instance *instance, > > > > > "found bulk_waiter %pK for pid %d", waiter, > > > > > current->pid); > > > > > userdata = &waiter->bulk_waiter; > > > > > + } else { > > > > > + userdata = args->userdata; > > > > > > > > "args->userdata" is marked as a user pointer so we really don't want to > > > > mix user and kernel pointers here. Presumably this opens up a large > > > > security hole. > > > > > > It's an opaque, pointer-sized token that only exists to be returned to userspace (or not, > > > without this patch) - it's hard to see that as a security hole. > > > > I was assuming the bug here was a NULL dereference... Apparently that's > > not the case? The commit message needs to be updated to be more clear > > about how the bug looks like to the user. > > > > Are we using the "&waiter->bulk_waiter" as a "token to be returned to > > userspace" as well? It looks like maybe it is in vchiq_put_completion(). > > That defeats KASLR and is a different sort of security problem. > > > > Mixing __user pointers and regular pointers is dangerous and has led to > > security problems in this driver in the past. But also mixing > > tokens with pointers just makes the code hard to read. Instead of > > undoing Arnd's work where he split the user space and kernel pointers > > apart we should go ahead and split it up even more. At least add a giant > > FIXME comment and an item in the TODO list so we don't forget to do this > > before removing the code from staging. > > Those all sound like valid comments to have made against the original > patch, but that seems to have received little attention. > > I'll just leave this here - perhaps Arnd has the patience to finish the job. I kind of have a headache today so maybe I shouldn't be sending emails. But really, all I'm asking for is two fairly reasonable things: 1) The commit message needs to say what the bug looks like to the user. 
Up to now, I still have no idea the answer to this question. 2) Put a note in the TODO which says: "Clean up Sparse warnings from __user annotations. See vchiq_irq_queue_bulk_tx_rx(). Ensure that the address of "&waiter->bulk_waiter" is never disclosed to userspace." regards, dan carpenter
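Review bot: In the @@ -997 hunk of the quoted patch, the new "else" branch stores "args->userdata", which the review identifies as a __user-annotated value, in the same plain "void *userdata" local that the branch above fills with the kernel address "&waiter->bulk_waiter". One variable then carries either a caller-supplied token or a kernel pointer, so Sparse warns about the address-space mismatch and nothing in the type prevents later code from dereferencing the token or handing the kernel address back to the caller. Suggest a separate local for the userspace token, or at minimum a FIXME comment on the assignment plus the TODO entry requested above. The commit message should also state what the lost userdata looks like from userspace.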
* Re: [PATCH 1/2] staging: vchiq: Fix bulk userdata handling 2021-01-05 11:53 ` Phil Elwell @ 2021-01-05 15:13 ` Arnd Bergmann -1 siblings, 0 replies; 20+ messages in thread From: Arnd Bergmann @ 2021-01-05 15:13 UTC (permalink / raw) To: Phil Elwell Cc: driverdevel, moderated list:BROADCOM BCM2711/BCM2835 ARM ARCHITECTURE, Arnd Bergmann, Greg Kroah-Hartman, maintainer:BROADCOM BCM7XXX ARM ARCHITECTURE, Dan Carpenter, Nicolas Saenz Julienne, Linux ARM On Tue, Jan 5, 2021 at 12:53 PM Phil Elwell <phil@raspberrypi.com> wrote: > On Tue, 5 Jan 2021 at 11:04, Dan Carpenter <dan.carpenter@oracle.com> wrote: > > > > Mixing __user pointers and regular pointers is dangerous and has led to > > security problems in this driver in the past. But also mixing > > tokens with pointers just makes the code hard to read. Instead of > > undoing Arnd's work where he split the user space and kernel pointers > > apart we should go ahead and split it up even more. At least add a giant > > FIXME comment and an item in the TODO list so we don't forget to do this > > before removing the code from staging. > > Those all sound like valid comments to have made against the original > patch, but that seems to have received little attention. > > I'll just leave this here - perhaps Arnd has the patience to finish the job. I don't really have an interest in this driver. I did a larger cleanup in order to kill off copy_in_user() from the kernel, and then cleaned it up some more for good measure, but I would hope someone else can finish the address space mismatch. Arnd
* [PATCH 2/2] staging: vchiq: Fix bulk transfers on 64-bit builds 2021-01-04 12:09 ` Phil Elwell @ 2021-01-04 12:09 ` Phil Elwell -1 siblings, 0 replies; 20+ messages in thread From: Phil Elwell @ 2021-01-04 12:09 UTC (permalink / raw) To: Nicolas Saenz Julienne, Greg Kroah-Hartman, Arnd Bergmann, Dan Carpenter, bcm-kernel-feedback-list, linux-rpi-kernel, linux-arm-kernel, devel Cc: Phil Elwell The recent change to the bulk transfer compat function missed the fact the relevant ioctl command is VCHIQ_IOC_QUEUE_BULK_TRANSMIT32, not VCHIQ_IOC_QUEUE_BULK_TRANSMIT, as any attempt to send a bulk block to the VPU would have shown. Fixes: a4367cd2b231 ("staging: vchiq: convert compat bulk transfer") Signed-off-by: Phil Elwell <phil@raspberrypi.com> --- drivers/staging/vc04_services/interface/vchiq_arm/vchiq_arm.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_arm.c b/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_arm.c index 2a8883673ba1..2ca5805b2fce 100644 --- a/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_arm.c +++ b/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_arm.c @@ -1717,7 +1717,7 @@ vchiq_compat_ioctl_queue_bulk(struct file *file, { struct vchiq_queue_bulk_transfer32 args32; struct vchiq_queue_bulk_transfer args; - enum vchiq_bulk_dir dir = (cmd == VCHIQ_IOC_QUEUE_BULK_TRANSMIT) ? + enum vchiq_bulk_dir dir = (cmd == VCHIQ_IOC_QUEUE_BULK_TRANSMIT32) ? VCHIQ_BULK_TRANSMIT : VCHIQ_BULK_RECEIVE; if (copy_from_user(&args32, argp, sizeof(args32))) -- 2.25.1
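Review bot: In the @@ -1717 hunk, the ternary maps every "cmd" other than VCHIQ_IOC_QUEUE_BULK_TRANSMIT32 to VCHIQ_BULK_RECEIVE, which is how the previous comparison against the non-32 constant let a compat transmit fall through as a receive without any error. Nothing in the visible lines checks that "cmd" is one of the two expected compat commands, so consider matching the receive command explicitly and returning an error otherwise, or add a comment stating that the caller only dispatches those two commands to this function. The commit message should also say what the failure looked like from userspace, beyond "as any attempt to send a bulk block to the VPU would have shown".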