[Bug 188621] New: Function kfd_wait_on_events() does not set error code when the call to copy_from_user() fails

[Bug 188621] New: Function kfd_wait_on_events() does not set error code when the call to copy_from_user() fails

[bugzilla-daemon]

https://bugzilla.kernel.org/show_bug.cgi?id=188621

            Bug ID: 188621
           Summary: Function kfd_wait_on_events() does not set error code
                    when the call to copy_from_user() fails
           Product: Drivers
           Version: 2.5
    Kernel Version: linux-4.9-rc6
          Hardware: All
                OS: Linux
              Tree: Mainline
            Status: NEW
          Severity: normal
          Priority: P1
         Component: Video(DRI - non Intel)
          Assignee: drivers_video-dri@kernel-bugs.osdl.org
          Reporter: bianpan2010@ruc.edu.cn
        Regression: No

The return value of copy_from_user() indicates the number of bytes that cannot
be copied, and there may be something wrong when the value is non-zero. In
function kfd_wait_on_events() defined in file
drivers/gpu/drm/amd/amdkfd/kfd_events.c, variable ret takes the error code. At
line 743, the value of ret must be 0, and thus it will return 0 when
copy_from_user() fails. 0 indicates there is no error, which is contrary to the
fact. Maybe it is better to assign "-EFAULT" to ret when the check of the
return value of copy_from_user() fails at line 741. Codes related to this bug
are summarised as follows.

kfd_wait_on_events @@ drivers/gpu/drm/amd/amdkfd/kfd_events.c
718 int kfd_wait_on_events(struct kfd_process *p,
719                uint32_t num_events, void __user *data,
720                bool all, uint32_t user_timeout_ms,
721                enum kfd_event_wait_result *wait_result)
722 {
        ...
726     int ret = 0;
        ...
730     mutex_lock(&p->event_mutex);
731 
732     event_waiters = alloc_event_waiters(num_events);
733     if (!event_waiters) {
734         ret = -ENOMEM;
735         goto fail;
736     }
737 
738     for (i = 0; i < num_events; i++) {
739         struct kfd_event_data event_data;
740 
741         if (copy_from_user(&event_data, &events[i],
742                 sizeof(struct kfd_event_data)))
743             goto fail;   // insert "ret = -EFAULT;" before this jump
instruction?
744 
745         ret = init_event_waiter(p, &event_waiters[i],
746                 event_data.event_id, i);
747         if (ret)
748             goto fail;
749     }
        ...
796 fail:
797     if (event_waiters)
798         free_waiters(num_events, event_waiters);
799 
800     mutex_unlock(&p->event_mutex);
801 
802     *wait_result = KFD_WAIT_ERROR;
803 
804     return ret;
805 }

Thanks very much!

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
_______________________________________________
dri-devel mailing list
dri-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/dri-devel

[Bug 188621] Function kfd_wait_on_events() does not set error code when the call to copy_from_user() fails

[bugzilla-daemon]

https://bugzilla.kernel.org/show_bug.cgi?id=188621

--- Comment #1 from Oded Gabbay <oded.gabbay@gmail.com> ---
I'll look into it.
Thanks for the bug.
Oded

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
_______________________________________________
dri-devel mailing list
dri-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/dri-devel

[Bug 188621] Function kfd_wait_on_events() does not set error code when the call to copy_from_user() fails

[bugzilla-daemon]

https://bugzilla.kernel.org/show_bug.cgi?id=188621

--- Comment #2 from bianpan <bianpan2010@ruc.edu.cn> ---
Created attachment 246531
  --> https://bugzilla.kernel.org/attachment.cgi?id=246531&action=edit
A patch to fix the bug

I created a patch to fix the bug. Please check whether it is suitable. Thanks!

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
_______________________________________________
dri-devel mailing list
dri-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/dri-devel

[Bug 188621] Function kfd_wait_on_events() does not set error code when the call to copy_from_user() fails

[bugzilla-daemon]

https://bugzilla.kernel.org/show_bug.cgi?id=188621

--- Comment #3 from Oded Gabbay <oded.gabbay@gmail.com> ---
I'll take a look.
Thanks!
Oded

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
_______________________________________________
dri-devel mailing list
dri-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/dri-devel

[Bug 188621] Function kfd_wait_on_events() does not set error code when the call to copy_from_user() fails

[bugzilla-daemon]

https://bugzilla.kernel.org/show_bug.cgi?id=188621

--- Comment #4 from Oded Gabbay <oded.gabbay@gmail.com> ---
Hi,
Sent the patch to upstream for kernel 4.11 merge window.

Oded

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
_______________________________________________
dri-devel mailing list
dri-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/dri-devel

[Bug 188621] Function kfd_wait_on_events() does not set error code when the call to copy_from_user() fails

[bugzilla-daemon]

https://bugzilla.kernel.org/show_bug.cgi?id=188621

bianpan (bianpan2010@ruc.edu.cn) changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |CODE_FIX

--- Comment #5 from bianpan (bianpan2010@ruc.edu.cn) ---
Bug fixed. Thanks. I will close it.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
_______________________________________________
dri-devel mailing list
dri-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/dri-devel