kernel-janitors.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
* [PATCH 1/4] drm/amdgpu: fix a signedness bug in __verify_ras_table_checksum()
@ 2021-07-03  9:44 Dan Carpenter
  2021-07-03  9:44 ` [PATCH 2/4] drm/amdgpu: Fix signedness bug in __amdgpu_eeprom_xfer() Dan Carpenter
                   ` (3 more replies)
  0 siblings, 4 replies; 6+ messages in thread
From: Dan Carpenter @ 2021-07-03  9:44 UTC (permalink / raw)
  To: Alex Deucher, Luben Tuikov
  Cc: Christian König, Pan, Xinhui, David Airlie, Daniel Vetter,
	Hawking Zhang, Guchun Chen, John Clements, Dennis Li, amd-gfx,
	dri-devel, kernel-janitors

If amdgpu_eeprom_read() returns a negative error code then the error
handling checks:

	if (res < buf_size) {

The problem is that "buf_size" is a u32 so negative values are type
promoted to a high positive values and the condition is false.  Fix
this by changing the type of "buf_size" to int.

Fixes: 79beb6114014 ("drm/amdgpu: Optimize EEPROM RAS table I/O")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
---
It's hard for me to tell the exact upper bound that "buf_size" can be,
but if it's over USHRT_MAX then we are well toasted.

 drivers/gpu/drm/amd/amdgpu/amdgpu_ras_eeprom.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_ras_eeprom.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_ras_eeprom.c
index fc70620369e4..f07a456506ef 100644
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_ras_eeprom.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_ras_eeprom.c
@@ -978,9 +978,8 @@ const struct file_operations amdgpu_ras_debugfs_eeprom_table_ops = {
 static int __verify_ras_table_checksum(struct amdgpu_ras_eeprom_control *control)
 {
 	struct amdgpu_device *adev = to_amdgpu_device(control);
-	int res;
+	int buf_size, res;
 	u8  csum, *buf, *pp;
-	u32 buf_size;
 
 	buf_size = RAS_TABLE_HEADER_SIZE +
 		control->ras_num_recs * RAS_TABLE_RECORD_SIZE;
-- 
2.30.2


^ permalink raw reply	[flat|nested] 6+ messages in thread

* [PATCH 2/4] drm/amdgpu: Fix signedness bug in __amdgpu_eeprom_xfer()
  2021-07-03  9:44 [PATCH 1/4] drm/amdgpu: fix a signedness bug in __verify_ras_table_checksum() Dan Carpenter
@ 2021-07-03  9:44 ` Dan Carpenter
  2021-07-03  9:45 ` [PATCH 3/4] drm/amdgpu: unlock on error in amdgpu_ras_debugfs_table_read() Dan Carpenter
                   ` (2 subsequent siblings)
  3 siblings, 0 replies; 6+ messages in thread
From: Dan Carpenter @ 2021-07-03  9:44 UTC (permalink / raw)
  To: Alex Deucher, Luben Tuikov
  Cc: Christian König, Pan, Xinhui, David Airlie, Daniel Vetter,
	Roman Li, Nicholas Kazlauskas, Bindu Ramamurthy,
	Andrey Grodzovsky, amd-gfx, dri-devel, kernel-janitors

The i2c_transfer() function returns negatives or else the number of
messages transferred.  This code does not work because ARRAY_SIZE()
is type size_t and so that means negative values of "r" are type
promoted to high positive values which are greater than the ARRAY_SIZE().

Fix this by changing the < to != which works regardless of type
promotion.

Fixes: 6cda0af81a50 ("drm/amdgpu: Fixes to the AMDGPU EEPROM driver")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
---
 drivers/gpu/drm/amd/amdgpu/amdgpu_eeprom.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_eeprom.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_eeprom.c
index 4c3c65a5acae..4d9eb0137f8c 100644
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_eeprom.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_eeprom.c
@@ -147,7 +147,7 @@ static int __amdgpu_eeprom_xfer(struct i2c_adapter *i2c_adap, u32 eeprom_addr,
 		/* This constitutes a START-STOP transaction.
 		 */
 		r = i2c_transfer(i2c_adap, msgs, ARRAY_SIZE(msgs));
-		if (r < ARRAY_SIZE(msgs))
+		if (r != ARRAY_SIZE(msgs))
 			break;
 
 		if (!read) {
-- 
2.30.2


^ permalink raw reply	[flat|nested] 6+ messages in thread

* [PATCH 3/4] drm/amdgpu: unlock on error in amdgpu_ras_debugfs_table_read()
  2021-07-03  9:44 [PATCH 1/4] drm/amdgpu: fix a signedness bug in __verify_ras_table_checksum() Dan Carpenter
  2021-07-03  9:44 ` [PATCH 2/4] drm/amdgpu: Fix signedness bug in __amdgpu_eeprom_xfer() Dan Carpenter
@ 2021-07-03  9:45 ` Dan Carpenter
  2021-07-03  9:46 ` [PATCH 4/4] drm/amdgpu: return -EFAULT if copy_to_user() fails Dan Carpenter
  2021-07-04 15:18 ` [PATCH 1/4] drm/amdgpu: fix a signedness bug in __verify_ras_table_checksum() Luben Tuikov
  3 siblings, 0 replies; 6+ messages in thread
From: Dan Carpenter @ 2021-07-03  9:45 UTC (permalink / raw)
  To: Alex Deucher, Luben Tuikov
  Cc: Christian König, Pan, Xinhui, David Airlie, Daniel Vetter,
	Hawking Zhang, Guchun Chen, John Clements, Dennis Li, amd-gfx,
	dri-devel, kernel-janitors

This error path needs to unlock before returning.  While we're at it,
the correct error code from copy_to_user() failure is -EFAULT, not
-EINVAL.

Fixes: 9b790694a031 (""drm/amdgpu: RAS EEPROM table is now in debugfs)
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
---
 drivers/gpu/drm/amd/amdgpu/amdgpu_ras_eeprom.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_ras_eeprom.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_ras_eeprom.c
index f07a456506ef..3e33e85d8dbc 100644
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_ras_eeprom.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_ras_eeprom.c
@@ -821,7 +821,7 @@ static ssize_t amdgpu_ras_debugfs_table_read(struct file *f, char __user *buf,
 	struct amdgpu_ras *ras = amdgpu_ras_get_context(adev);
 	struct amdgpu_ras_eeprom_control *control = &ras->eeprom_control;
 	const size_t orig_size = size;
-	int res = -EINVAL;
+	int res = -EFAULT;
 	size_t data_len;
 
 	mutex_lock(&control->ras_tbl_mutex);
@@ -912,8 +912,10 @@ static ssize_t amdgpu_ras_debugfs_table_read(struct file *f, char __user *buf,
 				 record.retired_page);
 
 			data_len = min_t(size_t, rec_hdr_fmt_size - r, size);
-			if (copy_to_user(buf, &data[r], data_len))
-				return -EINVAL;
+			if (copy_to_user(buf, &data[r], data_len)) {
+				res = -EFAULT;
+				goto Out;
+			}
 			buf += data_len;
 			size -= data_len;
 			*pos += data_len;
-- 
2.30.2


^ permalink raw reply	[flat|nested] 6+ messages in thread

* [PATCH 4/4] drm/amdgpu: return -EFAULT if copy_to_user() fails
  2021-07-03  9:44 [PATCH 1/4] drm/amdgpu: fix a signedness bug in __verify_ras_table_checksum() Dan Carpenter
  2021-07-03  9:44 ` [PATCH 2/4] drm/amdgpu: Fix signedness bug in __amdgpu_eeprom_xfer() Dan Carpenter
  2021-07-03  9:45 ` [PATCH 3/4] drm/amdgpu: unlock on error in amdgpu_ras_debugfs_table_read() Dan Carpenter
@ 2021-07-03  9:46 ` Dan Carpenter
  2021-07-04 15:18 ` [PATCH 1/4] drm/amdgpu: fix a signedness bug in __verify_ras_table_checksum() Luben Tuikov
  3 siblings, 0 replies; 6+ messages in thread
From: Dan Carpenter @ 2021-07-03  9:46 UTC (permalink / raw)
  To: Alex Deucher, Luben Tuikov
  Cc: Christian König, Pan, Xinhui, David Airlie, Daniel Vetter,
	Hawking Zhang, Guchun Chen, John Clements, Dennis Li, amd-gfx,
	dri-devel, kernel-janitors

If copy_to_user() fails then this should return -EFAULT instead of
-EINVAL.

Fixes: 9b790694a031 ("drm/amdgpu: RAS EEPROM table is now in debugfs")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
---
 drivers/gpu/drm/amd/amdgpu/amdgpu_ras_eeprom.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_ras_eeprom.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_ras_eeprom.c
index 3e33e85d8dbc..d2e5b2567bc1 100644
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_ras_eeprom.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_ras_eeprom.c
@@ -771,7 +771,7 @@ amdgpu_ras_debugfs_eeprom_size_read(struct file *f, char __user *buf,
 	res = min_t(size_t, res, size);
 
 	if (copy_to_user(buf, &data[*pos], res))
-		return -EINVAL;
+		return -EFAULT;
 
 	*pos += res;
 
@@ -950,7 +950,7 @@ amdgpu_ras_debugfs_eeprom_table_read(struct file *f, char __user *buf,
 		res = min_t(size_t, res, size);
 
 		if (copy_to_user(buf, &data[*pos], res))
-			return -EINVAL;
+			return -EFAULT;
 
 		*pos += res;
 
-- 
2.30.2


^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [PATCH 1/4] drm/amdgpu: fix a signedness bug in __verify_ras_table_checksum()
  2021-07-03  9:44 [PATCH 1/4] drm/amdgpu: fix a signedness bug in __verify_ras_table_checksum() Dan Carpenter
                   ` (2 preceding siblings ...)
  2021-07-03  9:46 ` [PATCH 4/4] drm/amdgpu: return -EFAULT if copy_to_user() fails Dan Carpenter
@ 2021-07-04 15:18 ` Luben Tuikov
  2021-07-06  0:52   ` Luben Tuikov
  3 siblings, 1 reply; 6+ messages in thread
From: Luben Tuikov @ 2021-07-04 15:18 UTC (permalink / raw)
  To: Dan Carpenter, Alex Deucher
  Cc: Christian König, Pan, Xinhui, David Airlie, Daniel Vetter,
	Hawking Zhang, Guchun Chen, John Clements, Dennis Li, amd-gfx,
	dri-devel, kernel-janitors

Series is,
Reviewed-by: Luben Tuikov <luben.tuikov@amd.com>

Regards,
Luben

On 2021-07-03 5:44 a.m., Dan Carpenter wrote:
> If amdgpu_eeprom_read() returns a negative error code then the error
> handling checks:
>
> 	if (res < buf_size) {
>
> The problem is that "buf_size" is a u32 so negative values are type
> promoted to a high positive values and the condition is false.  Fix
> this by changing the type of "buf_size" to int.
>
> Fixes: 79beb6114014 ("drm/amdgpu: Optimize EEPROM RAS table I/O")
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> ---
> It's hard for me to tell the exact upper bound that "buf_size" can be,
> but if it's over USHRT_MAX then we are well toasted.
>
>  drivers/gpu/drm/amd/amdgpu/amdgpu_ras_eeprom.c | 3 +--
>  1 file changed, 1 insertion(+), 2 deletions(-)
>
> diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_ras_eeprom.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_ras_eeprom.c
> index fc70620369e4..f07a456506ef 100644
> --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_ras_eeprom.c
> +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_ras_eeprom.c
> @@ -978,9 +978,8 @@ const struct file_operations amdgpu_ras_debugfs_eeprom_table_ops = {
>  static int __verify_ras_table_checksum(struct amdgpu_ras_eeprom_control *control)
>  {
>  	struct amdgpu_device *adev = to_amdgpu_device(control);
> -	int res;
> +	int buf_size, res;
>  	u8  csum, *buf, *pp;
> -	u32 buf_size;
>  
>  	buf_size = RAS_TABLE_HEADER_SIZE +
>  		control->ras_num_recs * RAS_TABLE_RECORD_SIZE;


^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [PATCH 1/4] drm/amdgpu: fix a signedness bug in __verify_ras_table_checksum()
  2021-07-04 15:18 ` [PATCH 1/4] drm/amdgpu: fix a signedness bug in __verify_ras_table_checksum() Luben Tuikov
@ 2021-07-06  0:52   ` Luben Tuikov
  0 siblings, 0 replies; 6+ messages in thread
From: Luben Tuikov @ 2021-07-06  0:52 UTC (permalink / raw)
  To: Dan Carpenter, Alex Deucher
  Cc: Christian König, Pan, Xinhui, David Airlie, Daniel Vetter,
	Hawking Zhang, Guchun Chen, John Clements, Dennis Li, amd-gfx,
	dri-devel, kernel-janitors

Alex,

I think we should pull these through amd-staging-drm-next.

Regards,
Luben

On 2021-07-04 11:18 a.m., Luben Tuikov wrote:
> Series is,
> Reviewed-by: Luben Tuikov <luben.tuikov@amd.com>
>
> Regards,
> Luben
>
> On 2021-07-03 5:44 a.m., Dan Carpenter wrote:
>> If amdgpu_eeprom_read() returns a negative error code then the error
>> handling checks:
>>
>> 	if (res < buf_size) {
>>
>> The problem is that "buf_size" is a u32 so negative values are type
>> promoted to a high positive values and the condition is false.  Fix
>> this by changing the type of "buf_size" to int.
>>
>> Fixes: 79beb6114014 ("drm/amdgpu: Optimize EEPROM RAS table I/O")
>> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
>> ---
>> It's hard for me to tell the exact upper bound that "buf_size" can be,
>> but if it's over USHRT_MAX then we are well toasted.
>>
>>  drivers/gpu/drm/amd/amdgpu/amdgpu_ras_eeprom.c | 3 +--
>>  1 file changed, 1 insertion(+), 2 deletions(-)
>>
>> diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_ras_eeprom.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_ras_eeprom.c
>> index fc70620369e4..f07a456506ef 100644
>> --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_ras_eeprom.c
>> +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_ras_eeprom.c
>> @@ -978,9 +978,8 @@ const struct file_operations amdgpu_ras_debugfs_eeprom_table_ops = {
>>  static int __verify_ras_table_checksum(struct amdgpu_ras_eeprom_control *control)
>>  {
>>  	struct amdgpu_device *adev = to_amdgpu_device(control);
>> -	int res;
>> +	int buf_size, res;
>>  	u8  csum, *buf, *pp;
>> -	u32 buf_size;
>>  
>>  	buf_size = RAS_TABLE_HEADER_SIZE +
>>  		control->ras_num_recs * RAS_TABLE_RECORD_SIZE;


^ permalink raw reply	[flat|nested] 6+ messages in thread

end of thread, other threads:[~2021-07-06  0:52 UTC | newest]

Thread overview: 6+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-07-03  9:44 [PATCH 1/4] drm/amdgpu: fix a signedness bug in __verify_ras_table_checksum() Dan Carpenter
2021-07-03  9:44 ` [PATCH 2/4] drm/amdgpu: Fix signedness bug in __amdgpu_eeprom_xfer() Dan Carpenter
2021-07-03  9:45 ` [PATCH 3/4] drm/amdgpu: unlock on error in amdgpu_ras_debugfs_table_read() Dan Carpenter
2021-07-03  9:46 ` [PATCH 4/4] drm/amdgpu: return -EFAULT if copy_to_user() fails Dan Carpenter
2021-07-04 15:18 ` [PATCH 1/4] drm/amdgpu: fix a signedness bug in __verify_ras_table_checksum() Luben Tuikov
2021-07-06  0:52   ` Luben Tuikov

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).