* [PATCH 2/4] drm/amdgpu: Fix signedness bug in __amdgpu_eeprom_xfer()
2021-07-03 9:44 [PATCH 1/4] drm/amdgpu: fix a signedness bug in __verify_ras_table_checksum() Dan Carpenter
@ 2021-07-03 9:44 ` Dan Carpenter
2021-07-03 9:45 ` [PATCH 3/4] drm/amdgpu: unlock on error in amdgpu_ras_debugfs_table_read() Dan Carpenter
` (2 subsequent siblings)
3 siblings, 0 replies; 6+ messages in thread
From: Dan Carpenter @ 2021-07-03 9:44 UTC (permalink / raw)
To: Alex Deucher, Luben Tuikov
Cc: Christian König, Pan, Xinhui, David Airlie, Daniel Vetter,
Roman Li, Nicholas Kazlauskas, Bindu Ramamurthy,
Andrey Grodzovsky, amd-gfx, dri-devel, kernel-janitors
The i2c_transfer() function returns negatives or else the number of
messages transferred. This code does not work because ARRAY_SIZE()
is type size_t and so that means negative values of "r" are type
promoted to high positive values which are greater than the ARRAY_SIZE().
Fix this by changing the < to != which works regardless of type
promotion.
Fixes: 6cda0af81a50 ("drm/amdgpu: Fixes to the AMDGPU EEPROM driver")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
---
drivers/gpu/drm/amd/amdgpu/amdgpu_eeprom.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_eeprom.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_eeprom.c
index 4c3c65a5acae..4d9eb0137f8c 100644
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_eeprom.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_eeprom.c
@@ -147,7 +147,7 @@ static int __amdgpu_eeprom_xfer(struct i2c_adapter *i2c_adap, u32 eeprom_addr,
/* This constitutes a START-STOP transaction.
*/
r = i2c_transfer(i2c_adap, msgs, ARRAY_SIZE(msgs));
- if (r < ARRAY_SIZE(msgs))
+ if (r != ARRAY_SIZE(msgs))
break;
if (!read) {
--
2.30.2
^ permalink raw reply related [flat|nested] 6+ messages in thread
* [PATCH 3/4] drm/amdgpu: unlock on error in amdgpu_ras_debugfs_table_read()
2021-07-03 9:44 [PATCH 1/4] drm/amdgpu: fix a signedness bug in __verify_ras_table_checksum() Dan Carpenter
2021-07-03 9:44 ` [PATCH 2/4] drm/amdgpu: Fix signedness bug in __amdgpu_eeprom_xfer() Dan Carpenter
@ 2021-07-03 9:45 ` Dan Carpenter
2021-07-03 9:46 ` [PATCH 4/4] drm/amdgpu: return -EFAULT if copy_to_user() fails Dan Carpenter
2021-07-04 15:18 ` [PATCH 1/4] drm/amdgpu: fix a signedness bug in __verify_ras_table_checksum() Luben Tuikov
3 siblings, 0 replies; 6+ messages in thread
From: Dan Carpenter @ 2021-07-03 9:45 UTC (permalink / raw)
To: Alex Deucher, Luben Tuikov
Cc: Christian König, Pan, Xinhui, David Airlie, Daniel Vetter,
Hawking Zhang, Guchun Chen, John Clements, Dennis Li, amd-gfx,
dri-devel, kernel-janitors
This error path needs to unlock before returning. While we're at it,
the correct error code from copy_to_user() failure is -EFAULT, not
-EINVAL.
Fixes: 9b790694a031 (""drm/amdgpu: RAS EEPROM table is now in debugfs)
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
---
drivers/gpu/drm/amd/amdgpu/amdgpu_ras_eeprom.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_ras_eeprom.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_ras_eeprom.c
index f07a456506ef..3e33e85d8dbc 100644
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_ras_eeprom.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_ras_eeprom.c
@@ -821,7 +821,7 @@ static ssize_t amdgpu_ras_debugfs_table_read(struct file *f, char __user *buf,
struct amdgpu_ras *ras = amdgpu_ras_get_context(adev);
struct amdgpu_ras_eeprom_control *control = &ras->eeprom_control;
const size_t orig_size = size;
- int res = -EINVAL;
+ int res = -EFAULT;
size_t data_len;
mutex_lock(&control->ras_tbl_mutex);
@@ -912,8 +912,10 @@ static ssize_t amdgpu_ras_debugfs_table_read(struct file *f, char __user *buf,
record.retired_page);
data_len = min_t(size_t, rec_hdr_fmt_size - r, size);
- if (copy_to_user(buf, &data[r], data_len))
- return -EINVAL;
+ if (copy_to_user(buf, &data[r], data_len)) {
+ res = -EFAULT;
+ goto Out;
+ }
buf += data_len;
size -= data_len;
*pos += data_len;
--
2.30.2
^ permalink raw reply related [flat|nested] 6+ messages in thread
* [PATCH 4/4] drm/amdgpu: return -EFAULT if copy_to_user() fails
2021-07-03 9:44 [PATCH 1/4] drm/amdgpu: fix a signedness bug in __verify_ras_table_checksum() Dan Carpenter
2021-07-03 9:44 ` [PATCH 2/4] drm/amdgpu: Fix signedness bug in __amdgpu_eeprom_xfer() Dan Carpenter
2021-07-03 9:45 ` [PATCH 3/4] drm/amdgpu: unlock on error in amdgpu_ras_debugfs_table_read() Dan Carpenter
@ 2021-07-03 9:46 ` Dan Carpenter
2021-07-04 15:18 ` [PATCH 1/4] drm/amdgpu: fix a signedness bug in __verify_ras_table_checksum() Luben Tuikov
3 siblings, 0 replies; 6+ messages in thread
From: Dan Carpenter @ 2021-07-03 9:46 UTC (permalink / raw)
To: Alex Deucher, Luben Tuikov
Cc: Christian König, Pan, Xinhui, David Airlie, Daniel Vetter,
Hawking Zhang, Guchun Chen, John Clements, Dennis Li, amd-gfx,
dri-devel, kernel-janitors
If copy_to_user() fails then this should return -EFAULT instead of
-EINVAL.
Fixes: 9b790694a031 ("drm/amdgpu: RAS EEPROM table is now in debugfs")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
---
drivers/gpu/drm/amd/amdgpu/amdgpu_ras_eeprom.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_ras_eeprom.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_ras_eeprom.c
index 3e33e85d8dbc..d2e5b2567bc1 100644
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_ras_eeprom.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_ras_eeprom.c
@@ -771,7 +771,7 @@ amdgpu_ras_debugfs_eeprom_size_read(struct file *f, char __user *buf,
res = min_t(size_t, res, size);
if (copy_to_user(buf, &data[*pos], res))
- return -EINVAL;
+ return -EFAULT;
*pos += res;
@@ -950,7 +950,7 @@ amdgpu_ras_debugfs_eeprom_table_read(struct file *f, char __user *buf,
res = min_t(size_t, res, size);
if (copy_to_user(buf, &data[*pos], res))
- return -EINVAL;
+ return -EFAULT;
*pos += res;
--
2.30.2
^ permalink raw reply related [flat|nested] 6+ messages in thread
* Re: [PATCH 1/4] drm/amdgpu: fix a signedness bug in __verify_ras_table_checksum()
2021-07-03 9:44 [PATCH 1/4] drm/amdgpu: fix a signedness bug in __verify_ras_table_checksum() Dan Carpenter
` (2 preceding siblings ...)
2021-07-03 9:46 ` [PATCH 4/4] drm/amdgpu: return -EFAULT if copy_to_user() fails Dan Carpenter
@ 2021-07-04 15:18 ` Luben Tuikov
2021-07-06 0:52 ` Luben Tuikov
3 siblings, 1 reply; 6+ messages in thread
From: Luben Tuikov @ 2021-07-04 15:18 UTC (permalink / raw)
To: Dan Carpenter, Alex Deucher
Cc: Christian König, Pan, Xinhui, David Airlie, Daniel Vetter,
Hawking Zhang, Guchun Chen, John Clements, Dennis Li, amd-gfx,
dri-devel, kernel-janitors
Series is,
Reviewed-by: Luben Tuikov <luben.tuikov@amd.com>
Regards,
Luben
On 2021-07-03 5:44 a.m., Dan Carpenter wrote:
> If amdgpu_eeprom_read() returns a negative error code then the error
> handling checks:
>
> if (res < buf_size) {
>
> The problem is that "buf_size" is a u32 so negative values are type
> promoted to a high positive values and the condition is false. Fix
> this by changing the type of "buf_size" to int.
>
> Fixes: 79beb6114014 ("drm/amdgpu: Optimize EEPROM RAS table I/O")
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> ---
> It's hard for me to tell the exact upper bound that "buf_size" can be,
> but if it's over USHRT_MAX then we are well toasted.
>
> drivers/gpu/drm/amd/amdgpu/amdgpu_ras_eeprom.c | 3 +--
> 1 file changed, 1 insertion(+), 2 deletions(-)
>
> diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_ras_eeprom.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_ras_eeprom.c
> index fc70620369e4..f07a456506ef 100644
> --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_ras_eeprom.c
> +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_ras_eeprom.c
> @@ -978,9 +978,8 @@ const struct file_operations amdgpu_ras_debugfs_eeprom_table_ops = {
> static int __verify_ras_table_checksum(struct amdgpu_ras_eeprom_control *control)
> {
> struct amdgpu_device *adev = to_amdgpu_device(control);
> - int res;
> + int buf_size, res;
> u8 csum, *buf, *pp;
> - u32 buf_size;
>
> buf_size = RAS_TABLE_HEADER_SIZE +
> control->ras_num_recs * RAS_TABLE_RECORD_SIZE;
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH 1/4] drm/amdgpu: fix a signedness bug in __verify_ras_table_checksum()
2021-07-04 15:18 ` [PATCH 1/4] drm/amdgpu: fix a signedness bug in __verify_ras_table_checksum() Luben Tuikov
@ 2021-07-06 0:52 ` Luben Tuikov
0 siblings, 0 replies; 6+ messages in thread
From: Luben Tuikov @ 2021-07-06 0:52 UTC (permalink / raw)
To: Dan Carpenter, Alex Deucher
Cc: Christian König, Pan, Xinhui, David Airlie, Daniel Vetter,
Hawking Zhang, Guchun Chen, John Clements, Dennis Li, amd-gfx,
dri-devel, kernel-janitors
Alex,
I think we should pull these through amd-staging-drm-next.
Regards,
Luben
On 2021-07-04 11:18 a.m., Luben Tuikov wrote:
> Series is,
> Reviewed-by: Luben Tuikov <luben.tuikov@amd.com>
>
> Regards,
> Luben
>
> On 2021-07-03 5:44 a.m., Dan Carpenter wrote:
>> If amdgpu_eeprom_read() returns a negative error code then the error
>> handling checks:
>>
>> if (res < buf_size) {
>>
>> The problem is that "buf_size" is a u32 so negative values are type
>> promoted to a high positive values and the condition is false. Fix
>> this by changing the type of "buf_size" to int.
>>
>> Fixes: 79beb6114014 ("drm/amdgpu: Optimize EEPROM RAS table I/O")
>> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
>> ---
>> It's hard for me to tell the exact upper bound that "buf_size" can be,
>> but if it's over USHRT_MAX then we are well toasted.
>>
>> drivers/gpu/drm/amd/amdgpu/amdgpu_ras_eeprom.c | 3 +--
>> 1 file changed, 1 insertion(+), 2 deletions(-)
>>
>> diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_ras_eeprom.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_ras_eeprom.c
>> index fc70620369e4..f07a456506ef 100644
>> --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_ras_eeprom.c
>> +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_ras_eeprom.c
>> @@ -978,9 +978,8 @@ const struct file_operations amdgpu_ras_debugfs_eeprom_table_ops = {
>> static int __verify_ras_table_checksum(struct amdgpu_ras_eeprom_control *control)
>> {
>> struct amdgpu_device *adev = to_amdgpu_device(control);
>> - int res;
>> + int buf_size, res;
>> u8 csum, *buf, *pp;
>> - u32 buf_size;
>>
>> buf_size = RAS_TABLE_HEADER_SIZE +
>> control->ras_num_recs * RAS_TABLE_RECORD_SIZE;
^ permalink raw reply [flat|nested] 6+ messages in thread