[bug report] drm/i915: Engine discovery query

From: Dan Carpenter <dan.carpenter@oracle.com>
To: tvrtko.ursulin@intel.com
Cc: intel-gfx@lists.freedesktop.org
Subject: [bug report] drm/i915: Engine discovery query
Date: Wed, 29 May 2019 14:52:43 +0300	[thread overview]
Message-ID: <20190529115243.GA22431@mwanda> (raw)

Hello Tvrtko Ursulin,

The patch c5d3e39caa45: "drm/i915: Engine discovery query" from May
22, 2019, leads to the following static checker warning:

	drivers/gpu/drm/i915/i915_query.c:134 query_engine_info()
	warn: calling '__copy_to_user()' without access_ok()

drivers/gpu/drm/i915/i915_query.c
    97  query_engine_info(struct drm_i915_private *i915,
    98                    struct drm_i915_query_item *query_item)
    99  {
   100          struct drm_i915_query_engine_info __user *query_ptr =
   101                                  u64_to_user_ptr(query_item->data_ptr);

query_item->data_ptr comes from the ioctl and hasn't been checked.

   102          struct drm_i915_engine_info __user *info_ptr;
   103          struct drm_i915_query_engine_info query;
   104          struct drm_i915_engine_info info = { };
   105          struct intel_engine_cs *engine;
   106          enum intel_engine_id id;
   107          int len, ret;
   108  
   109          if (query_item->flags)
   110                  return -EINVAL;
   111  
   112          len = sizeof(struct drm_i915_query_engine_info) +
   113                RUNTIME_INFO(i915)->num_engines *
   114                sizeof(struct drm_i915_engine_info);
   115  
   116          ret = copy_query_item(&query, sizeof(query), len, query_item);
   117          if (ret != 0)
   118                  return ret;
   119  
   120          if (query.num_engines || query.rsvd[0] || query.rsvd[1] ||
   121              query.rsvd[2])
   122                  return -EINVAL;
   123  
   124          info_ptr = &query_ptr->engines[0];
   125  
   126          for_each_engine(engine, i915, id) {
   127                  info.engine.engine_class = engine->uabi_class;
   128                  info.engine.engine_instance = engine->instance;
   129                  info.capabilities = engine->uabi_capabilities;
   130  
   131                  if (__copy_to_user(info_ptr, &info, sizeof(info)))
                            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
   132                          return -EFAULT;
   133  
   134                  query.num_engines++;
   135                  info_ptr++;
   136          }
   137  
   138          if (__copy_to_user(query_ptr, &query, sizeof(query)))
                    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
I do think that these should be regular copy_to_user().

   139                  return -EFAULT;
   140  
   141          return len;

regards,
dan carpenter
_______________________________________________
Intel-gfx mailing list
Intel-gfx@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/intel-gfx