From: bugzilla-daemon@bugzilla.kernel.org
To: dri-devel@lists.freedesktop.org
Subject: [Bug 188621] New: Function kfd_wait_on_events() does not set error code when the call to copy_from_user() fails
Date: Fri, 25 Nov 2016 10:42:36 +0000 [thread overview]
Message-ID: <bug-188621-2300@https.bugzilla.kernel.org/> (raw)
https://bugzilla.kernel.org/show_bug.cgi?id=188621
Bug ID: 188621
Summary: Function kfd_wait_on_events() does not set error code
when the call to copy_from_user() fails
Product: Drivers
Version: 2.5
Kernel Version: linux-4.9-rc6
Hardware: All
OS: Linux
Tree: Mainline
Status: NEW
Severity: normal
Priority: P1
Component: Video(DRI - non Intel)
Assignee: drivers_video-dri@kernel-bugs.osdl.org
Reporter: bianpan2010@ruc.edu.cn
Regression: No
The return value of copy_from_user() indicates the number of bytes that cannot
be copied, and there may be something wrong when the value is non-zero. In
function kfd_wait_on_events() defined in file
drivers/gpu/drm/amd/amdkfd/kfd_events.c, variable ret takes the error code. At
line 743, the value of ret must be 0, and thus it will return 0 when
copy_from_user() fails. 0 indicates there is no error, which is contrary to the
fact. Maybe it is better to assign "-EFAULT" to ret when the check of the
return value of copy_from_user() fails at line 741. Codes related to this bug
are summarised as follows.
kfd_wait_on_events @@ drivers/gpu/drm/amd/amdkfd/kfd_events.c
718 int kfd_wait_on_events(struct kfd_process *p,
719 uint32_t num_events, void __user *data,
720 bool all, uint32_t user_timeout_ms,
721 enum kfd_event_wait_result *wait_result)
722 {
...
726 int ret = 0;
...
730 mutex_lock(&p->event_mutex);
731
732 event_waiters = alloc_event_waiters(num_events);
733 if (!event_waiters) {
734 ret = -ENOMEM;
735 goto fail;
736 }
737
738 for (i = 0; i < num_events; i++) {
739 struct kfd_event_data event_data;
740
741 if (copy_from_user(&event_data, &events[i],
742 sizeof(struct kfd_event_data)))
743 goto fail; // insert "ret = -EFAULT;" before this jump
instruction?
744
745 ret = init_event_waiter(p, &event_waiters[i],
746 event_data.event_id, i);
747 if (ret)
748 goto fail;
749 }
...
796 fail:
797 if (event_waiters)
798 free_waiters(num_events, event_waiters);
799
800 mutex_unlock(&p->event_mutex);
801
802 *wait_result = KFD_WAIT_ERROR;
803
804 return ret;
805 }
Thanks very much!
--
You are receiving this mail because:
You are watching the assignee of the bug.
_______________________________________________
dri-devel mailing list
dri-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/dri-devel
next reply other threads:[~2016-11-25 10:42 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-11-25 10:42 bugzilla-daemon [this message]
2016-11-25 11:53 ` [Bug 188621] Function kfd_wait_on_events() does not set error code when the call to copy_from_user() fails bugzilla-daemon
2016-12-01 8:22 ` bugzilla-daemon
2016-12-01 8:36 ` bugzilla-daemon
2017-01-16 15:40 ` bugzilla-daemon
2017-05-11 9:33 ` bugzilla-daemon
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=bug-188621-2300@https.bugzilla.kernel.org/ \
--to=bugzilla-daemon@bugzilla.kernel.org \
--cc=dri-devel@lists.freedesktop.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.