[bug report] drm/i915: Engine discovery query

[bug report] drm/i915: Engine discovery query

[Dan Carpenter]

Hello Tvrtko Ursulin,

The patch c5d3e39caa45: "drm/i915: Engine discovery query" from May
22, 2019, leads to the following static checker warning:

	drivers/gpu/drm/i915/i915_query.c:134 query_engine_info()
	warn: calling '__copy_to_user()' without access_ok()

drivers/gpu/drm/i915/i915_query.c
    97  query_engine_info(struct drm_i915_private *i915,
    98                    struct drm_i915_query_item *query_item)
    99  {
   100          struct drm_i915_query_engine_info __user *query_ptr =
   101                                  u64_to_user_ptr(query_item->data_ptr);

query_item->data_ptr comes from the ioctl and hasn't been checked.

   102          struct drm_i915_engine_info __user *info_ptr;
   103          struct drm_i915_query_engine_info query;
   104          struct drm_i915_engine_info info = { };
   105          struct intel_engine_cs *engine;
   106          enum intel_engine_id id;
   107          int len, ret;
   108  
   109          if (query_item->flags)
   110                  return -EINVAL;
   111  
   112          len = sizeof(struct drm_i915_query_engine_info) +
   113                RUNTIME_INFO(i915)->num_engines *
   114                sizeof(struct drm_i915_engine_info);
   115  
   116          ret = copy_query_item(&query, sizeof(query), len, query_item);
   117          if (ret != 0)
   118                  return ret;
   119  
   120          if (query.num_engines || query.rsvd[0] || query.rsvd[1] ||
   121              query.rsvd[2])
   122                  return -EINVAL;
   123  
   124          info_ptr = &query_ptr->engines[0];
   125  
   126          for_each_engine(engine, i915, id) {
   127                  info.engine.engine_class = engine->uabi_class;
   128                  info.engine.engine_instance = engine->instance;
   129                  info.capabilities = engine->uabi_capabilities;
   130  
   131                  if (__copy_to_user(info_ptr, &info, sizeof(info)))
                            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
   132                          return -EFAULT;
   133  
   134                  query.num_engines++;
   135                  info_ptr++;
   136          }
   137  
   138          if (__copy_to_user(query_ptr, &query, sizeof(query)))
                    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
I do think that these should be regular copy_to_user().


   139                  return -EFAULT;
   140  
   141          return len;

regards,
dan carpenter
_______________________________________________
Intel-gfx mailing list
Intel-gfx@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/intel-gfx

Re: [bug report] drm/i915: Engine discovery query

[Chris Wilson]

Quoting Dan Carpenter (2019-05-29 12:52:43)
> Hello Tvrtko Ursulin,
> 
> The patch c5d3e39caa45: "drm/i915: Engine discovery query" from May
> 22, 2019, leads to the following static checker warning:
> 
>         drivers/gpu/drm/i915/i915_query.c:134 query_engine_info()
>         warn: calling '__copy_to_user()' without access_ok()
> 
> drivers/gpu/drm/i915/i915_query.c
>     97  query_engine_info(struct drm_i915_private *i915,
>     98                    struct drm_i915_query_item *query_item)
>     99  {
>    100          struct drm_i915_query_engine_info __user *query_ptr =
>    101                                  u64_to_user_ptr(query_item->data_ptr);
> 
> query_item->data_ptr comes from the ioctl and hasn't been checked.

copy_query_items() does the access_ok() check for the data portion after
the header.
-Chris
_______________________________________________
Intel-gfx mailing list
Intel-gfx@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/intel-gfx

Re: [bug report] drm/i915: Engine discovery query

[Dan Carpenter]

On Wed, May 29, 2019 at 01:08:59PM +0100, Chris Wilson wrote:
> Quoting Dan Carpenter (2019-05-29 12:52:43)
> > Hello Tvrtko Ursulin,
> > 
> > The patch c5d3e39caa45: "drm/i915: Engine discovery query" from May
> > 22, 2019, leads to the following static checker warning:
> > 
> >         drivers/gpu/drm/i915/i915_query.c:134 query_engine_info()
> >         warn: calling '__copy_to_user()' without access_ok()
> > 
> > drivers/gpu/drm/i915/i915_query.c
> >     97  query_engine_info(struct drm_i915_private *i915,
> >     98                    struct drm_i915_query_item *query_item)
> >     99  {
> >    100          struct drm_i915_query_engine_info __user *query_ptr =
> >    101                                  u64_to_user_ptr(query_item->data_ptr);
> > 
> > query_item->data_ptr comes from the ioctl and hasn't been checked.
> 
> copy_query_items() does the access_ok() check for the data portion after
> the header.

Ah yeah.  You're right.  Thanks!

regards,
dan carpenter

_______________________________________________
Intel-gfx mailing list
Intel-gfx@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/intel-gfx