From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <SRS0=LXHu=GH=lists.infradead.org=linux-arm-kernel-bounces+linux-arm-kernel=archiver.kernel.org@kernel.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-15.5 required=3.0 tests=BAYES_00,DKIMWL_WL_HIGH,
	DKIM_SIGNED,DKIM_VALID,HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_CR_TRAILER,
	INCLUDES_PATCH,MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,UNPARSEABLE_RELAY,
	URIBL_BLOCKED,USER_AGENT_SANE_1 autolearn=ham autolearn_force=no version=3.4.0
Received: from mail.kernel.org (mail.kernel.org [198.145.29.99])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 7D9CBC433E0
	for <linux-arm-kernel@archiver.kernel.org>; Mon,  4 Jan 2021 18:33:47 +0000 (UTC)
Received: from merlin.infradead.org (merlin.infradead.org [205.233.59.134])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by mail.kernel.org (Postfix) with ESMTPS id 436F522209
	for <linux-arm-kernel@archiver.kernel.org>; Mon,  4 Jan 2021 18:33:47 +0000 (UTC)
DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 436F522209
Authentication-Results: mail.kernel.org; dmarc=fail (p=none dis=none) header.from=oracle.com
Authentication-Results: mail.kernel.org; spf=none smtp.mailfrom=linux-arm-kernel-bounces+linux-arm-kernel=archiver.kernel.org@lists.infradead.org
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
	d=lists.infradead.org; s=merlin.20170209; h=Sender:Content-Transfer-Encoding:
	Content-Type:Cc:List-Subscribe:List-Help:List-Post:List-Archive:
	List-Unsubscribe:List-Id:In-Reply-To:MIME-Version:References:Message-ID:
	Subject:To:From:Date:Reply-To:Content-ID:Content-Description:Resent-Date:
	Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Owner;
	 bh=n2sz7X21ADXt89vzMiWpvv7LizTQ+eJpxEXNGBhARto=; b=tSBFcWpiVZoUpbwO3T6+vDu8k
	Ge4wSELzWh/u0iiM3vfxNuvwfYZMcbzerwwZ6wtj/Y23u86S8/SucNq3tWipoU4knAajL1im4qSxW
	5ex8QVbF9ux79xIxvrMbEsUhbzJIo9igyNxYHrZa+sQTnqSAGLasPiBD+oF4K26khrXLGqjPQ+VEH
	yxBMsQzJZxfoEumsP7wsaM5533bjKuIFUdAK0zHz6fsJdC6Qq5cx1BCb4fyaLw9rqbUjsWNyILUFA
	8xLSdf5Aj4scMXTuDcb+u8qPmNkG4ImlgRmIoAmpg/cVc6LxqEc3/8+IVtgvC80eJKjdfTI3Lqgnd
	G5TDrU/1Q==;
Received: from localhost ([::1] helo=merlin.infradead.org)
	by merlin.infradead.org with esmtp (Exim 4.92.3 #3 (Red Hat Linux))
	id 1kwUeM-0006gP-NR; Mon, 04 Jan 2021 18:32:14 +0000
Received: from aserp2120.oracle.com ([141.146.126.78])
 by merlin.infradead.org with esmtps (Exim 4.92.3 #3 (Red Hat Linux))
 id 1kwUeH-0006d5-Uk; Mon, 04 Jan 2021 18:32:10 +0000
Received: from pps.filterd (aserp2120.oracle.com [127.0.0.1])
 by aserp2120.oracle.com (8.16.0.42/8.16.0.42) with SMTP id 104IP40J091150;
 Mon, 4 Jan 2021 18:31:54 GMT
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.com;
 h=date : from : to : cc
 : subject : message-id : references : mime-version : content-type :
 in-reply-to; s=corp-2020-01-29;
 bh=j7wrXXfTWvb/vcEaKzZG1GxLgg27D7M9T8jXvFJETlU=;
 b=gSvLwbI0DklVr5TXE57mfhkJjbNLhXcRwNCB0doH58UFVsUQoHafndGp+OYPoUOVeW+5
 K2pTOIsR4hjynTSPIn+e9JFFnasuMoTJNE2F1sJTxYM8P5Cqjx/WIPyurfPapHBhwNH/
 OLLTrpOyaMIB0MLGuAMyM6ostY/IXXZspKZWU32NII8h6DuajqyM4pHtTm/xWCwwaNQs
 gjVdZCa7KZUTwacdxUfnlcEpGB0GHr8p/nFSr4LpKGzZVvjfis8a50xbbh+X13Yyjqfv
 Cv7VXdKikgjkYzo+Ere96Z/y2fX5vK2vbE9tOVmdtl/ud3dHR84yZejjHdu7CekRBVFI FQ== 
Received: from userp3030.oracle.com (userp3030.oracle.com [156.151.31.80])
 by aserp2120.oracle.com with ESMTP id 35tgsknke1-1
 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=FAIL);
 Mon, 04 Jan 2021 18:31:54 +0000
Received: from pps.filterd (userp3030.oracle.com [127.0.0.1])
 by userp3030.oracle.com (8.16.0.42/8.16.0.42) with SMTP id 104IPWE2029694;
 Mon, 4 Jan 2021 18:31:53 GMT
Received: from aserv0122.oracle.com (aserv0122.oracle.com [141.146.126.236])
 by userp3030.oracle.com with ESMTP id 35v2axha1t-1
 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK);
 Mon, 04 Jan 2021 18:31:53 +0000
Received: from abhmp0013.oracle.com (abhmp0013.oracle.com [141.146.116.19])
 by aserv0122.oracle.com (8.14.4/8.14.4) with ESMTP id 104IVpeQ023945;
 Mon, 4 Jan 2021 18:31:51 GMT
Received: from kadam (/102.36.221.92) by default (Oracle Beehive Gateway v4.0)
 with ESMTP ; Mon, 04 Jan 2021 18:31:50 +0000
Date: Mon, 4 Jan 2021 21:31:34 +0300
From: Dan Carpenter <dan.carpenter@oracle.com>
To: Phil Elwell <phil@raspberrypi.com>
Subject: Re: [PATCH 1/2] staging: vchiq: Fix bulk userdata handling
Message-ID: <20210104183134.GV2809@kadam>
References: <20210104120929.294063-1-phil@raspberrypi.com>
 <20210104120929.294063-2-phil@raspberrypi.com>
MIME-Version: 1.0
Content-Disposition: inline
In-Reply-To: <20210104120929.294063-2-phil@raspberrypi.com>
User-Agent: Mutt/1.9.4 (2018-02-28)
X-Proofpoint-Virus-Version: vendor=nai engine=6000 definitions=9854
 signatures=668683
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 mlxlogscore=999
 phishscore=0
 suspectscore=0 spamscore=0 malwarescore=0 adultscore=0 bulkscore=0
 mlxscore=0 classifier=spam adjust=0 reason=mlx scancount=1
 engine=8.12.0-2009150000 definitions=main-2101040119
X-Proofpoint-Virus-Version: vendor=nai engine=6000 definitions=9854
 signatures=668683
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 mlxscore=0
 spamscore=0 malwarescore=0
 phishscore=0 impostorscore=0 bulkscore=0 clxscore=1011 priorityscore=1501
 lowpriorityscore=0 adultscore=0 suspectscore=0 mlxlogscore=999
 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2009150000
 definitions=main-2101040119
X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 
X-CRM114-CacheID: sfid-20210104_133210_132046_FC4EA975 
X-CRM114-Status: GOOD (  25.45  )
X-BeenThere: linux-arm-kernel@lists.infradead.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <linux-arm-kernel.lists.infradead.org>
List-Unsubscribe: <http://lists.infradead.org/mailman/options/linux-arm-kernel>, 
 <mailto:linux-arm-kernel-request@lists.infradead.org?subject=unsubscribe>
List-Archive: <http://lists.infradead.org/pipermail/linux-arm-kernel/>
List-Post: <mailto:linux-arm-kernel@lists.infradead.org>
List-Help: <mailto:linux-arm-kernel-request@lists.infradead.org?subject=help>
List-Subscribe: <http://lists.infradead.org/mailman/listinfo/linux-arm-kernel>, 
 <mailto:linux-arm-kernel-request@lists.infradead.org?subject=subscribe>
Cc: devel@driverdev.osuosl.org, Arnd Bergmann <arnd@arndb.de>,
 Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
 bcm-kernel-feedback-list@broadcom.com,
 Nicolas Saenz Julienne <nsaenzjulienne@suse.de>,
 linux-arm-kernel@lists.infradead.org, linux-rpi-kernel@lists.infradead.org
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: "linux-arm-kernel" <linux-arm-kernel-bounces@lists.infradead.org>
Errors-To: linux-arm-kernel-bounces+linux-arm-kernel=archiver.kernel.org@lists.infradead.org

On Mon, Jan 04, 2021 at 12:09:27PM +0000, Phil Elwell wrote:
> The addition of the local 'userdata' pointer to
> vchiq_irq_queue_bulk_tx_rx omitted the case where neither BLOCKING nor
> WAITING modes are used, in which case the value provided by the
> caller is replaced with a NULL.
> 
> Fixes: 4184da4f316a ("staging: vchiq: fix __user annotations")
> 
> Signed-off-by: Phil Elwell <phil@raspberrypi.com>
> ---
>  drivers/staging/vc04_services/interface/vchiq_arm/vchiq_arm.c | 4 +++-
>  1 file changed, 3 insertions(+), 1 deletion(-)
> 
> diff --git a/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_arm.c b/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_arm.c
> index f500a7043805..2a8883673ba1 100644
> --- a/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_arm.c
> +++ b/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_arm.c
> @@ -958,7 +958,7 @@ static int vchiq_irq_queue_bulk_tx_rx(struct vchiq_instance *instance,
>  	struct vchiq_service *service;
>  	struct bulk_waiter_node *waiter = NULL;
>  	bool found = false;
> -	void *userdata = NULL;
> +	void *userdata;
>  	int status = 0;
>  	int ret;
>  
> @@ -997,6 +997,8 @@ static int vchiq_irq_queue_bulk_tx_rx(struct vchiq_instance *instance,
>  			"found bulk_waiter %pK for pid %d", waiter,
>  			current->pid);
>  		userdata = &waiter->bulk_waiter;
> +	} else {
> +		userdata = args->userdata;

"args->userdata" is marked as a user pointer so we really don't want to
mix user and kernel pointers here.  Presumably this opens up a large
security hole.

regards,
dan carpenter


_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel