From: Dan Carpenter <dan.carpenter@oracle.com>
To: kbuild@lists.01.org, Rob Clark <robdclark@chromium.org>
Cc: lkp@intel.com, kbuild-all@lists.01.org,
	linux-kernel@vger.kernel.org,
	"Kristian H. Kristensen" <hoegsberg@google.com>
Subject: drivers/gpu/drm/msm/msm_gem_submit.c:202 submit_lookup_cmds() warn: impossible condition '(sz == (~0)) => (0-u32max == u64max)'
Date: Mon, 1 Mar 2021 13:42:39 +0300
Message-ID: <20210301104239.GQ2087@kadam>


tree:   https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
head:   fe07bfda2fb9cdef8a4d4008a409bb02f35f1bd8
commit: 20224d715a882210428ea62bba93f1bc4a0afe23 drm/msm/submit: Move copy_from_user ahead of locking bos
config: arm64-randconfig-m031-20210301 (attached as .config)
compiler: aarch64-linux-gcc (GCC) 9.3.0

If you fix the issue, kindly add following tag as appropriate
Reported-by: kernel test robot <lkp@intel.com>
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>

smatch warnings:
drivers/gpu/drm/msm/msm_gem_submit.c:202 submit_lookup_cmds() warn: impossible condition '(sz == (~0)) => (0-u32max == u64max)'

vim +202 drivers/gpu/drm/msm/msm_gem_submit.c

20224d715a8822 Rob Clark 2020-10-23  158  static int submit_lookup_cmds(struct msm_gem_submit *submit,
20224d715a8822 Rob Clark 2020-10-23  159  		struct drm_msm_gem_submit *args, struct drm_file *file)
20224d715a8822 Rob Clark 2020-10-23  160  {
20224d715a8822 Rob Clark 2020-10-23  161  	unsigned i, sz;
20224d715a8822 Rob Clark 2020-10-23  162  	int ret = 0;
20224d715a8822 Rob Clark 2020-10-23  163  
20224d715a8822 Rob Clark 2020-10-23  164  	for (i = 0; i < args->nr_cmds; i++) {
20224d715a8822 Rob Clark 2020-10-23  165  		struct drm_msm_gem_submit_cmd submit_cmd;
20224d715a8822 Rob Clark 2020-10-23  166  		void __user *userptr =
20224d715a8822 Rob Clark 2020-10-23  167  			u64_to_user_ptr(args->cmds + (i * sizeof(submit_cmd)));
20224d715a8822 Rob Clark 2020-10-23  168  
20224d715a8822 Rob Clark 2020-10-23  169  		ret = copy_from_user(&submit_cmd, userptr, sizeof(submit_cmd));
20224d715a8822 Rob Clark 2020-10-23  170  		if (ret) {
20224d715a8822 Rob Clark 2020-10-23  171  			ret = -EFAULT;
20224d715a8822 Rob Clark 2020-10-23  172  			goto out;
20224d715a8822 Rob Clark 2020-10-23  173  		}
20224d715a8822 Rob Clark 2020-10-23  174  
20224d715a8822 Rob Clark 2020-10-23  175  		/* validate input from userspace: */
20224d715a8822 Rob Clark 2020-10-23  176  		switch (submit_cmd.type) {
20224d715a8822 Rob Clark 2020-10-23  177  		case MSM_SUBMIT_CMD_BUF:
20224d715a8822 Rob Clark 2020-10-23  178  		case MSM_SUBMIT_CMD_IB_TARGET_BUF:
20224d715a8822 Rob Clark 2020-10-23  179  		case MSM_SUBMIT_CMD_CTX_RESTORE_BUF:
20224d715a8822 Rob Clark 2020-10-23  180  			break;
20224d715a8822 Rob Clark 2020-10-23  181  		default:
20224d715a8822 Rob Clark 2020-10-23  182  			DRM_ERROR("invalid type: %08x\n", submit_cmd.type);
20224d715a8822 Rob Clark 2020-10-23  183  			return -EINVAL;
20224d715a8822 Rob Clark 2020-10-23  184  		}
20224d715a8822 Rob Clark 2020-10-23  185  
20224d715a8822 Rob Clark 2020-10-23  186  		if (submit_cmd.size % 4) {
20224d715a8822 Rob Clark 2020-10-23  187  			DRM_ERROR("non-aligned cmdstream buffer size: %u\n",
20224d715a8822 Rob Clark 2020-10-23  188  					submit_cmd.size);
20224d715a8822 Rob Clark 2020-10-23  189  			ret = -EINVAL;
20224d715a8822 Rob Clark 2020-10-23  190  			goto out;
20224d715a8822 Rob Clark 2020-10-23  191  		}
20224d715a8822 Rob Clark 2020-10-23  192  
20224d715a8822 Rob Clark 2020-10-23  193  		submit->cmd[i].type = submit_cmd.type;
20224d715a8822 Rob Clark 2020-10-23  194  		submit->cmd[i].size = submit_cmd.size / 4;
20224d715a8822 Rob Clark 2020-10-23  195  		submit->cmd[i].offset = submit_cmd.submit_offset / 4;
20224d715a8822 Rob Clark 2020-10-23  196  		submit->cmd[i].idx  = submit_cmd.submit_idx;
20224d715a8822 Rob Clark 2020-10-23  197  		submit->cmd[i].nr_relocs = submit_cmd.nr_relocs;
20224d715a8822 Rob Clark 2020-10-23  198  
20224d715a8822 Rob Clark 2020-10-23  199  		sz = array_size(submit_cmd.nr_relocs,
20224d715a8822 Rob Clark 2020-10-23  200  				sizeof(struct drm_msm_gem_submit_reloc));
20224d715a8822 Rob Clark 2020-10-23  201  		/* check for overflow: */
20224d715a8822 Rob Clark 2020-10-23 @202  		if (sz == SIZE_MAX) {
                                                            ^^^^^^^^^^^^^^
"sz" is a u32 so it can't equal ULONG_MAX on 64 bit systems.  I would
just leave this check out and let kmalloc() fail with a splat.

20224d715a8822 Rob Clark 2020-10-23  203  			ret = -ENOMEM;
20224d715a8822 Rob Clark 2020-10-23  204  			goto out;
20224d715a8822 Rob Clark 2020-10-23  205  		}
20224d715a8822 Rob Clark 2020-10-23  206  		submit->cmd[i].relocs = kmalloc(sz, GFP_KERNEL);
20224d715a8822 Rob Clark 2020-10-23  207  		ret = copy_from_user(submit->cmd[i].relocs, userptr, sz);
20224d715a8822 Rob Clark 2020-10-23  208  		if (ret) {
20224d715a8822 Rob Clark 2020-10-23  209  			ret = -EFAULT;
20224d715a8822 Rob Clark 2020-10-23  210  			goto out;
20224d715a8822 Rob Clark 2020-10-23  211  		}

The zero day bot will probably send you an email suggesting memdup_user()
here:

	tmp = memdup_user(userptr, sz);
	if (IS_ERR(tmp)) {
		ret = PTR_ERR(tmp);
		goto out;
	}
	submit->cmd[i].relocs = tmp;

20224d715a8822 Rob Clark 2020-10-23  212  	}
20224d715a8822 Rob Clark 2020-10-23  213  
20224d715a8822 Rob Clark 2020-10-23  214  out:
20224d715a8822 Rob Clark 2020-10-23  215  	return ret;
20224d715a8822 Rob Clark 2020-10-23  216  }

---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all@lists.01.org
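
Added example (not part of the original message or the kernel source): a userspace model of the flagged pattern, showing why a saturating size multiply stops signalling overflow once its result is stored in a 32-bit variable. model_array_size() is a hypothetical stand-in for array_size(), with uint64_t playing the role of size_t on a 64-bit target; the inputs are constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* Model of a saturating size multiply on a 64-bit target (stand-in for
 * array_size(); uint64_t plays the role of size_t). */
static uint64_t model_array_size(uint64_t n, uint64_t elem)
{
	uint64_t bytes;

	if (__builtin_mul_overflow(n, elem, &bytes))
		return UINT64_MAX;	/* saturate, as SIZE_MAX would */
	return bytes;
}

/* The overflow test itself: is this value the saturation marker? */
static int is_overflow_marker(uint64_t v)
{
	return v == UINT64_MAX;
}

/* Flagged pattern: the result is narrowed to 32 bits before the check.
 * Returns 1 if the check fires; *seen is the size the caller ends up with. */
static int check_narrow(uint64_t n, uint64_t elem, uint64_t *seen)
{
	uint32_t sz = (uint32_t)model_array_size(n, elem);

	*seen = sz;
	return is_overflow_marker(sz);	/* 0xffffffff is never the marker */
}

/* Same check with the size kept at full width. */
static int check_wide(uint64_t n, uint64_t elem, uint64_t *seen)
{
	uint64_t sz = model_array_size(n, elem);

	*seen = sz;
	return is_overflow_marker(sz);
}

int main(void)
{
	uint64_t seen;
	int fired;

	/* Constructed inputs: count and element size that overflow 64 bits. */
	fired = check_narrow(UINT64_MAX, 2, &seen);
	printf("narrow: fired=%d sz=%#llx\n", fired, (unsigned long long)seen);
	fired = check_wide(UINT64_MAX, 2, &seen);
	printf("wide:   fired=%d sz=%#llx\n", fired, (unsigned long long)seen);
	return 0;
}
```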
