lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <CAB0kiBKeBwHNm1B7RCYTK1KTUrWS4=NzTdLRV6sdDH1wqCFJHQ@mail.gmail.com>
Date: Sat, 17 Aug 2024 10:24:21 -0400
From: Chris Wulff <crwulff@...il.com>
To: Dan Carpenter <dan.carpenter@...aro.org>
Cc: oe-kbuild@...ts.linux.dev, linux-usb@...r.kernel.org, lkp@...el.com, 
	oe-kbuild-all@...ts.linux.dev, 
	Greg Kroah-Hartman <gregkh@...uxfoundation.org>, Konstantin Aladyshev <aladyshev22@...il.com>, 
	David Sands <david.sands@...mp.com>, Jeff Johnson <quic_jjohnson@...cinc.com>, 
	Christophe JAILLET <christophe.jaillet@...adoo.fr>, linux-kernel@...r.kernel.org, 
	Chris Wulff <Chris.Wulff@...mp.com>
Subject: Re: [PATCH v4] USB: gadget: f_hid: Add GET_REPORT via userspace IOCTL

On Sat, Aug 17, 2024 at 2:49 AM Dan Carpenter <dan.carpenter@...aro.org> wrote:
>
> Hi,
>
> kernel test robot noticed the following build warnings:
>
> https://git-scm.com/docs/git-format-patch#_base_tree_information]
>
> url:    https://github.com/intel-lab-lkp/linux/commits/crwulff-gmail-com/USB-gadget-f_hid-Add-GET_REPORT-via-userspace-IOCTL/20240814-225520
> base:   https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing
> patch link:    https://lore.kernel.org/r/20240814125525.3917130-2-crwulff%40gmail.com
> patch subject: [PATCH v4] USB: gadget: f_hid: Add GET_REPORT via userspace IOCTL
> config: x86_64-randconfig-161-20240817 (https://download.01.org/0day-ci/archive/20240817/202408171146.0RjWnTq8-lkp@intel.com/config)
> compiler: clang version 18.1.5 (https://github.com/llvm/llvm-project 617a15a9eac96088ae5e9134248d8236e34b91b1)
>
> If you fix the issue in a separate patch/commit (i.e. not just a new version of
> the same patch/commit), kindly add following tags
> | Reported-by: kernel test robot <lkp@...el.com>
> | Reported-by: Dan Carpenter <dan.carpenter@...aro.org>
> | Closes: https://lore.kernel.org/r/202408171146.0RjWnTq8-lkp@intel.com/
>
> smatch warnings:
> drivers/usb/gadget/function/f_hid.c:705 f_hidg_get_report() warn: inconsistent returns '&hidg->get_report_spinlock'.
> drivers/usb/gadget/function/f_hid.c:705 f_hidg_get_report() warn: inconsistent returns 'flags'.
>
> vim +705 drivers/usb/gadget/function/f_hid.c
>
> fce51fb916013b Chris Wulff 2024-08-14  653  static int f_hidg_get_report(struct file *file, struct usb_hidg_report __user *buffer)
> fce51fb916013b Chris Wulff 2024-08-14  654  {
> fce51fb916013b Chris Wulff 2024-08-14  655      struct f_hidg                   *hidg = file->private_data;
> fce51fb916013b Chris Wulff 2024-08-14  656      struct usb_composite_dev        *cdev = hidg->func.config->cdev;
> fce51fb916013b Chris Wulff 2024-08-14  657      unsigned long   flags;
> fce51fb916013b Chris Wulff 2024-08-14  658      struct report_entry *entry;
> fce51fb916013b Chris Wulff 2024-08-14  659      struct report_entry *ptr;
> fce51fb916013b Chris Wulff 2024-08-14  660      __u8 report_id;
> fce51fb916013b Chris Wulff 2024-08-14  661
> fce51fb916013b Chris Wulff 2024-08-14  662      entry = kmalloc(sizeof(*entry), GFP_KERNEL);
> fce51fb916013b Chris Wulff 2024-08-14  663      if (!entry)
> fce51fb916013b Chris Wulff 2024-08-14  664              return -ENOMEM;
> fce51fb916013b Chris Wulff 2024-08-14  665
> fce51fb916013b Chris Wulff 2024-08-14  666      if (copy_from_user(&entry->report_data, buffer,
> fce51fb916013b Chris Wulff 2024-08-14  667                              sizeof(struct usb_hidg_report))) {
> fce51fb916013b Chris Wulff 2024-08-14  668              ERROR(cdev, "copy_from_user error\n");
> fce51fb916013b Chris Wulff 2024-08-14  669              kfree(entry);
> fce51fb916013b Chris Wulff 2024-08-14  670              return -EINVAL;
> fce51fb916013b Chris Wulff 2024-08-14  671      }
> fce51fb916013b Chris Wulff 2024-08-14  672
> fce51fb916013b Chris Wulff 2024-08-14  673      report_id = entry->report_data.report_id;
> fce51fb916013b Chris Wulff 2024-08-14  674
> fce51fb916013b Chris Wulff 2024-08-14  675      spin_lock_irqsave(&hidg->get_report_spinlock, flags);
> fce51fb916013b Chris Wulff 2024-08-14  676      ptr = f_hidg_search_for_report(hidg, report_id);
> fce51fb916013b Chris Wulff 2024-08-14  677
> fce51fb916013b Chris Wulff 2024-08-14  678      if (ptr) {
> fce51fb916013b Chris Wulff 2024-08-14  679              /* Report already exists in list - update it */
> fce51fb916013b Chris Wulff 2024-08-14  680              if (copy_from_user(&ptr->report_data, buffer,
> fce51fb916013b Chris Wulff 2024-08-14  681                              sizeof(struct usb_hidg_report))) {
> fce51fb916013b Chris Wulff 2024-08-14  682                      ERROR(cdev, "copy_from_user error\n");
> fce51fb916013b Chris Wulff 2024-08-14  683                      kfree(entry);
> fce51fb916013b Chris Wulff 2024-08-14  684                      return -EINVAL;
>
> spin_unlock_irqrestore(&hidg->get_report_spinlock, flags);

This does appear to be legitimate. I will make sure the spinlock is
released on that error path and post a new version.

>
> fce51fb916013b Chris Wulff 2024-08-14  685              }
> fce51fb916013b Chris Wulff 2024-08-14  686              kfree(entry);
> fce51fb916013b Chris Wulff 2024-08-14  687      } else {
> fce51fb916013b Chris Wulff 2024-08-14  688              /* Report does not exist in list - add it */
> fce51fb916013b Chris Wulff 2024-08-14  689              list_add_tail(&entry->node, &hidg->report_list);
> fce51fb916013b Chris Wulff 2024-08-14  690      }
> fce51fb916013b Chris Wulff 2024-08-14  691
> fce51fb916013b Chris Wulff 2024-08-14  692      /* If there is no response pending then do nothing further */
> fce51fb916013b Chris Wulff 2024-08-14  693      if (hidg->get_report_returned) {
> fce51fb916013b Chris Wulff 2024-08-14  694              spin_unlock_irqrestore(&hidg->get_report_spinlock, flags);
> fce51fb916013b Chris Wulff 2024-08-14  695              return 0;
> fce51fb916013b Chris Wulff 2024-08-14  696      }
> fce51fb916013b Chris Wulff 2024-08-14  697
> fce51fb916013b Chris Wulff 2024-08-14  698      /* If this userspace response serves the current pending report */
> fce51fb916013b Chris Wulff 2024-08-14  699      if (hidg->get_report_req_report_id == report_id) {
> fce51fb916013b Chris Wulff 2024-08-14  700              hidg->get_report_returned = true;
> fce51fb916013b Chris Wulff 2024-08-14  701              wake_up(&hidg->get_queue);
> fce51fb916013b Chris Wulff 2024-08-14  702      }
> fce51fb916013b Chris Wulff 2024-08-14  703
> fce51fb916013b Chris Wulff 2024-08-14  704      spin_unlock_irqrestore(&hidg->get_report_spinlock, flags);
> fce51fb916013b Chris Wulff 2024-08-14 @705      return 0;
> fce51fb916013b Chris Wulff 2024-08-14  706  }
>
> --
> 0-DAY CI Kernel Test Service
> https://github.com/intel/lkp-tests/wiki
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ