| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <202501151212.S309qHCR-lkp@intel.com>
Date: Wed, 15 Jan 2025 12:51:43 +0800
From: kernel test robot <lkp@...el.com>
To: Tvrtko Ursulin <tvrtko.ursulin@...el.com>
Cc: oe-kbuild-all@...ts.linux.dev, linux-kernel@...r.kernel.org,
Rodrigo Vivi <rodrigo.vivi@...el.com>
Subject: drivers/gpu/drm/i915/gem/i915_gem_context.c:2162:9-16: WARNING
opportunity for memdup_user
tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
head: 619f0b6fad524f08d493a98d55bac9ab8895e3a6
commit: 0f1bb41bf39695c84c83ce6f69e125b562d1d7ab drm/i915: Support replaying GPU hangs with captured context image
date: 8 months ago
config: x86_64-randconfig-101-20250115 (https://download.01.org/0day-ci/archive/20250115/202501151212.S309qHCR-lkp@intel.com/config)
compiler: gcc-12 (Debian 12.2.0-14) 12.2.0
If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp@...el.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202501151212.S309qHCR-lkp@intel.com/
cocci warnings: (new ones prefixed by >>)
>> drivers/gpu/drm/i915/gem/i915_gem_context.c:2162:9-16: WARNING opportunity for memdup_user
vim +2162 drivers/gpu/drm/i915/gem/i915_gem_context.c
2108
2109 static int set_context_image(struct i915_gem_context *ctx,
2110 struct drm_i915_gem_context_param *args)
2111 {
2112 struct i915_gem_context_param_context_image user;
2113 struct intel_context *ce;
2114 struct file *shmem_state;
2115 unsigned long lookup;
2116 void *state;
2117 int ret = 0;
2118
2119 if (!IS_ENABLED(CONFIG_DRM_I915_REPLAY_GPU_HANGS_API))
2120 return -EINVAL;
2121
2122 if (!ctx->i915->params.enable_debug_only_api)
2123 return -EINVAL;
2124
2125 if (args->size < sizeof(user))
2126 return -EINVAL;
2127
2128 if (copy_from_user(&user, u64_to_user_ptr(args->value), sizeof(user)))
2129 return -EFAULT;
2130
2131 if (user.mbz)
2132 return -EINVAL;
2133
2134 if (user.flags & ~(I915_CONTEXT_IMAGE_FLAG_ENGINE_INDEX))
2135 return -EINVAL;
2136
2137 lookup = 0;
2138 if (user.flags & I915_CONTEXT_IMAGE_FLAG_ENGINE_INDEX)
2139 lookup |= LOOKUP_USER_INDEX;
2140
2141 ce = lookup_user_engine(ctx, lookup, &user.engine);
2142 if (IS_ERR(ce))
2143 return PTR_ERR(ce);
2144
2145 if (user.size < ce->engine->context_size) {
2146 ret = -EINVAL;
2147 goto out_ce;
2148 }
2149
2150 if (drm_WARN_ON_ONCE(&ctx->i915->drm,
2151 test_bit(CONTEXT_ALLOC_BIT, &ce->flags))) {
2152 /*
2153 * This is racy but for a debug only API, if userspace is keen
2154 * to create and configure contexts, while simultaneously using
2155 * them from a second thread, let them suffer by potentially not
2156 * executing with the context image they just raced to apply.
2157 */
2158 ret = -EBUSY;
2159 goto out_ce;
2160 }
2161
> 2162 state = kmalloc(ce->engine->context_size, GFP_KERNEL);
2163 if (!state) {
2164 ret = -ENOMEM;
2165 goto out_ce;
2166 }
2167
2168 if (copy_from_user(state, u64_to_user_ptr(user.image),
2169 ce->engine->context_size)) {
2170 ret = -EFAULT;
2171 goto out_state;
2172 }
2173
2174 shmem_state = shmem_create_from_data(ce->engine->name,
2175 state, ce->engine->context_size);
2176 if (IS_ERR(shmem_state)) {
2177 ret = PTR_ERR(shmem_state);
2178 goto out_state;
2179 }
2180
2181 if (intel_context_set_own_state(ce)) {
2182 ret = -EBUSY;
2183 fput(shmem_state);
2184 goto out_state;
2185 }
2186
2187 ce->default_state = shmem_state;
2188
2189 args->size = sizeof(user);
2190
2191 out_state:
2192 kfree(state);
2193 out_ce:
2194 intel_context_put(ce);
2195 return ret;
2196 }
2197
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
Powered by blists - more mailing lists