[Bug 188621] New: Function kfd_wait_on_events() does not set error code when the call to copy_from_user() fails

Fri Nov 25 10:42:36 UTC 2016

https://bugzilla.kernel.org/show_bug.cgi?id=188621

            Bug ID: 188621
           Summary: Function kfd_wait_on_events() does not set error code
                    when the call to copy_from_user() fails
           Product: Drivers
           Version: 2.5
    Kernel Version: linux-4.9-rc6
          Hardware: All
                OS: Linux
              Tree: Mainline
            Status: NEW
          Severity: normal
          Priority: P1
         Component: Video(DRI - non Intel)
          Assignee: drivers_video-dri at kernel-bugs.osdl.org
          Reporter: bianpan2010 at ruc.edu.cn
        Regression: No

The return value of copy_from_user() indicates the number of bytes that cannot
be copied, and there may be something wrong when the value is non-zero. In
function kfd_wait_on_events() defined in file
drivers/gpu/drm/amd/amdkfd/kfd_events.c, variable ret takes the error code. At
line 743, the value of ret must be 0, and thus it will return 0 when
copy_from_user() fails. 0 indicates there is no error, which is contrary to the
fact. Maybe it is better to assign "-EFAULT" to ret when the check of the
return value of copy_from_user() fails at line 741. Codes related to this bug
are summarised as follows.

kfd_wait_on_events @@ drivers/gpu/drm/amd/amdkfd/kfd_events.c
718 int kfd_wait_on_events(struct kfd_process *p,
719                uint32_t num_events, void __user *data,
720                bool all, uint32_t user_timeout_ms,
721                enum kfd_event_wait_result *wait_result)
722 {
        ...
726     int ret = 0;
        ...
730     mutex_lock(&p->event_mutex);
731 
732     event_waiters = alloc_event_waiters(num_events);
733     if (!event_waiters) {
734         ret = -ENOMEM;
735         goto fail;
736     }
737 
738     for (i = 0; i < num_events; i++) {
739         struct kfd_event_data event_data;
740 
741         if (copy_from_user(&event_data, &events[i],
742                 sizeof(struct kfd_event_data)))
743             goto fail;   // insert "ret = -EFAULT;" before this jump
instruction?
744 
745         ret = init_event_waiter(p, &event_waiters[i],
746                 event_data.event_id, i);
747         if (ret)
748             goto fail;
749     }
        ...
796 fail:
797     if (event_waiters)
798         free_waiters(num_events, event_waiters);
799 
800     mutex_unlock(&p->event_mutex);
801 
802     *wait_result = KFD_WAIT_ERROR;
803 
804     return ret;
805 }

Thanks very much!

-- 
You are receiving this mail because:
You are watching the assignee of the bug.