[Intel-gfx] [bug report] drm/i915: Engine discovery query
Dan Carpenter
dan.carpenter at oracle.com
Wed May 29 11:52:43 UTC 2019
Hello Tvrtko Ursulin,
The patch c5d3e39caa45: "drm/i915: Engine discovery query" from May
22, 2019, leads to the following static checker warning:
drivers/gpu/drm/i915/i915_query.c:134 query_engine_info()
warn: calling '__copy_to_user()' without access_ok()
drivers/gpu/drm/i915/i915_query.c
97 query_engine_info(struct drm_i915_private *i915,
98 struct drm_i915_query_item *query_item)
99 {
100 struct drm_i915_query_engine_info __user *query_ptr =
101 u64_to_user_ptr(query_item->data_ptr);
query_item->data_ptr comes from the ioctl, so it is a user-controlled address, and nothing in the code quoted here checks it with access_ok().
102 struct drm_i915_engine_info __user *info_ptr;
103 struct drm_i915_query_engine_info query;
104 struct drm_i915_engine_info info = { };
105 struct intel_engine_cs *engine;
106 enum intel_engine_id id;
107 int len, ret;
108
109 if (query_item->flags)
110 return -EINVAL;
111
112 len = sizeof(struct drm_i915_query_engine_info) +
113 RUNTIME_INFO(i915)->num_engines *
114 sizeof(struct drm_i915_engine_info);
115
116 ret = copy_query_item(&query, sizeof(query), len, query_item);
117 if (ret != 0)
118 return ret;
119
120 if (query.num_engines || query.rsvd[0] || query.rsvd[1] ||
121 query.rsvd[2])
122 return -EINVAL;
123
124 info_ptr = &query_ptr->engines[0];
125
126 for_each_engine(engine, i915, id) {
127 info.engine.engine_class = engine->uabi_class;
128 info.engine.engine_instance = engine->instance;
129 info.capabilities = engine->uabi_capabilities;
130
131 if (__copy_to_user(info_ptr, &info, sizeof(info)))
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
132 return -EFAULT;
133
134 query.num_engines++;
135 info_ptr++;
136 }
137
138 if (__copy_to_user(query_ptr, &query, sizeof(query)))
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
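I do think that both of these should be regular copy_to_user() calls, since copy_to_user() does the access_ok() range check itself while __copy_to_user() relies on the caller having done it already.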
139 return -EFAULT;
140
141 return len;
regards,
dan carpenter