Re: [PATCHv2 17/17] media: v4l2-compat-ioctl32: fix several __user annotations
> >>> @@ -898,7 +899,8 @@ static int put_v4l2_ext_controls32(struct file *file, > >>> if (ctrl_is_pointer(file, id)) > >>> size -= sizeof(ucontrols->value64); > >>> > >>> - if (copy_in_user(ucontrols, kcontrols, size)) > >>> + if (copy_in_user(ucontrols, > >>> + (unsigned int __user *)kcontrols, size)) > >> > >> This is rather ugly. Would it be better to do something like this: > >> > >>struct v4l2_ext_control __user *kcontrols > >>struct v4l2_ext_control *kcontrols_tmp; > >> > >>get_user(kcontrols_tmp, >controls); > >>kcontrols = (void __user __force *)kcontrols_tmp; > > > > Nah, having two pointers with the same value, one with __user and another > > one without it will make it really hard for people to review. > > > >> > >> And then there is no need to change anything else. > >> > >> Regardless of the chosen solution, this needs comments to explain what is > >> going > >> on here, just as with v4l2_buffer above. > > > > Actually, the problem here happens before that. The problem > > here (and on the previous one) is that get_user() expects that > > the second argument to be a Kernelspace pointer. > > You mean the first argument? I'm actually not entirely sure if this is > correct since __get_user calls __typeof__, but that might not know about > __user. Anyway, it does not really matter for this patch and the uaccess.h > code gives me a headache :-) __typeof__ gets the type of the var, but __user is not a type. it is something else (see include/linux/compiler_types.h): #ifdef __CHECKER__ # define __user __attribute__((noderef, address_space(1))) ... #else /* __CHECKER__ */ # ifdef STRUCTLEAK_PLUGIN # define __user __attribute__((user)) # else # define __user # endif ... #endif /* __CHECKER__ */ It is only built for sparse/smatch and uses __attribute__ definition, with I guess __type_of__() won't parse. Also, on almost all places where get_user() is called, what you expect is to fill a Kernelspace var with something that came from userspace. So, it expects that the first argument to be a pointer to an area that is at Kernelspace. > > > > > So, in this routine, it does (simplified): > > > > struct v4l2_ext_control32 __user *ucontrols; > > struct v4l2_ext_control *kcontrols; > > > > ... > > get_user(kcontrols, >controls); > > > > Then, every time it needs to get something related to it, > > it needs the __user, like here: > > > > if (get_user(id, (unsigned int __user *)>id) > > ... > > > > In this specific case, only copy_in_user() was missing it; all the other > > __user casts are there already. > > > > > >> Note: the whole 'u' and 'k' naming is now hopelessly out of date > >> and > >> confusing. It should really be '32' and '64' to denote 32 bit vs > >> 64 bit layout. The pointers are now always in userspace, so 'k' no > >> longer > >> makes sense. > > > > Yes, we need this change, but this should be at a separate patch. > > > > I can do it, after we cleanup v4l2-compat-ioctl32.c from their namespace > > mess. > > Of course, this is a separate patch. > > > > > > >> > >>> return -EFAULT; > >>> > >>> ucontrols++; > >>> @@ -954,7 +956,7 @@ static int get_v4l2_edid32(struct v4l2_edid __user > >>> *kp, > >>> assign_in_user(>start_block, >start_block) || > >>> assign_in_user(>blocks, >blocks) || > >>> get_user(tmp, >edid) || > >>> - put_user(compat_ptr(tmp), >edid) || > >>> + put_user((void __force *)compat_ptr(tmp), >edid) || > >>> copy_in_user(kp->reserved, up->reserved, sizeof(kp->reserved))) > >>> return -EFAULT; > >>> return 0; > >>> @@ -970,7 +972,7 @@ static int put_v4l2_edid32(struct v4l2_edid __user > >>> *kp, > >>> assign_in_user(>start_block, >start_block) || > >>> assign_in_user(>blocks, >blocks) || > >>> get_user(edid, >edid) || > >>> - put_user(ptr_to_compat(edid), >edid) || > >>> + put_user(ptr_to_compat((void __user *)edid), >edid) || > >>> copy_in_user(up->reserved, kp->reserved, sizeof(up->reserved))) > >>> return -EFAULT; > >>> return 0; > >>> > >> > >> Otherwise this patch looks good. > >> > >> Regards, > >> > >>Hans > > > > Would be ok if I fold (or add as a separate patch) the enclosed diff? > > > > Thanks, > > Mauro > > > > > > diff --git a/drivers/media/v4l2-core/v4l2-compat-ioctl32.c > > b/drivers/media/v4l2-core/v4l2-compat-ioctl32.c > > index 1057ab8ce2b6..5c3408bdfd89 100644 > > --- a/drivers/media/v4l2-core/v4l2-compat-ioctl32.c > > +++ b/drivers/media/v4l2-core/v4l2-compat-ioctl32.c > > @@ -617,6 +617,15 @@ static int put_v4l2_buffer32(struct v4l2_buffer __user > > *kp, > > > > if (num_planes == 0) > > return 0; > > + /* > > +* We
Re: [PATCHv2 17/17] media: v4l2-compat-ioctl32: fix several __user annotations
On 04/16/2018 04:50 PM, Mauro Carvalho Chehab wrote: > Em Mon, 16 Apr 2018 14:03:45 +0200 > Hans Verkuilescreveu: > >> On 04/13/2018 08:07 PM, Mauro Carvalho Chehab wrote: >>> Smatch report several issues with bad __user annotations: >>> >>> drivers/media/v4l2-core/v4l2-compat-ioctl32.c:447:21: warning: incorrect >>> type in argument 1 (different address spaces) >>> drivers/media/v4l2-core/v4l2-compat-ioctl32.c:447:21:expected void >>> [noderef] *uptr >>> drivers/media/v4l2-core/v4l2-compat-ioctl32.c:447:21:got void >>> * >>> drivers/media/v4l2-core/v4l2-compat-ioctl32.c:621:21: warning: incorrect >>> type in argument 1 (different address spaces) >>> drivers/media/v4l2-core/v4l2-compat-ioctl32.c:621:21:expected void >>> const volatile [noderef] * >>> drivers/media/v4l2-core/v4l2-compat-ioctl32.c:621:21:got struct >>> v4l2_plane [noderef] ** >>> drivers/media/v4l2-core/v4l2-compat-ioctl32.c:693:13: warning: incorrect >>> type in argument 1 (different address spaces) >>> drivers/media/v4l2-core/v4l2-compat-ioctl32.c:693:13:expected void >>> [noderef] *uptr >>> drivers/media/v4l2-core/v4l2-compat-ioctl32.c:693:13:got void >>> *[assigned] base >>> drivers/media/v4l2-core/v4l2-compat-ioctl32.c:871:13: warning: incorrect >>> type in assignment (different address spaces) >>> drivers/media/v4l2-core/v4l2-compat-ioctl32.c:871:13:expected struct >>> v4l2_ext_control [noderef] *kcontrols >>> drivers/media/v4l2-core/v4l2-compat-ioctl32.c:871:13:got struct >>> v4l2_ext_control * >>> drivers/media/v4l2-core/v4l2-compat-ioctl32.c:957:13: warning: incorrect >>> type in assignment (different address spaces) >>> drivers/media/v4l2-core/v4l2-compat-ioctl32.c:957:13:expected >>> unsigned char [usertype] *__pu_val >>> drivers/media/v4l2-core/v4l2-compat-ioctl32.c:957:13:got void >>> [noderef] * >>> drivers/media/v4l2-core/v4l2-compat-ioctl32.c:973:13: warning: incorrect >>> type in argument 1 (different address spaces) >>> drivers/media/v4l2-core/v4l2-compat-ioctl32.c:973:13:expected void >>> [noderef] *uptr >>> drivers/media/v4l2-core/v4l2-compat-ioctl32.c:973:13:got void >>> *[assigned] edid >>> >>> Fix them. >>> >>> Signed-off-by: Mauro Carvalho Chehab >>> --- >>> drivers/media/v4l2-core/v4l2-compat-ioctl32.c | 32 >>> ++- >>> 1 file changed, 17 insertions(+), 15 deletions(-) >>> >>> diff --git a/drivers/media/v4l2-core/v4l2-compat-ioctl32.c >>> b/drivers/media/v4l2-core/v4l2-compat-ioctl32.c >>> index d03a44d89649..0b9dfe7dbfe7 100644 >>> --- a/drivers/media/v4l2-core/v4l2-compat-ioctl32.c >>> +++ b/drivers/media/v4l2-core/v4l2-compat-ioctl32.c >>> @@ -443,8 +443,8 @@ static int put_v4l2_plane32(struct v4l2_plane __user >>> *up, >>> return -EFAULT; >>> break; >>> case V4L2_MEMORY_USERPTR: >>> - if (get_user(p, >m.userptr) || >>> - put_user((compat_ulong_t)ptr_to_compat((__force void *)p), >>> + if (get_user(p, >m.userptr)|| >>> + put_user((compat_ulong_t)ptr_to_compat((void __user *)p), >>> >m.userptr)) >>> return -EFAULT; >>> break; >>> @@ -587,7 +587,7 @@ static int put_v4l2_buffer32(struct v4l2_buffer __user >>> *kp, >>> u32 length; >>> enum v4l2_memory memory; >>> struct v4l2_plane32 __user *uplane32; >>> - struct v4l2_plane __user *uplane; >>> + struct v4l2_plane *uplane; >> >> This needs a comment (either here or before the get_user below). It really >> is a >> pointer to userspace, but since videodev2.h has it without __user (since it >> is >> copied to kernel space in v4l2-ioctl.c) we need to define it as a regular >> pointer >> here and cast it to a __user pointer in the put_v4l2_plane32() call. >> >> This is not trivially obvious, so a comment would help a lot. > > > >> >>> compat_caddr_t p; >>> int ret; >>> >>> @@ -617,15 +617,14 @@ static int put_v4l2_buffer32(struct v4l2_buffer >>> __user *kp, >>> >>> if (num_planes == 0) >>> return 0; >>> - >>> - if (get_user(uplane, ((__force struct v4l2_plane __user >>> **)>m.planes))) >>> + if (get_user(uplane, >m.planes)) >>> return -EFAULT; >>> if (get_user(p, >m.planes)) >>> return -EFAULT; >>> uplane32 = compat_ptr(p); >>> >>> while (num_planes--) { >>> - ret = put_v4l2_plane32(uplane, uplane32, memory); >>> + ret = put_v4l2_plane32((void __user *)uplane, uplane32, >>> memory); >>> if (ret) >>> return ret; >>> ++uplane; >>> @@ -675,7 +674,7 @@ static int get_v4l2_framebuffer32(struct >>> v4l2_framebuffer __user *kp, >>> >>> if (!access_ok(VERIFY_READ, up, sizeof(*up)) || >>>
Re: [PATCHv2 17/17] media: v4l2-compat-ioctl32: fix several __user annotations
Em Mon, 16 Apr 2018 14:03:45 +0200 Hans Verkuilescreveu: > On 04/13/2018 08:07 PM, Mauro Carvalho Chehab wrote: > > Smatch report several issues with bad __user annotations: > > > > drivers/media/v4l2-core/v4l2-compat-ioctl32.c:447:21: warning: incorrect > > type in argument 1 (different address spaces) > > drivers/media/v4l2-core/v4l2-compat-ioctl32.c:447:21:expected void > > [noderef] *uptr > > drivers/media/v4l2-core/v4l2-compat-ioctl32.c:447:21:got void > > * > > drivers/media/v4l2-core/v4l2-compat-ioctl32.c:621:21: warning: incorrect > > type in argument 1 (different address spaces) > > drivers/media/v4l2-core/v4l2-compat-ioctl32.c:621:21:expected void > > const volatile [noderef] * > > drivers/media/v4l2-core/v4l2-compat-ioctl32.c:621:21:got struct > > v4l2_plane [noderef] ** > > drivers/media/v4l2-core/v4l2-compat-ioctl32.c:693:13: warning: incorrect > > type in argument 1 (different address spaces) > > drivers/media/v4l2-core/v4l2-compat-ioctl32.c:693:13:expected void > > [noderef] *uptr > > drivers/media/v4l2-core/v4l2-compat-ioctl32.c:693:13:got void > > *[assigned] base > > drivers/media/v4l2-core/v4l2-compat-ioctl32.c:871:13: warning: incorrect > > type in assignment (different address spaces) > > drivers/media/v4l2-core/v4l2-compat-ioctl32.c:871:13:expected struct > > v4l2_ext_control [noderef] *kcontrols > > drivers/media/v4l2-core/v4l2-compat-ioctl32.c:871:13:got struct > > v4l2_ext_control * > > drivers/media/v4l2-core/v4l2-compat-ioctl32.c:957:13: warning: incorrect > > type in assignment (different address spaces) > > drivers/media/v4l2-core/v4l2-compat-ioctl32.c:957:13:expected > > unsigned char [usertype] *__pu_val > > drivers/media/v4l2-core/v4l2-compat-ioctl32.c:957:13:got void > > [noderef] * > > drivers/media/v4l2-core/v4l2-compat-ioctl32.c:973:13: warning: incorrect > > type in argument 1 (different address spaces) > > drivers/media/v4l2-core/v4l2-compat-ioctl32.c:973:13:expected void > > [noderef] *uptr > > drivers/media/v4l2-core/v4l2-compat-ioctl32.c:973:13:got void > > *[assigned] edid > > > > Fix them. > > > > Signed-off-by: Mauro Carvalho Chehab > > --- > > drivers/media/v4l2-core/v4l2-compat-ioctl32.c | 32 > > ++- > > 1 file changed, 17 insertions(+), 15 deletions(-) > > > > diff --git a/drivers/media/v4l2-core/v4l2-compat-ioctl32.c > > b/drivers/media/v4l2-core/v4l2-compat-ioctl32.c > > index d03a44d89649..0b9dfe7dbfe7 100644 > > --- a/drivers/media/v4l2-core/v4l2-compat-ioctl32.c > > +++ b/drivers/media/v4l2-core/v4l2-compat-ioctl32.c > > @@ -443,8 +443,8 @@ static int put_v4l2_plane32(struct v4l2_plane __user > > *up, > > return -EFAULT; > > break; > > case V4L2_MEMORY_USERPTR: > > - if (get_user(p, >m.userptr) || > > - put_user((compat_ulong_t)ptr_to_compat((__force void *)p), > > + if (get_user(p, >m.userptr)|| > > + put_user((compat_ulong_t)ptr_to_compat((void __user *)p), > > >m.userptr)) > > return -EFAULT; > > break; > > @@ -587,7 +587,7 @@ static int put_v4l2_buffer32(struct v4l2_buffer __user > > *kp, > > u32 length; > > enum v4l2_memory memory; > > struct v4l2_plane32 __user *uplane32; > > - struct v4l2_plane __user *uplane; > > + struct v4l2_plane *uplane; > > This needs a comment (either here or before the get_user below). It really is > a > pointer to userspace, but since videodev2.h has it without __user (since it is > copied to kernel space in v4l2-ioctl.c) we need to define it as a regular > pointer > here and cast it to a __user pointer in the put_v4l2_plane32() call. > > This is not trivially obvious, so a comment would help a lot. > > > compat_caddr_t p; > > int ret; > > > > @@ -617,15 +617,14 @@ static int put_v4l2_buffer32(struct v4l2_buffer > > __user *kp, > > > > if (num_planes == 0) > > return 0; > > - > > - if (get_user(uplane, ((__force struct v4l2_plane __user > > **)>m.planes))) > > + if (get_user(uplane, >m.planes)) > > return -EFAULT; > > if (get_user(p, >m.planes)) > > return -EFAULT; > > uplane32 = compat_ptr(p); > > > > while (num_planes--) { > > - ret = put_v4l2_plane32(uplane, uplane32, memory); > > + ret = put_v4l2_plane32((void __user *)uplane, uplane32, > > memory); > > if (ret) > > return ret; > > ++uplane; > > @@ -675,7 +674,7 @@ static int get_v4l2_framebuffer32(struct > > v4l2_framebuffer __user *kp, > > > > if (!access_ok(VERIFY_READ, up, sizeof(*up)) || > > get_user(tmp, >base) || > > - put_user((__force void
Re: [PATCHv2 17/17] media: v4l2-compat-ioctl32: fix several __user annotations
On 04/13/2018 08:07 PM, Mauro Carvalho Chehab wrote: > Smatch report several issues with bad __user annotations: > > drivers/media/v4l2-core/v4l2-compat-ioctl32.c:447:21: warning: incorrect > type in argument 1 (different address spaces) > drivers/media/v4l2-core/v4l2-compat-ioctl32.c:447:21:expected void > [noderef] *uptr > drivers/media/v4l2-core/v4l2-compat-ioctl32.c:447:21:got void * > drivers/media/v4l2-core/v4l2-compat-ioctl32.c:621:21: warning: incorrect > type in argument 1 (different address spaces) > drivers/media/v4l2-core/v4l2-compat-ioctl32.c:621:21:expected void > const volatile [noderef] * > drivers/media/v4l2-core/v4l2-compat-ioctl32.c:621:21:got struct > v4l2_plane [noderef] ** > drivers/media/v4l2-core/v4l2-compat-ioctl32.c:693:13: warning: incorrect > type in argument 1 (different address spaces) > drivers/media/v4l2-core/v4l2-compat-ioctl32.c:693:13:expected void > [noderef] *uptr > drivers/media/v4l2-core/v4l2-compat-ioctl32.c:693:13:got void > *[assigned] base > drivers/media/v4l2-core/v4l2-compat-ioctl32.c:871:13: warning: incorrect > type in assignment (different address spaces) > drivers/media/v4l2-core/v4l2-compat-ioctl32.c:871:13:expected struct > v4l2_ext_control [noderef] *kcontrols > drivers/media/v4l2-core/v4l2-compat-ioctl32.c:871:13:got struct > v4l2_ext_control * > drivers/media/v4l2-core/v4l2-compat-ioctl32.c:957:13: warning: incorrect > type in assignment (different address spaces) > drivers/media/v4l2-core/v4l2-compat-ioctl32.c:957:13:expected unsigned > char [usertype] *__pu_val > drivers/media/v4l2-core/v4l2-compat-ioctl32.c:957:13:got void [noderef] > * > drivers/media/v4l2-core/v4l2-compat-ioctl32.c:973:13: warning: incorrect > type in argument 1 (different address spaces) > drivers/media/v4l2-core/v4l2-compat-ioctl32.c:973:13:expected void > [noderef] *uptr > drivers/media/v4l2-core/v4l2-compat-ioctl32.c:973:13:got void > *[assigned] edid > > Fix them. > > Signed-off-by: Mauro Carvalho Chehab> --- > drivers/media/v4l2-core/v4l2-compat-ioctl32.c | 32 > ++- > 1 file changed, 17 insertions(+), 15 deletions(-) > > diff --git a/drivers/media/v4l2-core/v4l2-compat-ioctl32.c > b/drivers/media/v4l2-core/v4l2-compat-ioctl32.c > index d03a44d89649..0b9dfe7dbfe7 100644 > --- a/drivers/media/v4l2-core/v4l2-compat-ioctl32.c > +++ b/drivers/media/v4l2-core/v4l2-compat-ioctl32.c > @@ -443,8 +443,8 @@ static int put_v4l2_plane32(struct v4l2_plane __user *up, > return -EFAULT; > break; > case V4L2_MEMORY_USERPTR: > - if (get_user(p, >m.userptr) || > - put_user((compat_ulong_t)ptr_to_compat((__force void *)p), > + if (get_user(p, >m.userptr)|| > + put_user((compat_ulong_t)ptr_to_compat((void __user *)p), >>m.userptr)) > return -EFAULT; > break; > @@ -587,7 +587,7 @@ static int put_v4l2_buffer32(struct v4l2_buffer __user > *kp, > u32 length; > enum v4l2_memory memory; > struct v4l2_plane32 __user *uplane32; > - struct v4l2_plane __user *uplane; > + struct v4l2_plane *uplane; This needs a comment (either here or before the get_user below). It really is a pointer to userspace, but since videodev2.h has it without __user (since it is copied to kernel space in v4l2-ioctl.c) we need to define it as a regular pointer here and cast it to a __user pointer in the put_v4l2_plane32() call. This is not trivially obvious, so a comment would help a lot. > compat_caddr_t p; > int ret; > > @@ -617,15 +617,14 @@ static int put_v4l2_buffer32(struct v4l2_buffer __user > *kp, > > if (num_planes == 0) > return 0; > - > - if (get_user(uplane, ((__force struct v4l2_plane __user > **)>m.planes))) > + if (get_user(uplane, >m.planes)) > return -EFAULT; > if (get_user(p, >m.planes)) > return -EFAULT; > uplane32 = compat_ptr(p); > > while (num_planes--) { > - ret = put_v4l2_plane32(uplane, uplane32, memory); > + ret = put_v4l2_plane32((void __user *)uplane, uplane32, > memory); > if (ret) > return ret; > ++uplane; > @@ -675,7 +674,7 @@ static int get_v4l2_framebuffer32(struct v4l2_framebuffer > __user *kp, > > if (!access_ok(VERIFY_READ, up, sizeof(*up)) || > get_user(tmp, >base) || > - put_user((__force void *)compat_ptr(tmp), >base) || > + put_user((void __force *)compat_ptr(tmp), >base) || > assign_in_user(>capability, >capability) || > assign_in_user(>flags, >flags) || > copy_in_user(>fmt, >fmt, sizeof(kp->fmt))) > @@