tree: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.4.y
head: 38c92ba3580f0d00e57a55caf8f880aa1a0f2a50
commit: ade5180681d778d36b569ad35cc175ab22196c5f [1449/1774] Input: joydev - prevent potential read overflow in ioctl
config: h8300-randconfig-r031-20210718 (attached as .config)
compiler: h8300-linux-gcc (GCC) 10.3.0
reproduce (this is a W=1 build):
wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
chmod +x ~/bin/make.cross
# https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git/commit/?id=ade5180681d778d36b569ad35cc175ab22196c5f
git remote add linux-stable-rc https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git
git fetch --no-tags linux-stable-rc linux-4.4.y
git checkout ade5180681d778d36b569ad35cc175ab22196c5f
# save the attached .config to linux build tree
COMPILER_INSTALL_PATH=$HOME/0day COMPILER=gcc-10.3.0 make.cross ARCH=h8300
If you fix the issue, kindly add following tag as appropriate
Reported-by: kernel test robot <[email protected]>
All warnings (new ones prefixed by >>):
In file included from arch/h8300/include/generated/asm/uaccess.h:1,
from include/linux/poll.h:11,
from drivers/input/joydev.c:27:
include/asm-generic/uaccess.h: In function '__put_user_fn':
include/asm-generic/uaccess.h:178:16: warning: operand of '?:' changes signedness from 'int' to 'size_t' {aka 'long unsigned int'} due to unsignedness of other operand [-Wsign-compare]
178 | return size ? -EFAULT : size;
drivers/input/joydev.c: In function 'joydev_handle_JSIOCSAXMAP':
drivers/input/joydev.c:451:16: warning: comparison of integer expressions of different signedness: 'int' and 'size_t' {aka 'long unsigned int'} [-Wsign-compare]
451 | for (i = 0; i < len && i < joydev->nabs; i++) {
| ^
drivers/input/joydev.c: In function 'joydev_handle_JSIOCSBTNMAP':
>> drivers/input/joydev.c:485:16: warning: comparison of integer expressions of different signedness: 'int' and 'long unsigned int' [-Wsign-compare]
485 | for (i = 0; i < (len / 2) && i < joydev->nkey; i++) {
| ^
drivers/input/joydev.c: In function 'joydev_ioctl_common':
drivers/input/joydev.c:566:52: warning: operand of '?:' changes signedness from 'int' to 'size_t' {aka 'long unsigned int'} due to unsignedness of other operand [-Wsign-compare]
566 | return copy_to_user(argp, joydev->abspam, len) ? -EFAULT : len;
drivers/input/joydev.c:573:52: warning: operand of '?:' changes signedness from 'int' to 'size_t' {aka 'long unsigned int'} due to unsignedness of other operand [-Wsign-compare]
573 | return copy_to_user(argp, joydev->keypam, len) ? -EFAULT : len;
drivers/input/joydev.c:581:42: warning: operand of '?:' changes signedness from 'int' to 'size_t' {aka 'long unsigned int'} due to unsignedness of other operand [-Wsign-compare]
581 | return copy_to_user(argp, name, len) ? -EFAULT : len;
vim +485 drivers/input/joydev.c
467
468 static int joydev_handle_JSIOCSBTNMAP(struct joydev *joydev,
469 void __user *argp, size_t len)
470 {
471 __u16 *keypam;
472 int i;
473 int retval = 0;
474
475 if (len % sizeof(*keypam))
476 return -EINVAL;
477
478 len = min(len, sizeof(joydev->keypam));
479
480 /* Validate the map. */
481 keypam = memdup_user(argp, len);
482 if (IS_ERR(keypam))
483 return PTR_ERR(keypam);
484
> 485 for (i = 0; i < (len / 2) && i < joydev->nkey; i++) {
486 if (keypam[i] > KEY_MAX || keypam[i] < BTN_MISC) {
487 retval = -EINVAL;
488 goto out;
489 }
490 }
491
492 memcpy(joydev->keypam, keypam, len);
493
494 for (i = 0; i < joydev->nkey; i++)
495 joydev->keymap[keypam[i] - BTN_MISC] = i;
496
497 out:
498 kfree(keypam);
499 return retval;
500 }
501
---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/[email protected]
On Mon, Jul 19, 2021 at 11:39:16AM +0800, kernel test robot wrote:
> drivers/input/joydev.c: In function 'joydev_handle_JSIOCSAXMAP':
> drivers/input/joydev.c:451:16: warning: comparison of integer expressions of different signedness: 'int' and 'size_t' {aka 'long unsigned int'} [-Wsign-compare]
> 451 | for (i = 0; i < len && i < joydev->nabs; i++) {
We should figure out a way to turn this warning off in the compiler.
It's a stupid warning. It never fixes any bugs. It sometimes
introduces bugs.
In the kernel if you are in drivers/ and you have a loop which iterates
over 2 million times that's probably a bug. But GCC is very very
stupid and not designed to be a static analysis tool. It does not know
which loops can iterate more than 2 million times. Even when it knows
that the loop only loops up to 5 or 10 times it still warns that maybe
it will loop over 2 million times. INSULTS AND DISPARAGEMENT!
Seriously, please disable this warning unless you can point to one
single bug that it has fixed.
regards,
dan carpenter
On 7/19/21 3:17 PM, Dan Carpenter wrote:
> On Mon, Jul 19, 2021 at 11:39:16AM +0800, kernel test robot wrote:
>> drivers/input/joydev.c: In function 'joydev_handle_JSIOCSAXMAP':
>> drivers/input/joydev.c:451:16: warning: comparison of integer expressions of different signedness: 'int' and 'size_t' {aka 'long unsigned int'} [-Wsign-compare]
>> 451 | for (i = 0; i < len && i < joydev->nabs; i++) {
> We should figure out a way to turn this warning off in the compiler.
>
> It's a stupid warning. It never fixes any bugs. It sometimes
> introduces bugs.
>
> In the kernel if you are in drivers/ and you have a loop which iterates
> over 2 million times that's probably a bug. But GCC is very very
> stupid and not designed to be a static analysis tool. It does not know
> which loops can iterate more than 2 million times. Even when it knows
> that the loop only loops up to 5 or 10 times it still warns that maybe
> it will loop over 2 million times. INSULTS AND DISPARAGEMENT!
>
> Seriously, please disable this warning unless you can point to one
> single bug that it has fixed.
Hi Dan,
Thanks for the explanation, we'll stop reporting this warning.
Best Regards,
Rong Chen
>
> regards,
> dan carpenter