On Fri, Sep 22, 2023 at 1:32 PM Kees Cook <[email protected]> wrote:
>
> Prepare for the coming implementation by GCC and Clang of the __counted_by
> attribute. Flexible array members annotated with __counted_by can have
> their accesses bounds-checked at run-time checking via CONFIG_UBSAN_BOUNDS
> (for array indexing) and CONFIG_FORTIFY_SOURCE (for strcpy/memcpy-family
> functions).
>
> As found with Coccinelle[1], add __counted_by for struct smu10_voltage_dependency_table.
>
> [1] https://github.com/kees/kernel-tools/blob/trunk/coccinelle/examples/counted_by.cocci
>
> Cc: Evan Quan <[email protected]>
> Cc: Alex Deucher <[email protected]>
> Cc: "Christian König" <[email protected]>
> Cc: "Pan, Xinhui" <[email protected]>
> Cc: David Airlie <[email protected]>
> Cc: Daniel Vetter <[email protected]>
> Cc: Xiaojian Du <[email protected]>
> Cc: Huang Rui <[email protected]>
> Cc: Kevin Wang <[email protected]>
> Cc: [email protected]
> Cc: [email protected]
> Signed-off-by: Kees Cook <[email protected]>
Acked-by: Alex Deucher <[email protected]>
> ---
> drivers/gpu/drm/amd/pm/powerplay/hwmgr/smu10_hwmgr.h | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/gpu/drm/amd/pm/powerplay/hwmgr/smu10_hwmgr.h b/drivers/gpu/drm/amd/pm/powerplay/hwmgr/smu10_hwmgr.h
> index 808e0ecbe1f0..42adc2a3dcbc 100644
> --- a/drivers/gpu/drm/amd/pm/powerplay/hwmgr/smu10_hwmgr.h
> +++ b/drivers/gpu/drm/amd/pm/powerplay/hwmgr/smu10_hwmgr.h
> @@ -192,7 +192,7 @@ struct smu10_clock_voltage_dependency_record {
>
> struct smu10_voltage_dependency_table {
> uint32_t count;
> - struct smu10_clock_voltage_dependency_record entries[];
> + struct smu10_clock_voltage_dependency_record entries[] __counted_by(count);
> };
>
> struct smu10_clock_voltage_information {
> --
> 2.34.1
>
Am 22.09.23 um 19:41 schrieb Alex Deucher:
> On Fri, Sep 22, 2023 at 1:32 PM Kees Cook <[email protected]> wrote:
>> Prepare for the coming implementation by GCC and Clang of the __counted_by
>> attribute. Flexible array members annotated with __counted_by can have
>> their accesses bounds-checked at run-time checking via CONFIG_UBSAN_BOUNDS
>> (for array indexing) and CONFIG_FORTIFY_SOURCE (for strcpy/memcpy-family
>> functions).
>>
>> As found with Coccinelle[1], add __counted_by for struct smu10_voltage_dependency_table.
>>
>> [1] https://github.com/kees/kernel-tools/blob/trunk/coccinelle/examples/counted_by.cocci
>>
>> Cc: Evan Quan <[email protected]>
>> Cc: Alex Deucher <[email protected]>
>> Cc: "Christian König" <[email protected]>
>> Cc: "Pan, Xinhui" <[email protected]>
>> Cc: David Airlie <[email protected]>
>> Cc: Daniel Vetter <[email protected]>
>> Cc: Xiaojian Du <[email protected]>
>> Cc: Huang Rui <[email protected]>
>> Cc: Kevin Wang <[email protected]>
>> Cc: [email protected]
>> Cc: [email protected]
>> Signed-off-by: Kees Cook <[email protected]>
> Acked-by: Alex Deucher <[email protected]>
Mhm, I'm not sure if this is a good idea. That is a structure filled in
by the firmware, isn't it?
That would imply that we might need to byte swap count before it is
checkable.
Regards,
Christian.
>
>> ---
>> drivers/gpu/drm/amd/pm/powerplay/hwmgr/smu10_hwmgr.h | 2 +-
>> 1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/drivers/gpu/drm/amd/pm/powerplay/hwmgr/smu10_hwmgr.h b/drivers/gpu/drm/amd/pm/powerplay/hwmgr/smu10_hwmgr.h
>> index 808e0ecbe1f0..42adc2a3dcbc 100644
>> --- a/drivers/gpu/drm/amd/pm/powerplay/hwmgr/smu10_hwmgr.h
>> +++ b/drivers/gpu/drm/amd/pm/powerplay/hwmgr/smu10_hwmgr.h
>> @@ -192,7 +192,7 @@ struct smu10_clock_voltage_dependency_record {
>>
>> struct smu10_voltage_dependency_table {
>> uint32_t count;
>> - struct smu10_clock_voltage_dependency_record entries[];
>> + struct smu10_clock_voltage_dependency_record entries[] __counted_by(count);
>> };
>>
>> struct smu10_clock_voltage_information {
>> --
>> 2.34.1
>>
On Mon, Sep 25, 2023 at 2:30 AM Christian König
<[email protected]> wrote:
>
> Am 22.09.23 um 19:41 schrieb Alex Deucher:
> > On Fri, Sep 22, 2023 at 1:32 PM Kees Cook <[email protected]> wrote:
> >> Prepare for the coming implementation by GCC and Clang of the __counted_by
> >> attribute. Flexible array members annotated with __counted_by can have
> >> their accesses bounds-checked at run-time checking via CONFIG_UBSAN_BOUNDS
> >> (for array indexing) and CONFIG_FORTIFY_SOURCE (for strcpy/memcpy-family
> >> functions).
> >>
> >> As found with Coccinelle[1], add __counted_by for struct smu10_voltage_dependency_table.
> >>
> >> [1] https://github.com/kees/kernel-tools/blob/trunk/coccinelle/examples/counted_by.cocci
> >>
> >> Cc: Evan Quan <[email protected]>
> >> Cc: Alex Deucher <[email protected]>
> >> Cc: "Christian König" <[email protected]>
> >> Cc: "Pan, Xinhui" <[email protected]>
> >> Cc: David Airlie <[email protected]>
> >> Cc: Daniel Vetter <[email protected]>
> >> Cc: Xiaojian Du <[email protected]>
> >> Cc: Huang Rui <[email protected]>
> >> Cc: Kevin Wang <[email protected]>
> >> Cc: [email protected]
> >> Cc: [email protected]
> >> Signed-off-by: Kees Cook <[email protected]>
> > Acked-by: Alex Deucher <[email protected]>
>
> Mhm, I'm not sure if this is a good idea. That is a structure filled in
> by the firmware, isn't it?
>
> That would imply that we might need to byte swap count before it is
> checkable.
True. Good point. Same for the other amdgpu patch.
Alex
>
> Regards,
> Christian.
>
> >
> >> ---
> >> drivers/gpu/drm/amd/pm/powerplay/hwmgr/smu10_hwmgr.h | 2 +-
> >> 1 file changed, 1 insertion(+), 1 deletion(-)
> >>
> >> diff --git a/drivers/gpu/drm/amd/pm/powerplay/hwmgr/smu10_hwmgr.h b/drivers/gpu/drm/amd/pm/powerplay/hwmgr/smu10_hwmgr.h
> >> index 808e0ecbe1f0..42adc2a3dcbc 100644
> >> --- a/drivers/gpu/drm/amd/pm/powerplay/hwmgr/smu10_hwmgr.h
> >> +++ b/drivers/gpu/drm/amd/pm/powerplay/hwmgr/smu10_hwmgr.h
> >> @@ -192,7 +192,7 @@ struct smu10_clock_voltage_dependency_record {
> >>
> >> struct smu10_voltage_dependency_table {
> >> uint32_t count;
> >> - struct smu10_clock_voltage_dependency_record entries[];
> >> + struct smu10_clock_voltage_dependency_record entries[] __counted_by(count);
> >> };
> >>
> >> struct smu10_clock_voltage_information {
> >> --
> >> 2.34.1
> >>
>
On Mon, Sep 25, 2023 at 10:07 AM Alex Deucher <[email protected]> wrote:
>
> On Mon, Sep 25, 2023 at 2:30 AM Christian König
> <[email protected]> wrote:
> >
> > Am 22.09.23 um 19:41 schrieb Alex Deucher:
> > > On Fri, Sep 22, 2023 at 1:32 PM Kees Cook <[email protected]> wrote:
> > >> Prepare for the coming implementation by GCC and Clang of the __counted_by
> > >> attribute. Flexible array members annotated with __counted_by can have
> > >> their accesses bounds-checked at run-time checking via CONFIG_UBSAN_BOUNDS
> > >> (for array indexing) and CONFIG_FORTIFY_SOURCE (for strcpy/memcpy-family
> > >> functions).
> > >>
> > >> As found with Coccinelle[1], add __counted_by for struct smu10_voltage_dependency_table.
> > >>
> > >> [1] https://github.com/kees/kernel-tools/blob/trunk/coccinelle/examples/counted_by.cocci
> > >>
> > >> Cc: Evan Quan <[email protected]>
> > >> Cc: Alex Deucher <[email protected]>
> > >> Cc: "Christian König" <[email protected]>
> > >> Cc: "Pan, Xinhui" <[email protected]>
> > >> Cc: David Airlie <[email protected]>
> > >> Cc: Daniel Vetter <[email protected]>
> > >> Cc: Xiaojian Du <[email protected]>
> > >> Cc: Huang Rui <[email protected]>
> > >> Cc: Kevin Wang <[email protected]>
> > >> Cc: [email protected]
> > >> Cc: [email protected]
> > >> Signed-off-by: Kees Cook <[email protected]>
> > > Acked-by: Alex Deucher <[email protected]>
> >
> > Mhm, I'm not sure if this is a good idea. That is a structure filled in
> > by the firmware, isn't it?
> >
> > That would imply that we might need to byte swap count before it is
> > checkable.
>
> True. Good point. Same for the other amdgpu patch.
Actually the other patch is fine. That's just a local structure.
Alex
>
> Alex
>
> >
> > Regards,
> > Christian.
> >
> > >
> > >> ---
> > >> drivers/gpu/drm/amd/pm/powerplay/hwmgr/smu10_hwmgr.h | 2 +-
> > >> 1 file changed, 1 insertion(+), 1 deletion(-)
> > >>
> > >> diff --git a/drivers/gpu/drm/amd/pm/powerplay/hwmgr/smu10_hwmgr.h b/drivers/gpu/drm/amd/pm/powerplay/hwmgr/smu10_hwmgr.h
> > >> index 808e0ecbe1f0..42adc2a3dcbc 100644
> > >> --- a/drivers/gpu/drm/amd/pm/powerplay/hwmgr/smu10_hwmgr.h
> > >> +++ b/drivers/gpu/drm/amd/pm/powerplay/hwmgr/smu10_hwmgr.h
> > >> @@ -192,7 +192,7 @@ struct smu10_clock_voltage_dependency_record {
> > >>
> > >> struct smu10_voltage_dependency_table {
> > >> uint32_t count;
> > >> - struct smu10_clock_voltage_dependency_record entries[];
> > >> + struct smu10_clock_voltage_dependency_record entries[] __counted_by(count);
> > >> };
> > >>
> > >> struct smu10_clock_voltage_information {
> > >> --
> > >> 2.34.1
> > >>
> >
On Mon, Sep 25, 2023 at 08:30:30AM +0200, Christian König wrote:
> Am 22.09.23 um 19:41 schrieb Alex Deucher:
> > On Fri, Sep 22, 2023 at 1:32 PM Kees Cook <[email protected]> wrote:
> > > Prepare for the coming implementation by GCC and Clang of the __counted_by
> > > attribute. Flexible array members annotated with __counted_by can have
> > > their accesses bounds-checked at run-time checking via CONFIG_UBSAN_BOUNDS
> > > (for array indexing) and CONFIG_FORTIFY_SOURCE (for strcpy/memcpy-family
> > > functions).
> > >
> > > As found with Coccinelle[1], add __counted_by for struct smu10_voltage_dependency_table.
> > >
> > > [1] https://github.com/kees/kernel-tools/blob/trunk/coccinelle/examples/counted_by.cocci
> > >
> > > Cc: Evan Quan <[email protected]>
> > > Cc: Alex Deucher <[email protected]>
> > > Cc: "Christian König" <[email protected]>
> > > Cc: "Pan, Xinhui" <[email protected]>
> > > Cc: David Airlie <[email protected]>
> > > Cc: Daniel Vetter <[email protected]>
> > > Cc: Xiaojian Du <[email protected]>
> > > Cc: Huang Rui <[email protected]>
> > > Cc: Kevin Wang <[email protected]>
> > > Cc: [email protected]
> > > Cc: [email protected]
> > > Signed-off-by: Kees Cook <[email protected]>
> > Acked-by: Alex Deucher <[email protected]>
>
> Mhm, I'm not sure if this is a good idea. That is a structure filled in by
> the firmware, isn't it?
>
> That would imply that we might need to byte swap count before it is
> checkable.
The script found this instance because of this:
static int smu10_get_clock_voltage_dependency_table(struct pp_hwmgr *hwmgr,
struct smu10_voltage_dependency_table **pptable,
uint32_t num_entry, const DpmClock_t *pclk_dependency_table)
{
uint32_t i;
struct smu10_voltage_dependency_table *ptable;
ptable = kzalloc(struct_size(ptable, entries, num_entry), GFP_KERNEL);
if (NULL == ptable)
return -ENOMEM;
ptable->count = num_entry;
So the implication is that it's native byte order... but you tell me! I
certainly don't want this annotation if it's going to break stuff. :)
--
Kees Cook
On Mon, Sep 25, 2023 at 1:52 PM Kees Cook <[email protected]> wrote:
>
> On Mon, Sep 25, 2023 at 08:30:30AM +0200, Christian König wrote:
> > Am 22.09.23 um 19:41 schrieb Alex Deucher:
> > > On Fri, Sep 22, 2023 at 1:32 PM Kees Cook <[email protected]> wrote:
> > > > Prepare for the coming implementation by GCC and Clang of the __counted_by
> > > > attribute. Flexible array members annotated with __counted_by can have
> > > > their accesses bounds-checked at run-time checking via CONFIG_UBSAN_BOUNDS
> > > > (for array indexing) and CONFIG_FORTIFY_SOURCE (for strcpy/memcpy-family
> > > > functions).
> > > >
> > > > As found with Coccinelle[1], add __counted_by for struct smu10_voltage_dependency_table.
> > > >
> > > > [1] https://github.com/kees/kernel-tools/blob/trunk/coccinelle/examples/counted_by.cocci
> > > >
> > > > Cc: Evan Quan <[email protected]>
> > > > Cc: Alex Deucher <[email protected]>
> > > > Cc: "Christian König" <[email protected]>
> > > > Cc: "Pan, Xinhui" <[email protected]>
> > > > Cc: David Airlie <[email protected]>
> > > > Cc: Daniel Vetter <[email protected]>
> > > > Cc: Xiaojian Du <[email protected]>
> > > > Cc: Huang Rui <[email protected]>
> > > > Cc: Kevin Wang <[email protected]>
> > > > Cc: [email protected]
> > > > Cc: [email protected]
> > > > Signed-off-by: Kees Cook <[email protected]>
> > > Acked-by: Alex Deucher <[email protected]>
> >
> > Mhm, I'm not sure if this is a good idea. That is a structure filled in by
> > the firmware, isn't it?
> >
> > That would imply that we might need to byte swap count before it is
> > checkable.
>
> The script found this instance because of this:
>
> static int smu10_get_clock_voltage_dependency_table(struct pp_hwmgr *hwmgr,
> struct smu10_voltage_dependency_table **pptable,
> uint32_t num_entry, const DpmClock_t *pclk_dependency_table)
> {
> uint32_t i;
> struct smu10_voltage_dependency_table *ptable;
>
> ptable = kzalloc(struct_size(ptable, entries, num_entry), GFP_KERNEL);
> if (NULL == ptable)
> return -ENOMEM;
>
> ptable->count = num_entry;
>
> So the implication is that it's native byte order... but you tell me! I
> certainly don't want this annotation if it's going to break stuff. :)
In this case, the code is for an integrated GPU in an x86 CPU so the
firmware and driver endianness match. You wouldn't find a stand alone
dGPU that uses this structure. In this case it's ok. False alarm.
Alex