Received: by 2002:a05:7208:9594:b0:7e:5202:c8b4 with SMTP id gs20csp2588rbb; Fri, 23 Feb 2024 09:50:22 -0800 (PST) X-Forwarded-Encrypted: i=3; AJvYcCWu+AYRLmTb9EqVk3xTflBKbBMtnc1nunQpDF2ipCkzekTes8H7fZeJ7VREyD87lMhK3AL+K7nSE0rcYRtXL6lMquz7MaeUfJWQp30L8A== X-Google-Smtp-Source: AGHT+IEzbvm7FB63ionIneQ1QNHJ09etb/43PaAoWL0p80mOFV7zc4CP0Q0+yh9bu8oywKQKjtOo X-Received: by 2002:a17:90a:7409:b0:29a:7303:f7d7 with SMTP id a9-20020a17090a740900b0029a7303f7d7mr486188pjg.38.1708710622502; Fri, 23 Feb 2024 09:50:22 -0800 (PST) ARC-Seal: i=2; a=rsa-sha256; t=1708710622; cv=pass; d=google.com; s=arc-20160816; b=KHA7JhvbTv1H8MAjLC4pyitSYPbV0JyXK0rtONt+Mni13HufKDn3MkPd8iauYZJmrh e8xmc0fdvImDUpsWTvbgZEKWjKPgE92Oagnwrf+/J2kKQUMgDV9VHLogkSTzo6NYOvQF zLDM5iD+EVJ047ROTJO1MYvgLTD2/vjF13N16M8KeWCWqQ5y3pOAwGwB4ly8jKnFzxtd OPyjDzonm5Oz67OhWCbFfyCYeQwAXHQ6XYVo87u54tG9lbPuEZFAA7CG1V7z6bm3pSeG /nqGp+erOeI9H9n7Q71r2HIVGblDCHWvyIU0dBvb/Mc+rvHJwQOGairI/RNI1uA05Zfr 4LtA== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=content-transfer-encoding:mime-version:list-unsubscribe :list-subscribe:list-id:precedence:organization:references :in-reply-to:message-id:subject:cc:to:from:date; bh=onYuFF3+HHSVgPltMRcu4XKL89aDrqZaf3xWDLSN1zs=; fh=ZjUSewBdMSRF0+t57yk0Ed1/9/oN7rAHAn5TRHjp1e4=; b=O3AjiTsbIeo6BWpv7h7ZRgQ94Xsgr6tEpI1rnVqXS2FGeuGMgUIp69kSfkKPqhamUV pprIyHac17xt2XpTr0mfYWgVSpZKMHUUep+4UmJtFJvTGvyC2CCbB8X20BFRixmc8sTu mC1IrAlwCjfjm6x7OJeljkxyqQEZZKCGJ8ypLLE8zfr74uBkuXyfWWEyL0vtRfIy53DI uXUHRIqOnoo5DjVuPADqxjLK9k5RRpGdfTRL/MGMT9uGdSv0KUP6s/nZlKMY3QlwkZZB eTQc225wZvKgZgFkb70kSSgDPZN4dAX5T/5hcSRhHwABFjKnY4xcsCShI8RgmRTGL1g4 2V8g==; dara=google.com ARC-Authentication-Results: i=2; mx.google.com; arc=pass (i=1 spf=pass spfdomain=huawei.com dmarc=pass fromdomain=huawei.com); spf=pass (google.com: domain of linux-kernel+bounces-78912-linux.lists.archive=gmail.com@vger.kernel.org designates 139.178.88.99 as permitted sender) smtp.mailfrom="linux-kernel+bounces-78912-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=fail (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=huawei.com Return-Path: Received: from sv.mirrors.kernel.org (sv.mirrors.kernel.org. [139.178.88.99]) by mx.google.com with ESMTPS id v17-20020a17090a899100b002955c8628ecsi1523661pjn.31.2024.02.23.09.50.22 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 23 Feb 2024 09:50:22 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel+bounces-78912-linux.lists.archive=gmail.com@vger.kernel.org designates 139.178.88.99 as permitted sender) client-ip=139.178.88.99; Authentication-Results: mx.google.com; arc=pass (i=1 spf=pass spfdomain=huawei.com dmarc=pass fromdomain=huawei.com); spf=pass (google.com: domain of linux-kernel+bounces-78912-linux.lists.archive=gmail.com@vger.kernel.org designates 139.178.88.99 as permitted sender) smtp.mailfrom="linux-kernel+bounces-78912-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=fail (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=huawei.com Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by sv.mirrors.kernel.org (Postfix) with ESMTPS id 70235284AC6 for ; Fri, 23 Feb 2024 17:50:13 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 25280141997; Fri, 23 Feb 2024 17:46:13 +0000 (UTC) Received: from frasgout.his.huawei.com (frasgout.his.huawei.com [185.176.79.56]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id C85B3140385; Fri, 23 Feb 2024 17:45:59 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=185.176.79.56 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1708710371; cv=none; b=hyp9kbULb+rjWBnxJCqQbb23GzEkDRC4vd9NAElnazWTYm7LrvmfO3PomzueSs9eQpuojy57DTuQfIDFWKaCaAmfY1KDT8JWaUZQoDqsldede4ZzQxs3cs8fpYm+TqBi7WUlLxDUtERqwMJm2i9tTNlOiFPd/wOx4vNn0YmiHSs= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1708710371; c=relaxed/simple; bh=yIsTcxtkN/WzBu1vfOj5fn+iwsswL34PWc3ew06vqz0=; h=Date:From:To:CC:Subject:Message-ID:In-Reply-To:References: MIME-Version:Content-Type; b=KoBFe8Q1l2CqjiBdcCKO/EtiUcN4xR7z2wrw0oFWP95nnEfpigqxsQzzLibOpoz1N9N+/+7AzTNi/kSHCl3duyQf4vKJJkE2Cx6qtsSmM5wnaMyRpOWSRdvPFX8RJnvBGTqyIq1qZtbsTWYmppwSUUe6EugkBV+1ZeQhYloQez0= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=Huawei.com; spf=pass smtp.mailfrom=huawei.com; arc=none smtp.client-ip=185.176.79.56 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=Huawei.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=huawei.com Received: from mail.maildlp.com (unknown [172.18.186.216]) by frasgout.his.huawei.com (SkyGuard) with ESMTP id 4ThHQF5r0zz6K8mr; Sat, 24 Feb 2024 01:42:13 +0800 (CST) Received: from lhrpeml500005.china.huawei.com (unknown [7.191.163.240]) by mail.maildlp.com (Postfix) with ESMTPS id 1B52E140684; Sat, 24 Feb 2024 01:45:53 +0800 (CST) Received: from localhost (10.202.227.76) by lhrpeml500005.china.huawei.com (7.191.163.240) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.1.2507.35; Fri, 23 Feb 2024 17:45:52 +0000 Date: Fri, 23 Feb 2024 17:45:51 +0000 From: Jonathan Cameron To: Kees Cook CC: Jonathan Cameron , Lars-Peter Clausen , Uwe =?ISO-8859-1?Q?Kleine-K=F6nig?= , Andy Shevchenko , Nuno =?ISO-8859-1?Q?S=E1?= , , Nathan Chancellor , Nick Desaulniers , "Bill Wendling" , Justin Stitt , , , Subject: Re: [PATCH] [RFC] iio: pressure: dlhl60d: Check mask_width for IRQs Message-ID: <20240223174551.00007411@Huawei.com> In-Reply-To: <202402230912.50332AF1@keescook> References: <20240222222335.work.759-kees@kernel.org> <20240223170918.00006b16@Huawei.com> <202402230912.50332AF1@keescook> Organization: Huawei Technologies Research and Development (UK) Ltd. X-Mailer: Claws Mail 4.1.0 (GTK 3.24.33; x86_64-w64-mingw32) Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="ISO-8859-1" Content-Transfer-Encoding: quoted-printable X-ClientProxiedBy: lhrpeml500005.china.huawei.com (7.191.163.240) To lhrpeml500005.china.huawei.com (7.191.163.240) On Fri, 23 Feb 2024 09:14:53 -0800 Kees Cook wrote: > On Fri, Feb 23, 2024 at 05:09:18PM +0000, Jonathan Cameron wrote: > > On Thu, 22 Feb 2024 14:23:39 -0800 > > Kees Cook wrote: > > =20 > > > Clang tripped over a FORTIFY warning in this code, and while it seems= it > > > may be a false positive in Clang due to loop unwinding, the code in > > > question seems to make a lot of assumptions. =20 > >=20 > > Hi Kees, > >=20 > > The assumptions are mostly characteristics of how the IIO buffers work > > with the scan masks defined based on indexes in the driver provided > > struct iio_chan_spec arrays. > >=20 > > This driver is doing more work than it should need to as we long ago > > moved some of the more fiddly handling into the IIO core. > > =20 > > > Comments added, and the > > > Clang warning[1] has been worked around by growing the array size. > > > Also there was an uninitialized 4th byte in the __be32 array that was > > > being sent through to iio_push_to_buffers(). =20 > >=20 > > That is indeed not good - the buffer should have been zero initialized.= =20 >=20 > Okay, I'll get this respun and include the fix. >=20 > > =20 > > >=20 > > > Link: https://github.com/ClangBuiltLinux/linux/issues/2000 [1] > > > Signed-off-by: Kees Cook > > > --- > > > Cc: Jonathan Cameron > > > Cc: Lars-Peter Clausen > > > Cc: "Uwe Kleine-K=F6nig" > > > Cc: Andy Shevchenko > > > Cc: "Nuno S=E1" > > > Cc: linux-iio@vger.kernel.org > > > --- > > > drivers/iio/pressure/dlhl60d.c | 11 +++++++++-- > > > 1 file changed, 9 insertions(+), 2 deletions(-) > > >=20 > > > diff --git a/drivers/iio/pressure/dlhl60d.c b/drivers/iio/pressure/dl= hl60d.c > > > index 28c8269ba65d..9bbecd0bfe88 100644 > > > --- a/drivers/iio/pressure/dlhl60d.c > > > +++ b/drivers/iio/pressure/dlhl60d.c > > > @@ -250,20 +250,27 @@ static irqreturn_t dlh_trigger_handler(int irq,= void *private) > > > struct dlh_state *st =3D iio_priv(indio_dev); > > > int ret; > > > unsigned int chn, i =3D 0; > > > - __be32 tmp_buf[2]; > > > + /* This was only an array pair of 4 bytes. */ =20 > >=20 > > True, which is the right size as far as I can tell. > > If we need this to suppress a warning then comment should say that. =20 >=20 > Okay. I think I'll leave it as 2 and manually "unroll" the loop. Without the available mask that is a little fiddly you'll have deal with channel 0 only enabled, channel 1 only enabled and both channels 0 and channel 1 enabled. Not too bad though as only 2 channels. =20 >=20 > > =20 > > > + __be32 tmp_buf[4] =3D { }; > > > =20 > > > ret =3D dlh_start_capture_and_read(st); > > > if (ret) > > > goto out; > > > =20 > > > + /* Nothing was checking masklength vs ARRAY_SIZE(tmp_buf)? */ =20 > >=20 > > Not needed but no way a compiler could know that. > > =20 > > > + if (WARN_ON_ONCE(indio_dev->masklength > ARRAY_SIZE(tmp_buf))) > > > + goto out; > > > + > > > for_each_set_bit(chn, indio_dev->active_scan_mask, =20 > >=20 > > This is all a bit pointless if not 'wrong' other than the > > 4th byte uninitialized part. The limit can be hard coded as 2 as > > that's a characteristic of this driver. > >=20 > > For device that always read a particular set of channels they > > should provide indio_dev->available_scan_masks =3D { BIT(1) | BIT(0), 0= }; > > and then always push all the data making this always > >=20 > > memcpy(&tmp_buf[0], &st->rx_buf[1], 3); > > mempcy(&tmp_buf[1], &st->rx_buf[1] + 3, 3); =20 >=20 > Okay, so this could be unrolled manually to check just for bits 0 and 1? Ideally it wouldn't check them - the hardwork has been done to read both channels anyway and the IIO core handles userspace or in kernel consumers that want a subset of what is enabled, but that needs the available_scan_ma= sks to be set so that the IIO core knows all channels always enabled. >=20 > >=20 > > The buffer demux code in the IIO core will deal with repacking the data > > if only one channel is enabled. > > =20 > > > indio_dev->masklength) { > > > - memcpy(tmp_buf + i, > > > + /* This is copying 3 bytes. What about the 4th? */ > > > + memcpy(&tmp_buf[i], > > > &st->rx_buf[1] + chn * DLH_NUM_DATA_BYTES, > > > DLH_NUM_DATA_BYTES); > > > i++; > > > } > > > =20 > > > + /* How do we know the iio buffer_list has only 2 items? */ =20 > >=20 > > Can only include items from the channels array at indexes up to the max > > scan_index in there, so 0 and 1 in this case (1 might not be present if= only > > one channel is enabled). Sizes (and alignment) are given by storagebits= so > > 4 bytes for each. =20 >=20 > This code pattern seems repeated through all of iio, so I guess we'll > leave it as-is. It seems like it'd be nice to have a "length" argument > to iio_push_to_buffers(), just to sanity check, but that would need to > be a pretty large patch. :P yeah. Hindsight! We could add it in an incremental fashion though iio_push_to_bufs(struct iio_dev *indio_dev, void *buf, size_t buf_len) with a length parameter. The oddity that is iio_push_to_buffers_with_timestamp() would benefit here as that needs a bigger buffer than immediately apparent in the driver and we've had a few bugs around that over the years. It would probably be a one way check. I might have a play and see how useful this would be. >=20 > > =20 > > > iio_push_to_buffers(indio_dev, tmp_buf); > > > =20 > > > out: =20 >=20 > Thanks for looking at this! >=20 > -Kees >=20