[PATCH 1/2] drm/amdgpu: debugfs: fix error codes in write functions

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



There are two error code bugs here.  The copy_to/from_user() functions
return the number of bytes remaining (a positive number).  We should
return -EFAULT if the copy fails.

Second if we fail because "context.resp_status" is non-zero then return
-EINVAL instead of zero.

Fixes: e50d9ba0d2cd ("drm/amdgpu: Add debugfs TA load/unload/invoke support")
Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
---
There are a bunch of exit paths where copy_from_user() fails and this
function returns -EINVAL which is wrong as well.  If the copy fails it
should be -EFAULT.  If the data is bad, then -EINVAL.

 drivers/gpu/drm/amd/amdgpu/amdgpu_psp_ta.c | 20 ++++++++++++++------
 1 file changed, 14 insertions(+), 6 deletions(-)

diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_psp_ta.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_psp_ta.c
index 247a476e6354..32bcc20b9e3f 100644
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_psp_ta.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_psp_ta.c
@@ -159,9 +159,10 @@ static ssize_t ta_if_load_debugfs_write(struct file *fp, const char *buf, size_t
 	ta_bin = kzalloc(ta_bin_len, GFP_KERNEL);
 	if (!ta_bin)
 		ret = -ENOMEM;
-	ret = copy_from_user((void *)ta_bin, &buf[copy_pos], ta_bin_len);
-	if (ret)
+	if (copy_from_user((void *)ta_bin, &buf[copy_pos], ta_bin_len)) {
+		ret = -EFAULT;
 		goto err_free_bin;
+	}
 
 	ret = psp_ras_terminate(psp);
 	if (ret) {
@@ -180,11 +181,14 @@ static ssize_t ta_if_load_debugfs_write(struct file *fp, const char *buf, size_t
 	if (ret || context.resp_status) {
 		dev_err(adev->dev, "TA load via debugfs failed (%d) status %d\n",
 			 ret, context.resp_status);
+		if (!ret)
+			ret = -EINVAL;
 		goto err_free_bin;
 	}
 
 	context.initialized = true;
-	ret = copy_to_user((char *)buf, (void *)&context.session_id, sizeof(uint32_t));
+	if (copy_to_user((char *)buf, (void *)&context.session_id, sizeof(uint32_t)))
+		ret = -EFAULT;
 
 err_free_bin:
 	kfree(ta_bin);
@@ -251,9 +255,10 @@ static ssize_t ta_if_invoke_debugfs_write(struct file *fp, const char *buf, size
 	shared_buf = kzalloc(shared_buf_len, GFP_KERNEL);
 	if (!shared_buf)
 		ret = -ENOMEM;
-	ret = copy_from_user((void *)shared_buf, &buf[copy_pos], shared_buf_len);
-	if (ret)
+	if (copy_from_user((void *)shared_buf, &buf[copy_pos], shared_buf_len)) {
+		ret = -EFAULT;
 		goto err_free_shared_buf;
+	}
 
 	context.session_id = ta_id;
 
@@ -264,10 +269,13 @@ static ssize_t ta_if_invoke_debugfs_write(struct file *fp, const char *buf, size
 	if (ret || context.resp_status) {
 		dev_err(adev->dev, "TA invoke via debugfs failed (%d) status %d\n",
 			 ret, context.resp_status);
+		if (!ret)
+			ret = -EINVAL;
 		goto err_free_ta_shared_buf;
 	}
 
-	ret = copy_to_user((char *)buf, context.mem_context.shared_buf, shared_buf_len);
+	if (copy_to_user((char *)buf, context.mem_context.shared_buf, shared_buf_len))
+		ret = -EFAULT;
 
 err_free_ta_shared_buf:
 	psp_ta_free_shared_buf(&context.mem_context);
-- 
2.35.1




[Index of Archives]     [Linux DRI Users]     [Linux Intel Graphics]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]     [XFree86]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Linux Kernel]     [Linux SCSI]     [XFree86]
  Powered by Linux