On Thu, Oct 7, 2021 at 8:11 PM Thierry Reding <thierry.reding@xxxxxxxxx> wrote:
>
> On Mon, Sep 27, 2021 at 02:41:40PM +0200, Arnd Bergmann wrote:
> > From: Arnd Bergmann <arnd@xxxxxxxx>
> >
> > Building the bpmp-debugfs driver for Arm results in a warning for stack usage:
> >
> > drivers/firmware/tegra/bpmp-debugfs.c:321:16: error: stack frame size of 1224 bytes in function 'bpmp_debug_store' [-Werror,-Wframe-larger-than=]
> > static ssize_t bpmp_debug_store(struct file *file, const char __user *buf,
> >
> > It should be possible to rearrange the code to not require two separate
> > buffers for the file name, but the easiest workaround is to use dynamic
> > allocation.
> >
> > Fixes: 5e37b9c137ee ("firmware: tegra: Add support for in-band debug")
> > Link: https://lore.kernel.org/all/20201204193714.3134651-1-arnd@xxxxxxxxxx/
> > Signed-off-by: Arnd Bergmann <arnd@xxxxxxxx>
> > ---
> > I sent this one in 2020 but got no reply. It still appears to be
> > required, please have a look.
> > ---
> > drivers/firmware/tegra/bpmp-debugfs.c | 16 +++++++++++-----
> > 1 file changed, 11 insertions(+), 5 deletions(-)
>
> If this is not a problem on 64-bit ARM, then perhaps we should add that
> as a dependency. BPMP is only available in Tegra210 and later, all of
> which are 64-bit.
>
> But dynamic allocation also doesn't sound that bad. This is debugfs
> support, after all, so shouldn't be in any fast path.
Right, it stays below the warning threshold on 64-bit kernels, but using this
much stack is still a bad idea, so fixing it in the driver seems better than
hiding it in Kconfig.
> > diff --git a/drivers/firmware/tegra/bpmp-debugfs.c b/drivers/firmware/tegra/bpmp-debugfs.c
> > index 3e9fa4b54358..f6888cee83ee 100644
> > --- a/drivers/firmware/tegra/bpmp-debugfs.c
> > +++ b/drivers/firmware/tegra/bpmp-debugfs.c
> > @@ -74,28 +74,34 @@ static void seqbuf_seek(struct seqbuf *seqbuf, ssize_t offset)
> > static const char *get_filename(struct tegra_bpmp *bpmp,
> > const struct file *file, char *buf, int size)
> > {
> > - char root_path_buf[512];
> > + char *root_path_buf;
> > const char *root_path;
> > - const char *filename;
> > + const char *filename = NULL;
> > size_t root_len;
> >
> > + root_path_buf = kzalloc(512, GFP_KERNEL);
> > + if (!root_path_buf)
> > + goto out;
> > +
> > root_path = dentry_path(bpmp->debugfs_mirror, root_path_buf,
> > sizeof(root_path_buf));
> > if (IS_ERR(root_path))
> > - return NULL;
> > + goto out;
> >
> > root_len = strlen(root_path);
> >
> > filename = dentry_path(file->f_path.dentry, buf, size);
> > if (IS_ERR(filename))
> > - return NULL;
> > + goto out;
>
> Shouldn't this and...
>
> > if (strlen(filename) < root_len ||
> > strncmp(filename, root_path, root_len))
> > - return NULL;
> > + goto out;
>
> this reset filename to NULL? All callers check for !filename as their
> error condition.
>
> I can fix that up as I apply this, but perhaps shout if you did this on
> purpose and it needs to stay this way.
Indeed, you are absolutely correct. Thanks for finding the bug
and offering to fix it.
Arnd
