Re: [PATCH] hpet: Support 32-bit userspace

From: He Zhe
Date: Thu Jun 06 2024 - 05:48:57 EST




On 2024/6/6 16:12, Arnd Bergmann wrote:
> On Thu, Jun 6, 2024, at 08:13, He Zhe wrote:
>> diff --git a/drivers/char/hpet.c b/drivers/char/hpet.c
>> index d51fc8321d41..025a5905a370 100644
>> --- a/drivers/char/hpet.c
>> +++ b/drivers/char/hpet.c
>> @@ -269,7 +269,8 @@ hpet_read(struct file *file, char __user *buf,
>> size_t count, loff_t * ppos)
>> if (!devp->hd_ireqfreq)
>> return -EIO;
>>
>> - if (count < sizeof(unsigned long))
>> + if ((sizeof(int) != sizeof(long) && count < sizeof(compat_ulong_t)) ||
>> + (sizeof(int) == sizeof(long) && count < sizeof(unsigned long)))
>> return -EINVAL;
>>
>> add_wait_queue(&devp->hd_waitqueue, &wait);
>> @@ -294,9 +295,15 @@ hpet_read(struct file *file, char __user *buf,
>> size_t count, loff_t * ppos)
>> schedule();
>> }
>>
>> - retval = put_user(data, (unsigned long __user *)buf);
>> - if (!retval)
>> - retval = sizeof(unsigned long);
>> + if (sizeof(int) != sizeof(long) && count == sizeof(compat_ulong_t)) {
>> + retval = put_user(data, (compat_ulong_t __user *)buf);
>> + if (!retval)
>> + retval = sizeof(compat_ulong_t);
>> + } else {
>> + retval = put_user(data, (unsigned long __user *)buf);
>> + if (!retval)
>> + retval = sizeof(unsigned long);
>> + }
> This does not look right: you are changing the behavior for
> both 32-bit and 64-bit mode, and now choose the output based
> on how many bytes userspace asked for. This has at least two
> problems:
>
> - if userspace asks for 5 to 7 bytes on a 64-bit kernel,
> it returns 8 bytes, overflowing the provided buffer.
> - when 32-bit userspace asks for 8 or more bytes, it
> gets 8 bytes instead of 4.
>
> Instead, you should check in_compat_syscall() to see
> which output matches the running task.

Thanks. I have should have known this helper.

v2 sent to address the above and below issues.

Regards,
Zhe

>
>> @@ -651,14 +658,23 @@ struct compat_hpet_info {
>> unsigned short hi_timer;
>> };
>>
>> +#define COMPAT_HPET_INFO _IOR('h', 0x03, struct compat_hpet_info)
>> +#define COMPAT_HPET_IRQFREQ _IOW('h', 0x6, compat_ulong_t)
> Right, it looks this was missing from my original change 54066a57c584
> ("hpet: kill BKL, add compat_ioctl").
>
> COMPAT_HPET_IRQFREQ should probably have a comment about the
> command code being wrong.
>
>> mutex_lock(&hpet_mutex);
>> - err = hpet_ioctl_common(file->private_data, cmd, arg, &info);
>> + err = hpet_ioctl_common(file->private_data, cmd, (unsigned
>> long)compat_ptr(arg), &info);
>> mutex_unlock(&hpet_mutex);
> While this works on x86, this is not a correct use of
> compat_ptr() on architectures that modify the pointer
> in compat_ptr(). Since HPET_INFO is the only one that
> passes a pointer and that one is handled separately,
> you should just drop the compat_ptr() conversion here.
>
> Arnd