From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-17.6 required=3.0 tests=BAYES_00,DKIM_INVALID, DKIM_SIGNED,HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_PATCH,MAILING_LIST_MULTI, MENTIONS_GIT_HOSTING,SIGNED_OFF_BY,SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED, USER_AGENT_GIT autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 15F82C433E2 for ; Tue, 8 Sep 2020 18:11:59 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id B871420759 for ; Tue, 8 Sep 2020 18:11:58 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=fail reason="signature verification failed" (2048-bit key) header.d=sior-be.20150623.gappssmtp.com header.i=@sior-be.20150623.gappssmtp.com header.b="GRWuV3D+" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1731524AbgIHSL4 (ORCPT ); Tue, 8 Sep 2020 14:11:56 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:47032 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727088AbgIHSLj (ORCPT ); Tue, 8 Sep 2020 14:11:39 -0400 Received: from mail-ej1-x641.google.com (mail-ej1-x641.google.com [IPv6:2a00:1450:4864:20::641]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 9C9A5C061573 for ; Tue, 8 Sep 2020 11:11:38 -0700 (PDT) Received: by mail-ej1-x641.google.com with SMTP id j11so23982593ejk.0 for ; Tue, 08 Sep 2020 11:11:38 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sior-be.20150623.gappssmtp.com; s=20150623; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=2jeAKbPcMYL3zKYHWUAD80qBl6LQnPeUqzL2ybjhdJg=; b=GRWuV3D+NPs+O8PhfljngvbH+/zdl1IG8s+i5wlKJNll0vYKQc3oEZmRBq2GPksBfB KZqDXGLyapYUntSwXu7zK1WBhKrrjsmYheZ21l9UPvc2kysM5F4IbTnkh/il6rSNqwoL EdCab1UyiUXvyGG2hYYrI867vxh2q3cIXvimK6XSZJgxiaFUvNOV4Mln6uGZ2yinOj01 OpRJg968cPDL9fxOL2uFJCforjAmLjmTrsy4/frYWGR4IaBF8bCZ7fGBT6ABNkJ4qWa/ 8rXZp3U0TvvLv7/t94dXEBoHvAfxre9JV3R14nppWYwCg8WRqahVi/+t1FDgtIafF0Al PATg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=2jeAKbPcMYL3zKYHWUAD80qBl6LQnPeUqzL2ybjhdJg=; b=gCoFK2IkkpV/JReSOulyxJFre0xRSleCvZmyI0tMvPba7vy2x4GnSS4S8NZRswlAbi TOLSdrKlHZ3VeJdkPSqKI5nZFMq4E7K5KFuEvx1Cign3BwZeKdNbiBG50T9MRHz5xbdT 0XyxXjK03v3hZHtmbf7WABECzzLcDI2xRRNg0Ol94o/TJqvb17BdMhXMcesxX1j2l8fy dDEK3FbtO8/h+Ws0SRtcIBq3gwkM9Yl52al674bKr5WZmX1oCqKy7ZLK26DAc3NgMlfB Wjo4bRciPN6JyYfgUMgflPeFwwfNs9VJq9eccr0j0gnZwk7ORk+VDsKJ3xtVgwuBA/3J joGQ== X-Gm-Message-State: AOAM531sF5OQwJKgmXKLcGUVk4yFkfjwx4YfBQ8OSDv5062VO0d6X+W7 wy+1O4lEjAiSBzKWP4xgUljC3g== X-Google-Smtp-Source: ABdhPJzXcxEi0aj0yBJLuuB4LmRVp2OUfbxb1m0J1V/0WroShEQJp8UGXqXJyJVSx6nGyPsh9AglWA== X-Received: by 2002:a17:906:3552:: with SMTP id s18mr26864500eja.23.1599588697308; Tue, 08 Sep 2020 11:11:37 -0700 (PDT) Received: from aws.localdomain ([94.107.139.190]) by smtp.gmail.com with ESMTPSA id g20sm16127ejx.12.2020.09.08.11.11.36 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 08 Sep 2020 11:11:36 -0700 (PDT) From: Alejandro Sior Cc: Alejandro Sior , Zhenyu Wang , Zhi Wang , Jani Nikula , Joonas Lahtinen , Rodrigo Vivi , David Airlie , Daniel Vetter , intel-gvt-dev@lists.freedesktop.org, intel-gfx@lists.freedesktop.org, dri-devel@lists.freedesktop.org, linux-kernel@vger.kernel.org Subject: [Intel-gfx][PATCH v2] drm/i915/gvt: Prevent NULL pointer dereference in intel_vgpu_reg_rw_edid() Date: Tue, 8 Sep 2020 20:11:21 +0200 Message-Id: <20200908181122.9100-1-aho@sior.be> X-Mailer: git-send-email 2.28.0 In-Reply-To: <743818af-fa38-e31a-1780-84a6a7e72e25@web.de> References: <743818af-fa38-e31a-1780-84a6a7e72e25@web.de> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit To: unlisted-recipients:; (no To-header on input) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org In the function intel_vgpu_reg_rw_edid of kvmgt.c, pos can be equal to NULL for GPUs that do not properly support EDID. In those cases, when pos gets passed to the handle_edid functions, it gets added a short offset then it's dereferenced in memcpy's, leading to NULL pointer dereference kernel oops. More concretely, that kernel oops renders some Broadwell GPUs users unable to set up virtual machines with virtual GPU passthrough (virtual machines hang indefinitely when trying to make use of the virtual GPU), and make them unable to remove the virtual GPUs once the kernel oops has happened (it hangs indefinitely, and notably too when the kernel tries to shutdown). The issues that this causes and steps to reproduce are discussed in more details in this github issue post: https://github.com/intel/gvt-linux/issues/170#issuecomment-685806160 Check if pos is equal to NULL, and if it is, set ret to a negative value, making the module simply indicate that the access to EDID region has failed, without any fatal repercussion. Signed-off-by: Alejandro Sior --- Changes in v2: - removed middle name of author to comply with git name - rephrased the patch description with imperative phrasing - removed useless paragraph - made a paragraph more concise - fixed typos - made individual lines shorter than 75 chars drivers/gpu/drm/i915/gvt/kvmgt.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/gpu/drm/i915/gvt/kvmgt.c b/drivers/gpu/drm/i915/gvt/kvmgt.c index ad8a9df49f29..49163363ba4a 100644 --- a/drivers/gpu/drm/i915/gvt/kvmgt.c +++ b/drivers/gpu/drm/i915/gvt/kvmgt.c @@ -557,7 +557,9 @@ static size_t intel_vgpu_reg_rw_edid(struct intel_vgpu *vgpu, char *buf, (struct vfio_edid_region *)kvmgt_vdev(vgpu)->region[i].data; loff_t pos = *ppos & VFIO_PCI_OFFSET_MASK; - if (pos < region->vfio_edid_regs.edid_offset) { + if (pos == NULL) { + ret = -EINVAL; + } else if (pos < region->vfio_edid_regs.edid_offset) { ret = handle_edid_regs(vgpu, region, buf, count, pos, iswrite); } else { pos -= EDID_BLOB_OFFSET; -- 2.28.0 From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-17.6 required=3.0 tests=BAYES_00,DKIM_INVALID, DKIM_SIGNED,HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_PATCH,MAILING_LIST_MULTI, MENTIONS_GIT_HOSTING,SIGNED_OFF_BY,SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED, USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 18AF3C433E2 for ; Tue, 8 Sep 2020 18:11:42 +0000 (UTC) Received: from gabe.freedesktop.org (gabe.freedesktop.org [131.252.210.177]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id 54A4C20759 for ; Tue, 8 Sep 2020 18:11:41 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=fail reason="signature verification failed" (2048-bit key) header.d=sior-be.20150623.gappssmtp.com header.i=@sior-be.20150623.gappssmtp.com header.b="GRWuV3D+" DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 54A4C20759 Authentication-Results: mail.kernel.org; dmarc=none (p=none dis=none) header.from=sior.be Authentication-Results: mail.kernel.org; spf=none smtp.mailfrom=dri-devel-bounces@lists.freedesktop.org Received: from gabe.freedesktop.org (localhost [127.0.0.1]) by gabe.freedesktop.org (Postfix) with ESMTP id 523F56E891; Tue, 8 Sep 2020 18:11:40 +0000 (UTC) Received: from mail-ej1-x641.google.com (mail-ej1-x641.google.com [IPv6:2a00:1450:4864:20::641]) by gabe.freedesktop.org (Postfix) with ESMTPS id A626C6E886 for ; Tue, 8 Sep 2020 18:11:38 +0000 (UTC) Received: by mail-ej1-x641.google.com with SMTP id u21so390563eja.2 for ; Tue, 08 Sep 2020 11:11:38 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sior-be.20150623.gappssmtp.com; s=20150623; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=2jeAKbPcMYL3zKYHWUAD80qBl6LQnPeUqzL2ybjhdJg=; b=GRWuV3D+NPs+O8PhfljngvbH+/zdl1IG8s+i5wlKJNll0vYKQc3oEZmRBq2GPksBfB KZqDXGLyapYUntSwXu7zK1WBhKrrjsmYheZ21l9UPvc2kysM5F4IbTnkh/il6rSNqwoL EdCab1UyiUXvyGG2hYYrI867vxh2q3cIXvimK6XSZJgxiaFUvNOV4Mln6uGZ2yinOj01 OpRJg968cPDL9fxOL2uFJCforjAmLjmTrsy4/frYWGR4IaBF8bCZ7fGBT6ABNkJ4qWa/ 8rXZp3U0TvvLv7/t94dXEBoHvAfxre9JV3R14nppWYwCg8WRqahVi/+t1FDgtIafF0Al PATg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=2jeAKbPcMYL3zKYHWUAD80qBl6LQnPeUqzL2ybjhdJg=; b=rXc6OYNsq9FeJu8r53/YnALaRBoOwUsJMWJCxdVgYOv9otR8fNCKgQeH/osLEp5J4J 2s5P0DeDQm8r7HyhinB41ZH9I9KT14MNf7tAdqA8aYYNE/5t85afSQmlNm7rLIDc2sOT EK8JHe3HNxJkYI82Xps4GXNPlte7DkBPL8RgNKuC2NdWDSYiRJ0nqAuPOhy/rPmVJPmP ndFjbkqZsz1PTeN4elCtVf06bWyoYb5Q589aFS4bfpMzOGTRqGYJ5Z9MA8k77bxnAnqX +KS2sXBYzuH+/dkaAv1OPlYAazEhhgSlW4y0hJuhmPD9W/fTiwC7FkzLe67fn+0/yx2S H8mQ== X-Gm-Message-State: AOAM533WScohNC37UGeQuv5Be9UZNHI8/9FEsOyxTcA8xhi/grWVqj1o 8MK5bUB60Bv5hc6E643JGXLi2g== X-Google-Smtp-Source: ABdhPJzXcxEi0aj0yBJLuuB4LmRVp2OUfbxb1m0J1V/0WroShEQJp8UGXqXJyJVSx6nGyPsh9AglWA== X-Received: by 2002:a17:906:3552:: with SMTP id s18mr26864500eja.23.1599588697308; Tue, 08 Sep 2020 11:11:37 -0700 (PDT) Received: from aws.localdomain ([94.107.139.190]) by smtp.gmail.com with ESMTPSA id g20sm16127ejx.12.2020.09.08.11.11.36 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 08 Sep 2020 11:11:36 -0700 (PDT) From: Alejandro Sior To: Subject: [Intel-gfx][PATCH v2] drm/i915/gvt: Prevent NULL pointer dereference in intel_vgpu_reg_rw_edid() Date: Tue, 8 Sep 2020 20:11:21 +0200 Message-Id: <20200908181122.9100-1-aho@sior.be> X-Mailer: git-send-email 2.28.0 In-Reply-To: <743818af-fa38-e31a-1780-84a6a7e72e25@web.de> References: <743818af-fa38-e31a-1780-84a6a7e72e25@web.de> MIME-Version: 1.0 X-BeenThere: dri-devel@lists.freedesktop.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Direct Rendering Infrastructure - Development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: dri-devel@lists.freedesktop.org, David Airlie , intel-gfx@lists.freedesktop.org, linux-kernel@vger.kernel.org, Alejandro Sior , Rodrigo Vivi , intel-gvt-dev@lists.freedesktop.org, Zhi Wang Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: dri-devel-bounces@lists.freedesktop.org Sender: "dri-devel" In the function intel_vgpu_reg_rw_edid of kvmgt.c, pos can be equal to NULL for GPUs that do not properly support EDID. In those cases, when pos gets passed to the handle_edid functions, it gets added a short offset then it's dereferenced in memcpy's, leading to NULL pointer dereference kernel oops. More concretely, that kernel oops renders some Broadwell GPUs users unable to set up virtual machines with virtual GPU passthrough (virtual machines hang indefinitely when trying to make use of the virtual GPU), and make them unable to remove the virtual GPUs once the kernel oops has happened (it hangs indefinitely, and notably too when the kernel tries to shutdown). The issues that this causes and steps to reproduce are discussed in more details in this github issue post: https://github.com/intel/gvt-linux/issues/170#issuecomment-685806160 Check if pos is equal to NULL, and if it is, set ret to a negative value, making the module simply indicate that the access to EDID region has failed, without any fatal repercussion. Signed-off-by: Alejandro Sior --- Changes in v2: - removed middle name of author to comply with git name - rephrased the patch description with imperative phrasing - removed useless paragraph - made a paragraph more concise - fixed typos - made individual lines shorter than 75 chars drivers/gpu/drm/i915/gvt/kvmgt.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/gpu/drm/i915/gvt/kvmgt.c b/drivers/gpu/drm/i915/gvt/kvmgt.c index ad8a9df49f29..49163363ba4a 100644 --- a/drivers/gpu/drm/i915/gvt/kvmgt.c +++ b/drivers/gpu/drm/i915/gvt/kvmgt.c @@ -557,7 +557,9 @@ static size_t intel_vgpu_reg_rw_edid(struct intel_vgpu *vgpu, char *buf, (struct vfio_edid_region *)kvmgt_vdev(vgpu)->region[i].data; loff_t pos = *ppos & VFIO_PCI_OFFSET_MASK; - if (pos < region->vfio_edid_regs.edid_offset) { + if (pos == NULL) { + ret = -EINVAL; + } else if (pos < region->vfio_edid_regs.edid_offset) { ret = handle_edid_regs(vgpu, region, buf, count, pos, iswrite); } else { pos -= EDID_BLOB_OFFSET; -- 2.28.0 _______________________________________________ dri-devel mailing list dri-devel@lists.freedesktop.org https://lists.freedesktop.org/mailman/listinfo/dri-devel From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-17.6 required=3.0 tests=BAYES_00,DKIM_INVALID, DKIM_SIGNED,HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_PATCH,MAILING_LIST_MULTI, MENTIONS_GIT_HOSTING,SIGNED_OFF_BY,SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED, USER_AGENT_GIT autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id BA951C43461 for ; Tue, 8 Sep 2020 18:11:45 +0000 (UTC) Received: from gabe.freedesktop.org (gabe.freedesktop.org [131.252.210.177]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id EE61B20759 for ; Tue, 8 Sep 2020 18:11:44 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=fail reason="signature verification failed" (2048-bit key) header.d=sior-be.20150623.gappssmtp.com header.i=@sior-be.20150623.gappssmtp.com header.b="GRWuV3D+" DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org EE61B20759 Authentication-Results: mail.kernel.org; dmarc=none (p=none dis=none) header.from=sior.be Authentication-Results: mail.kernel.org; spf=none smtp.mailfrom=intel-gfx-bounces@lists.freedesktop.org Received: from gabe.freedesktop.org (localhost [127.0.0.1]) by gabe.freedesktop.org (Postfix) with ESMTP id A7C106E890; Tue, 8 Sep 2020 18:11:40 +0000 (UTC) Received: from mail-ej1-x641.google.com (mail-ej1-x641.google.com [IPv6:2a00:1450:4864:20::641]) by gabe.freedesktop.org (Postfix) with ESMTPS id AE0576E890 for ; Tue, 8 Sep 2020 18:11:38 +0000 (UTC) Received: by mail-ej1-x641.google.com with SMTP id nw23so23888304ejb.4 for ; Tue, 08 Sep 2020 11:11:38 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sior-be.20150623.gappssmtp.com; s=20150623; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=2jeAKbPcMYL3zKYHWUAD80qBl6LQnPeUqzL2ybjhdJg=; b=GRWuV3D+NPs+O8PhfljngvbH+/zdl1IG8s+i5wlKJNll0vYKQc3oEZmRBq2GPksBfB KZqDXGLyapYUntSwXu7zK1WBhKrrjsmYheZ21l9UPvc2kysM5F4IbTnkh/il6rSNqwoL EdCab1UyiUXvyGG2hYYrI867vxh2q3cIXvimK6XSZJgxiaFUvNOV4Mln6uGZ2yinOj01 OpRJg968cPDL9fxOL2uFJCforjAmLjmTrsy4/frYWGR4IaBF8bCZ7fGBT6ABNkJ4qWa/ 8rXZp3U0TvvLv7/t94dXEBoHvAfxre9JV3R14nppWYwCg8WRqahVi/+t1FDgtIafF0Al PATg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=2jeAKbPcMYL3zKYHWUAD80qBl6LQnPeUqzL2ybjhdJg=; b=Pm7oc9w7gwUU4xXHSCda6HNNv0Y7NPqXcn8Mz24IJpr8ByUZP9vZk18rY1PvCdx28i QnRx1oiz8xRr9zagXZIOFMWUFa39+DSgQhDGiUEzddFlwzAGd+wwnb7KD/iXQu8cxiG5 /mANvyWOxMq3WaiuR0A/PoJHIFuIQiV3GEjVGV8WZ4HjF+5WmDnxb2lRqMHGM9qWtgPM lqm80POjk8f3gjupq0UO1Xc5+e2ZxmtueShSRPhnhoAI5m4GnI3KivV18WJnGgU+cCh9 i7EUPT0vUaZw4jeX/YR0t8LDMirfGBAoEyQPxV4QRDyvIaeoRKYuUc94TCX+wI0PyDqo YGPQ== X-Gm-Message-State: AOAM532+BxTA13AKhis7z7WdNHS8A8WNHkZj0pUr/kmpdBHPCfLayzfx Y4oazISBW9zGpehGAKWIpAusMw== X-Google-Smtp-Source: ABdhPJzXcxEi0aj0yBJLuuB4LmRVp2OUfbxb1m0J1V/0WroShEQJp8UGXqXJyJVSx6nGyPsh9AglWA== X-Received: by 2002:a17:906:3552:: with SMTP id s18mr26864500eja.23.1599588697308; Tue, 08 Sep 2020 11:11:37 -0700 (PDT) Received: from aws.localdomain ([94.107.139.190]) by smtp.gmail.com with ESMTPSA id g20sm16127ejx.12.2020.09.08.11.11.36 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 08 Sep 2020 11:11:36 -0700 (PDT) From: Alejandro Sior To: Date: Tue, 8 Sep 2020 20:11:21 +0200 Message-Id: <20200908181122.9100-1-aho@sior.be> X-Mailer: git-send-email 2.28.0 In-Reply-To: <743818af-fa38-e31a-1780-84a6a7e72e25@web.de> References: <743818af-fa38-e31a-1780-84a6a7e72e25@web.de> MIME-Version: 1.0 Subject: [Intel-gfx] [PATCH v2] drm/i915/gvt: Prevent NULL pointer dereference in intel_vgpu_reg_rw_edid() X-BeenThere: intel-gfx@lists.freedesktop.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Intel graphics driver community testing & development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: dri-devel@lists.freedesktop.org, David Airlie , intel-gfx@lists.freedesktop.org, linux-kernel@vger.kernel.org, intel-gvt-dev@lists.freedesktop.org Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: intel-gfx-bounces@lists.freedesktop.org Sender: "Intel-gfx" In the function intel_vgpu_reg_rw_edid of kvmgt.c, pos can be equal to NULL for GPUs that do not properly support EDID. In those cases, when pos gets passed to the handle_edid functions, it gets added a short offset then it's dereferenced in memcpy's, leading to NULL pointer dereference kernel oops. More concretely, that kernel oops renders some Broadwell GPUs users unable to set up virtual machines with virtual GPU passthrough (virtual machines hang indefinitely when trying to make use of the virtual GPU), and make them unable to remove the virtual GPUs once the kernel oops has happened (it hangs indefinitely, and notably too when the kernel tries to shutdown). The issues that this causes and steps to reproduce are discussed in more details in this github issue post: https://github.com/intel/gvt-linux/issues/170#issuecomment-685806160 Check if pos is equal to NULL, and if it is, set ret to a negative value, making the module simply indicate that the access to EDID region has failed, without any fatal repercussion. Signed-off-by: Alejandro Sior --- Changes in v2: - removed middle name of author to comply with git name - rephrased the patch description with imperative phrasing - removed useless paragraph - made a paragraph more concise - fixed typos - made individual lines shorter than 75 chars drivers/gpu/drm/i915/gvt/kvmgt.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/gpu/drm/i915/gvt/kvmgt.c b/drivers/gpu/drm/i915/gvt/kvmgt.c index ad8a9df49f29..49163363ba4a 100644 --- a/drivers/gpu/drm/i915/gvt/kvmgt.c +++ b/drivers/gpu/drm/i915/gvt/kvmgt.c @@ -557,7 +557,9 @@ static size_t intel_vgpu_reg_rw_edid(struct intel_vgpu *vgpu, char *buf, (struct vfio_edid_region *)kvmgt_vdev(vgpu)->region[i].data; loff_t pos = *ppos & VFIO_PCI_OFFSET_MASK; - if (pos < region->vfio_edid_regs.edid_offset) { + if (pos == NULL) { + ret = -EINVAL; + } else if (pos < region->vfio_edid_regs.edid_offset) { ret = handle_edid_regs(vgpu, region, buf, count, pos, iswrite); } else { pos -= EDID_BLOB_OFFSET; -- 2.28.0 _______________________________________________ Intel-gfx mailing list Intel-gfx@lists.freedesktop.org https://lists.freedesktop.org/mailman/listinfo/intel-gfx