From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Sasha Levin <sashal@kernel.org>,
dri-devel@lists.freedesktop.org,
Javier Martinez Canillas <javierm@redhat.com>,
Peter Robinson <pbrobinson@gmail.com>,
Thomas Zimmermann <tzimmermann@suse.de>
Subject: [PATCH AUTOSEL 5.15 03/25] drm: Prevent drm_copy_field() to attempt copying a NULL pointer
Date: Sun, 9 Oct 2022 19:54:03 -0400 [thread overview]
Message-ID: <20221009235426.1231313-3-sashal@kernel.org> (raw)
In-Reply-To: <20221009235426.1231313-1-sashal@kernel.org>
From: Javier Martinez Canillas <javierm@redhat.com>
[ Upstream commit f6ee30407e883042482ad4ad30da5eaba47872ee ]
There are some struct drm_driver fields that are required by drivers since
drm_copy_field() attempts to copy them to user-space via DRM_IOCTL_VERSION.
But it can be possible that a driver has a bug and did not set some of the
fields, which leads to drm_copy_field() attempting to copy a NULL pointer:
[ +10.395966] Unable to handle kernel access to user memory outside uaccess routines at virtual address 0000000000000000
[ +0.010955] Mem abort info:
[ +0.002835] ESR = 0x0000000096000004
[ +0.003872] EC = 0x25: DABT (current EL), IL = 32 bits
[ +0.005395] SET = 0, FnV = 0
[ +0.003113] EA = 0, S1PTW = 0
[ +0.003182] FSC = 0x04: level 0 translation fault
[ +0.004964] Data abort info:
[ +0.002919] ISV = 0, ISS = 0x00000004
[ +0.003886] CM = 0, WnR = 0
[ +0.003040] user pgtable: 4k pages, 48-bit VAs, pgdp=0000000115dad000
[ +0.006536] [0000000000000000] pgd=0000000000000000, p4d=0000000000000000
[ +0.006925] Internal error: Oops: 96000004 [#1] SMP
...
[ +0.011113] pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[ +0.007061] pc : __pi_strlen+0x14/0x150
[ +0.003895] lr : drm_copy_field+0x30/0x1a4
[ +0.004156] sp : ffff8000094b3a50
[ +0.003355] x29: ffff8000094b3a50 x28: ffff8000094b3b70 x27: 0000000000000040
[ +0.007242] x26: ffff443743c2ba00 x25: 0000000000000000 x24: 0000000000000040
[ +0.007243] x23: ffff443743c2ba00 x22: ffff8000094b3b70 x21: 0000000000000000
[ +0.007241] x20: 0000000000000000 x19: ffff8000094b3b90 x18: 0000000000000000
[ +0.007241] x17: 0000000000000000 x16: 0000000000000000 x15: 0000aaab14b9af40
[ +0.007241] x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000
[ +0.007239] x11: 0000000000000000 x10: 0000000000000000 x9 : ffffa524ad67d4d8
[ +0.007242] x8 : 0101010101010101 x7 : 7f7f7f7f7f7f7f7f x6 : 6c6e6263606e7141
[ +0.007239] x5 : 0000000000000000 x4 : 0000000000000000 x3 : 0000000000000000
[ +0.007241] x2 : 0000000000000000 x1 : ffff8000094b3b90 x0 : 0000000000000000
[ +0.007240] Call trace:
[ +0.002475] __pi_strlen+0x14/0x150
[ +0.003537] drm_version+0x84/0xac
[ +0.003448] drm_ioctl_kernel+0xa8/0x16c
[ +0.003975] drm_ioctl+0x270/0x580
[ +0.003448] __arm64_sys_ioctl+0xb8/0xfc
[ +0.003978] invoke_syscall+0x78/0x100
[ +0.003799] el0_svc_common.constprop.0+0x4c/0xf4
[ +0.004767] do_el0_svc+0x38/0x4c
[ +0.003357] el0_svc+0x34/0x100
[ +0.003185] el0t_64_sync_handler+0x11c/0x150
[ +0.004418] el0t_64_sync+0x190/0x194
[ +0.003716] Code: 92402c04 b200c3e8 f13fc09f 5400088c (a9400c02)
[ +0.006180] ---[ end trace 0000000000000000 ]---
Reported-by: Peter Robinson <pbrobinson@gmail.com>
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
Acked-by: Thomas Zimmermann <tzimmermann@suse.de>
Link: https://patchwork.freedesktop.org/patch/msgid/20220705100215.572498-3-javierm@redhat.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/drm_ioctl.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/drivers/gpu/drm/drm_ioctl.c b/drivers/gpu/drm/drm_ioctl.c
index 5669c6cf7135..fb5e6f86dea2 100644
--- a/drivers/gpu/drm/drm_ioctl.c
+++ b/drivers/gpu/drm/drm_ioctl.c
@@ -474,6 +474,12 @@ static int drm_copy_field(char __user *buf, size_t *buf_len, const char *value)
{
size_t len;
+ /* don't attempt to copy a NULL pointer */
+ if (WARN_ONCE(!value, "BUG: the value to copy was not set!")) {
+ *buf_len = 0;
+ return 0;
+ }
+
/* don't overflow userbuf */
len = strlen(value);
if (len > *buf_len)
--
2.35.1
WARNING: multiple messages have this Message-ID (diff)
From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Javier Martinez Canillas <javierm@redhat.com>,
Peter Robinson <pbrobinson@gmail.com>,
Thomas Zimmermann <tzimmermann@suse.de>,
Sasha Levin <sashal@kernel.org>,
maarten.lankhorst@linux.intel.com, mripard@kernel.org,
airlied@gmail.com, daniel@ffwll.ch,
dri-devel@lists.freedesktop.org
Subject: [PATCH AUTOSEL 5.15 03/25] drm: Prevent drm_copy_field() to attempt copying a NULL pointer
Date: Sun, 9 Oct 2022 19:54:03 -0400 [thread overview]
Message-ID: <20221009235426.1231313-3-sashal@kernel.org> (raw)
In-Reply-To: <20221009235426.1231313-1-sashal@kernel.org>
From: Javier Martinez Canillas <javierm@redhat.com>
[ Upstream commit f6ee30407e883042482ad4ad30da5eaba47872ee ]
There are some struct drm_driver fields that are required by drivers since
drm_copy_field() attempts to copy them to user-space via DRM_IOCTL_VERSION.
But it can be possible that a driver has a bug and did not set some of the
fields, which leads to drm_copy_field() attempting to copy a NULL pointer:
[ +10.395966] Unable to handle kernel access to user memory outside uaccess routines at virtual address 0000000000000000
[ +0.010955] Mem abort info:
[ +0.002835] ESR = 0x0000000096000004
[ +0.003872] EC = 0x25: DABT (current EL), IL = 32 bits
[ +0.005395] SET = 0, FnV = 0
[ +0.003113] EA = 0, S1PTW = 0
[ +0.003182] FSC = 0x04: level 0 translation fault
[ +0.004964] Data abort info:
[ +0.002919] ISV = 0, ISS = 0x00000004
[ +0.003886] CM = 0, WnR = 0
[ +0.003040] user pgtable: 4k pages, 48-bit VAs, pgdp=0000000115dad000
[ +0.006536] [0000000000000000] pgd=0000000000000000, p4d=0000000000000000
[ +0.006925] Internal error: Oops: 96000004 [#1] SMP
...
[ +0.011113] pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[ +0.007061] pc : __pi_strlen+0x14/0x150
[ +0.003895] lr : drm_copy_field+0x30/0x1a4
[ +0.004156] sp : ffff8000094b3a50
[ +0.003355] x29: ffff8000094b3a50 x28: ffff8000094b3b70 x27: 0000000000000040
[ +0.007242] x26: ffff443743c2ba00 x25: 0000000000000000 x24: 0000000000000040
[ +0.007243] x23: ffff443743c2ba00 x22: ffff8000094b3b70 x21: 0000000000000000
[ +0.007241] x20: 0000000000000000 x19: ffff8000094b3b90 x18: 0000000000000000
[ +0.007241] x17: 0000000000000000 x16: 0000000000000000 x15: 0000aaab14b9af40
[ +0.007241] x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000
[ +0.007239] x11: 0000000000000000 x10: 0000000000000000 x9 : ffffa524ad67d4d8
[ +0.007242] x8 : 0101010101010101 x7 : 7f7f7f7f7f7f7f7f x6 : 6c6e6263606e7141
[ +0.007239] x5 : 0000000000000000 x4 : 0000000000000000 x3 : 0000000000000000
[ +0.007241] x2 : 0000000000000000 x1 : ffff8000094b3b90 x0 : 0000000000000000
[ +0.007240] Call trace:
[ +0.002475] __pi_strlen+0x14/0x150
[ +0.003537] drm_version+0x84/0xac
[ +0.003448] drm_ioctl_kernel+0xa8/0x16c
[ +0.003975] drm_ioctl+0x270/0x580
[ +0.003448] __arm64_sys_ioctl+0xb8/0xfc
[ +0.003978] invoke_syscall+0x78/0x100
[ +0.003799] el0_svc_common.constprop.0+0x4c/0xf4
[ +0.004767] do_el0_svc+0x38/0x4c
[ +0.003357] el0_svc+0x34/0x100
[ +0.003185] el0t_64_sync_handler+0x11c/0x150
[ +0.004418] el0t_64_sync+0x190/0x194
[ +0.003716] Code: 92402c04 b200c3e8 f13fc09f 5400088c (a9400c02)
[ +0.006180] ---[ end trace 0000000000000000 ]---
Reported-by: Peter Robinson <pbrobinson@gmail.com>
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
Acked-by: Thomas Zimmermann <tzimmermann@suse.de>
Link: https://patchwork.freedesktop.org/patch/msgid/20220705100215.572498-3-javierm@redhat.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/drm_ioctl.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/drivers/gpu/drm/drm_ioctl.c b/drivers/gpu/drm/drm_ioctl.c
index 5669c6cf7135..fb5e6f86dea2 100644
--- a/drivers/gpu/drm/drm_ioctl.c
+++ b/drivers/gpu/drm/drm_ioctl.c
@@ -474,6 +474,12 @@ static int drm_copy_field(char __user *buf, size_t *buf_len, const char *value)
{
size_t len;
+ /* don't attempt to copy a NULL pointer */
+ if (WARN_ONCE(!value, "BUG: the value to copy was not set!")) {
+ *buf_len = 0;
+ return 0;
+ }
+
/* don't overflow userbuf */
len = strlen(value);
if (len > *buf_len)
--
2.35.1
next prev parent reply other threads:[~2022-10-09 23:54 UTC|newest]
Thread overview: 57+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-10-09 23:54 [PATCH AUTOSEL 5.15 01/25] drm/nouveau/nouveau_bo: fix potential memory leak in nouveau_bo_alloc() Sasha Levin
2022-10-09 23:54 ` Sasha Levin
2022-10-09 23:54 ` [Nouveau] " Sasha Levin
2022-10-09 23:54 ` [PATCH AUTOSEL 5.15 02/25] drm: Use size_t type for len variable in drm_copy_field() Sasha Levin
2022-10-09 23:54 ` Sasha Levin
2022-10-09 23:54 ` Sasha Levin [this message]
2022-10-09 23:54 ` [PATCH AUTOSEL 5.15 03/25] drm: Prevent drm_copy_field() to attempt copying a NULL pointer Sasha Levin
2022-10-09 23:54 ` [PATCH AUTOSEL 5.15 04/25] drm/komeda: Fix handling of atomic commits in the atomic_commit_tail hook Sasha Levin
2022-10-09 23:54 ` Sasha Levin
2022-10-09 23:54 ` [PATCH AUTOSEL 5.15 05/25] gpu: lontium-lt9611: Fix NULL pointer dereference in lt9611_connector_init() Sasha Levin
2022-10-09 23:54 ` Sasha Levin
2022-10-09 23:54 ` [PATCH AUTOSEL 5.15 06/25] drm/amd/display: fix overflow on MIN_I64 definition Sasha Levin
2022-10-09 23:54 ` Sasha Levin
2022-10-09 23:54 ` Sasha Levin
2022-10-09 23:54 ` [PATCH AUTOSEL 5.15 07/25] ALSA: usb-audio: Add quirk to enable Avid Mbox 3 support Sasha Levin
2022-10-09 23:54 ` Sasha Levin
2022-10-09 23:54 ` [PATCH AUTOSEL 5.15 08/25] udmabuf: Set ubuf->sg = NULL if the creation of sg table fails Sasha Levin
2022-10-09 23:54 ` Sasha Levin
2022-10-09 23:54 ` [PATCH AUTOSEL 5.15 09/25] drm: bridge: dw_hdmi: only trigger hotplug event on link change Sasha Levin
2022-10-09 23:54 ` Sasha Levin
2022-10-09 23:54 ` [PATCH AUTOSEL 5.15 10/25] drm: hide unregistered connectors from GETCONNECTOR IOCTL Sasha Levin
2022-10-09 23:54 ` Sasha Levin
2022-10-09 23:54 ` [PATCH AUTOSEL 5.15 11/25] ALSA: usb-audio: Register card at the last interface Sasha Levin
2022-10-09 23:54 ` Sasha Levin
2022-10-09 23:54 ` [PATCH AUTOSEL 5.15 12/25] drm/vc4: vec: Fix timings for VEC modes Sasha Levin
2022-10-09 23:54 ` Sasha Levin
2022-10-09 23:54 ` [PATCH AUTOSEL 5.15 13/25] ACPI: video: Change disable_backlight_sysfs_if quirks to acpi_backlight=native Sasha Levin
2022-10-10 7:36 ` Hans de Goede
2022-10-09 23:54 ` [PATCH AUTOSEL 5.15 14/25] drm: panel-orientation-quirks: Add quirk for Anbernic Win600 Sasha Levin
2022-10-09 23:54 ` Sasha Levin
2022-10-09 23:54 ` [PATCH AUTOSEL 5.15 15/25] platform/chrome: cros_ec: Notify the PM of wake events during resume Sasha Levin
2022-10-09 23:54 ` [PATCH AUTOSEL 5.15 16/25] platform/x86: msi-laptop: Change DMI match / alias strings to fix module autoloading Sasha Levin
2022-10-09 23:54 ` [PATCH AUTOSEL 5.15 17/25] ASoC: SOF: pci: Change DMI match info to support all Chrome platforms Sasha Levin
2022-10-09 23:54 ` Sasha Levin
2022-10-09 23:54 ` [PATCH AUTOSEL 5.15 18/25] drm/amdgpu: fix initial connector audio value Sasha Levin
2022-10-09 23:54 ` Sasha Levin
2022-10-09 23:54 ` Sasha Levin
2022-10-09 23:54 ` [PATCH AUTOSEL 5.15 19/25] drm/meson: reorder driver deinit sequence to fix use-after-free bug Sasha Levin
2022-10-09 23:54 ` Sasha Levin
2022-10-09 23:54 ` Sasha Levin
2022-10-09 23:54 ` Sasha Levin
2022-10-09 23:54 ` [PATCH AUTOSEL 5.15 20/25] drm/meson: explicitly remove aggregate driver at module unload time Sasha Levin
2022-10-09 23:54 ` Sasha Levin
2022-10-09 23:54 ` Sasha Levin
2022-10-09 23:54 ` Sasha Levin
2022-10-09 23:54 ` [PATCH AUTOSEL 5.15 21/25] drm/exynos: Fix return type for mixer_mode_valid and hdmi_mode_valid Sasha Levin
2022-10-09 23:54 ` Sasha Levin
2022-10-09 23:54 ` Sasha Levin
2022-10-09 23:54 ` [PATCH AUTOSEL 5.15 22/25] mmc: sdhci-msm: add compatible string check for sdm670 Sasha Levin
2022-10-09 23:54 ` [PATCH AUTOSEL 5.15 23/25] drm/dp: Don't rewrite link config when setting phy test pattern Sasha Levin
2022-10-09 23:54 ` Sasha Levin
2022-10-09 23:54 ` [PATCH AUTOSEL 5.15 24/25] drm/amd/display: Remove interface for periodic interrupt 1 Sasha Levin
2022-10-09 23:54 ` Sasha Levin
2022-10-09 23:54 ` Sasha Levin
2022-10-09 23:54 ` [PATCH AUTOSEL 5.15 25/25] drm/amd/display: fix array-bounds error in dc_stream_remove_writeback() Sasha Levin
2022-10-09 23:54 ` Sasha Levin
2022-10-09 23:54 ` Sasha Levin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20221009235426.1231313-3-sashal@kernel.org \
--to=sashal@kernel.org \
--cc=dri-devel@lists.freedesktop.org \
--cc=javierm@redhat.com \
--cc=linux-kernel@vger.kernel.org \
--cc=pbrobinson@gmail.com \
--cc=stable@vger.kernel.org \
--cc=tzimmermann@suse.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.