From mboxrd@z Thu Jan 1 00:00:00 1970
Date: Thu, 08 Apr 2021 09:51:18 +0200
From: Takashi Iwai
To: Ville Syrjälä
Cc: Jani Nikula, Joonas Lahtinen, Rodrigo Vivi, intel-gfx@lists.freedesktop.org, linux-kernel@vger.kernel.org
Subject: Re: [Intel-gfx] [PATCH v2] drm/i915: Fix invalid access to ACPI _DSM objects
References: <20210402082317.871-1-tiwai@suse.de>

On Wed, 07 Apr 2021 23:28:48 +0200,
Ville Syrjälä wrote:
>
> On Wed, Apr 07, 2021 at 06:56:15PM +0200, Takashi Iwai wrote:
> > On Wed, 07 Apr 2021 18:34:46 +0200,
> > Ville Syrjälä wrote:
> > >
> > > On Fri, Apr 02, 2021 at 10:23:17AM +0200, Takashi Iwai wrote:
> > > > intel_dsm_platform_mux_info() tries to parse the ACPI package data
> > > > from _DSM for the debug information, but it assumes the fixed format
> > > > without checking what values are stored in the elements actually.
> > > > When an unexpected value is returned from BIOS, it may lead to GPF or
> > > > NULL dereference, as reported recently.
> > > >
> > > > Add the checks of the contents in the returned values and skip the
> > > > values for invalid cases.
> > > >
> > > > v1->v2: Check the info contents before dereferencing, too
> > > >
> > > > BugLink: http://bugzilla.opensuse.org/show_bug.cgi?id=1184074
> > > > Cc:
> > > > Signed-off-by: Takashi Iwai
> > > > --- > > > > drivers/gpu/drm/i915/display/intel_acpi.c | 22 ++++++++++++++++++++-- > > > > 1 file changed, 20 insertions(+), 2 deletions(-) > > > > > > > > diff --git a/drivers/gpu/drm/i915/display/intel_acpi.c b/drivers/gpu/drm/i915/display/intel_acpi.c > > > > index e21fb14d5e07..833d0c1be4f1 100644 > > > > --- a/drivers/gpu/drm/i915/display/intel_acpi.c 
> > > > +++ b/drivers/gpu/drm/i915/display/intel_acpi.c 
> > > > @@ -84,13 +84,31 @@ static void intel_dsm_platform_mux_info(acpi_handle dhandle) > > > > return; > > > > } > > > > > > > > + if (!pkg->package.count) { > > > > + DRM_DEBUG_DRIVER("no connection in _DSM\n"); > > > > + return; > > > > + } > > > > + > > > > connector_count = &pkg->package.elements[0]; > > > > DRM_DEBUG_DRIVER("MUX info connectors: %lld\n", > > > > (unsigned long long)connector_count->integer.value); > > > > for (i = 1; i < pkg->package.count; i++) { > > > > union acpi_object *obj = &pkg->package.elements[i]; > > > > - union acpi_object *connector_id = &obj->package.elements[0]; > > > > - union acpi_object *info = &obj->package.elements[1]; > > > > + union acpi_object *connector_id; > > > > + union acpi_object *info; > > > > + > > > > + if (obj->type != ACPI_TYPE_PACKAGE || obj->package.count < 2) { > > > > + DRM_DEBUG_DRIVER("Invalid object for MUX #%d\n", i); > > > > + continue; > > > > + } > > > > + > > > > + connector_id = &obj->package.elements[0];
> > >
> > > You don't want to check connector_id->type as well?
> >
> > I added only the minimal checks that may lead to Oops.
>
> OK. I guess misinterpreting something else as an integer isn't
> particularly dangerous in this case.
>
> Pushed to drm-intel-next. Thanks.

Great, thanks!

> Oh, could you ask the bug reporter to attach an acpidump to the
> bug? Might be good to have that stuff on record somewhere if/when
> someone wants to actually figure out what's going on here.

OK, I'll ask.

> That said, maybe we should just nuke this whole thing instead?
> Unless I'm missing something this code doesn't seem to actually
> do anything...

Yeah, that looks nothing but showing the debug information and that
can be checked via acpidump output, too...

Takashi
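
Review bot: connector_count->integer.value is still read straight after the new package.count check without confirming that elements[0] has type ACPI_TYPE_INTEGER, and connector_id in the loop is taken from obj->package.elements[0] the same way, which is the point raised in the review above. Because these are members of union acpi_object, an element of another type would have whatever its own member stores at that position printed as a number in the debug log. A test such as connector_count->type != ACPI_TYPE_INTEGER before the first DRM_DEBUG_DRIVER call, with the matching test on connector_id before it is used, would cover both reads. Separately, the context line pairs the "%lld" format with a cast to unsigned long long; "%llu" matches the cast.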