Date: Wed, 07 Apr 2021 18:56:15 +0200
From: Takashi Iwai
To: Ville Syrjälä
Cc: Jani Nikula, Joonas Lahtinen, Rodrigo Vivi, intel-gfx@lists.freedesktop.org, linux-kernel@vger.kernel.org
Subject: Re: [Intel-gfx] [PATCH v2] drm/i915: Fix invalid access to ACPI _DSM objects
References: <20210402082317.871-1-tiwai@suse.de>

On Wed, 07 Apr 2021 18:34:46 +0200, Ville Syrjälä wrote:
>
> On Fri, Apr 02, 2021 at 10:23:17AM +0200, Takashi Iwai wrote:
> > intel_dsm_platform_mux_info() tries to parse the ACPI package data
> > from _DSM for the debug information, but it assumes the fixed format
> > without checking what values are stored in the elements actually.
> > When an unexpected value is returned from BIOS, it may lead to GPF or
> > NULL dereference, as reported recently.
> >
> > Add the checks of the contents in the returned values and skip the
> > values for invalid cases.
> >
> > v1->v2: Check the info contents before dereferencing, too
> >
> > BugLink: http://bugzilla.opensuse.org/show_bug.cgi?id=1184074
> > Cc:
> > Signed-off-by: Takashi Iwai
> > --- > > drivers/gpu/drm/i915/display/intel_acpi.c | 22 ++++++++++++++++++++-- > > 1 file changed, 20 insertions(+), 2 deletions(-) > > > > diff --git a/drivers/gpu/drm/i915/display/intel_acpi.c b/drivers/gpu/drm/i915/display/intel_acpi.c > > index e21fb14d5e07..833d0c1be4f1 100644 > > --- a/drivers/gpu/drm/i915/display/intel_acpi.c > > +++ b/drivers/gpu/drm/i915/display/intel_acpi.c
> > @@ -84,13 +84,31 @@ static void intel_dsm_platform_mux_info(acpi_handle dhandle) > > return; > > } > > > > + if (!pkg->package.count) { > > + DRM_DEBUG_DRIVER("no connection in _DSM\n"); > > + return; > > + } > > + > > connector_count = &pkg->package.elements[0]; > > DRM_DEBUG_DRIVER("MUX info connectors: %lld\n", > > (unsigned long long)connector_count->integer.value); > > for (i = 1; i < pkg->package.count; i++) { > > union acpi_object *obj = &pkg->package.elements[i]; > > - union acpi_object *connector_id = &obj->package.elements[0]; > > - union acpi_object *info = &obj->package.elements[1]; > > + union acpi_object *connector_id; > > + union acpi_object *info; > > + > > + if (obj->type != ACPI_TYPE_PACKAGE || obj->package.count < 2) { > > + DRM_DEBUG_DRIVER("Invalid object for MUX #%d\n", i); > > + continue; > > + } > > + > > + connector_id = &obj->package.elements[0];
>
> You don't want to check connector_id->type as well?

I added only the minimal checks that may lead to Oops.


Takashi

>
> > + info = &obj->package.elements[1]; > > + if (info->type != ACPI_TYPE_BUFFER || info->buffer.length < 4) { > > + DRM_DEBUG_DRIVER("Invalid info for MUX obj #%d\n", i); > > + continue; > > + } > > + > > DRM_DEBUG_DRIVER("Connector id: 0x%016llx\n", > > (unsigned long long)connector_id->integer.value); > > DRM_DEBUG_DRIVER(" port id: %s\n", > > -- > > 2.26.2
>
> --
> Ville Syrjälä
> Intel
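Review bot: connector_id->integer.value is still read for the "Connector id" debug line without a type check, which is the point raised at `connector_id = &obj->package.elements[0];`. Reading a union member does not dereference anything, so it cannot Oops by itself, but for a non-integer object the debug log prints whatever bytes overlay that field. Adding `connector_id->type != ACPI_TYPE_INTEGER` to the skip conditions would close that, and the same applies to connector_count->integer.value, which is read from elements[0] right after the new package.count check. The 4 in `info->buffer.length < 4` would also benefit from a short comment saying which bytes of the info buffer are consumed below.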