dri-devel.lists.freedesktop.org archive mirror
From: Marcin Slusarz <marcin.slusarz@gmail.com>
To: Heinz Diehl <htd@fritha.org>
Cc: "Martin Peres" <martin.peres@labri.fr>,
	"Paweł Sikora" <pawel.sikora@agmk.net>,
	"Daniel Vetter" <daniel.vetter@ffwll.ch>,
	linux-kernel@vger.kernel.org, dri-devel@lists.freedesktop.org,
	"Ben Skeggs" <bskeggs@redhat.com>,
	marcheu@chromium.org,
	"Linus Torvalds" <torvalds@linux-foundation.org>,
	"Heinz Diehl" <htd@fancy-poultry.org>
Subject: Re: Linux 3.7-rc1 (nouveau_bios_score oops).
Date: Sat, 20 Oct 2012 22:28:46 +0200
Message-ID: <20121020202846.GA5826@joi.lan>
In-Reply-To: <20121020104238.GA1539@fritha.org>

On Sat, Oct 20, 2012 at 12:42:38PM +0200, Heinz Diehl wrote:
> On 20.10.2012, Martin Peres wrote: 
> 
> > Can you test the attached patch too? I rebased the previous one I sent on
> > top of 3.7-rc1 as I accidentally used an older version.
> 
> Yes, of course.
> 
> Tried it. Unfortunately, the crash remains the same as reported.

Try this one.

Now, the question is: could the 3.6 kernel get the VBIOS by ACPI?
If yes, please mount debugfs and send vbios.rom to me.
(cat /sys/kernel/debug/dri/0/vbios.rom > vbios.rom)

---
From: Marcin Slusarz <marcin.slusarz@gmail.com>
Subject: [PATCH] drm/nouveau: validate vbios size

Without checking, we could detect the vbios size as 0, allocate a 0-byte array
(kmalloc returns an invalid pointer for such an allocation) and crash in
nouveau_bios_score while checking for the vbios signature.

Reported-by: Heinz Diehl <htd@fritha.org>
Signed-off-by: Marcin Slusarz <marcin.slusarz@gmail.com>
---
 drivers/gpu/drm/nouveau/core/subdev/bios/base.c | 16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)

diff --git a/drivers/gpu/drm/nouveau/core/subdev/bios/base.c b/drivers/gpu/drm/nouveau/core/subdev/bios/base.c
index dcb5c2b..824eea0 100644
--- a/drivers/gpu/drm/nouveau/core/subdev/bios/base.c
+++ b/drivers/gpu/drm/nouveau/core/subdev/bios/base.c
@@ -72,7 +72,7 @@ nouveau_bios_shadow_of(struct nouveau_bios *bios)
 	}
 
 	data = of_get_property(dn, "NVDA,BMP", &size);
-	if (data) {
+	if (data && size) {
 		bios->size = size;
 		bios->data = kmalloc(bios->size, GFP_KERNEL);
 		if (bios->data)
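
Review bot: `if (data && size)` rejects only an empty NVDA,BMP property, while nouveau_bios_score later in this patch refuses anything with bios->size < 3. In this path the size is the property length rather than a multiple of 512, so a 1- or 2-byte property is still allocated before being discarded; testing `size >= 3` here would be consistent with the score check.
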
@@ -104,6 +104,9 @@ nouveau_bios_shadow_pramin(struct nouveau_bios *bios)
 		goto out;
 
 	bios->size = nv_rd08(bios, 0x700002) * 512;
+	if (!bios->size)
+		goto out;
+
 	bios->data = kmalloc(bios->size, GFP_KERNEL);
 	if (bios->data) {
 		for (i = 0; i < bios->size; i++)
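
Review bot: the new `if (!bios->size) goto out;` after the nv_rd08(bios, 0x700002) read needs a one-line comment saying why it exists, because the `if (bios->data)` test just below looks as if it already covers a bad allocation. kmalloc(0) returns ZERO_SIZE_PTR, which is non-NULL, so that test passes for a zero-length image; the commit message explains this but the code does not.
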
@@ -155,6 +158,9 @@ nouveau_bios_shadow_prom(struct nouveau_bios *bios)
 
 	/* read entire bios image to system memory */
 	bios->size = nv_rd08(bios, 0x300002) * 512;
+	if (!bios->size)
+		goto out;
+
 	bios->data = kmalloc(bios->size, GFP_KERNEL);
 	if (bios->data) {
 		for (i = 0; i < bios->size; i++)
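
Review bot: this `if (!bios->size) goto out;` in nouveau_bios_shadow_prom repeats the check in nouveau_bios_shadow_pramin, and the `bios->size < 3` test added to nouveau_bios_score also rejects a zero-length image whichever method produced it. The commit message should say which of the two is the actual fix for the oops and which only avoids the zero-byte kmalloc, so that a later shadow method without the per-method check is understood to be covered.
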
@@ -194,6 +200,8 @@ nouveau_bios_shadow_acpi(struct nouveau_bios *bios)
 	bios->size = 0;
 	if (nouveau_acpi_get_bios_chunk(data, 0, 3) == 3)
 		bios->size = data[2] * 512;
+	if (!bios->size)
+		return;
 
 	bios->data = kmalloc(bios->size, GFP_KERNEL);
 	for (i = 0; bios->data && i < bios->size; i += cnt) {
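
Review bot: the new `if (!bios->size) return;` in nouveau_bios_shadow_acpi is silent, and it is reached both when nouveau_acpi_get_bios_chunk(data, 0, 3) does not return 3 and when data[2] is 0. A message that distinguishes the two cases would make it possible to tell from a log whether ACPI returned nothing or returned a header with a zero length byte. The other methods in this patch bail out with `goto out` while this one returns directly, so please confirm nothing acquired earlier in the function needs releasing.
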
@@ -229,12 +237,14 @@ nouveau_bios_shadow_pci(struct nouveau_bios *bios)
 static int
 nouveau_bios_score(struct nouveau_bios *bios, const bool writeable)
 {
-	if (!bios->data || bios->data[0] != 0x55 || bios->data[1] != 0xAA) {
+	if (bios->size < 3 || !bios->data || bios->data[0] != 0x55 ||
+			bios->data[1] != 0xAA) {
 		nv_info(bios, "... signature not found\n");
 		return 0;
 	}
 
-	if (nvbios_checksum(bios->data, bios->data[2] * 512)) {
+	if (nvbios_checksum(bios->data,
+			min_t(u32, bios->data[2] * 512, bios->size))) {
 		nv_info(bios, "... checksum invalid\n");
 		/* if a ro image is somewhat bad, it's probably all rubbish */
 		return writeable ? 2 : 1;
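
Review bot: in the nvbios_checksum call, `min_t(u32, bios->data[2] * 512, bios->size)` clamps silently when the header claims more bytes than were shadowed, so a truncated image is checksummed over a partial range and reported only as "checksum invalid". Treating bios->data[2] * 512 > bios->size as its own failure with its own nv_info line would be clearer. The opposite case is also uncovered: in the OF path bios->size comes from the property length, so bios->data[2] can be 0 with size >= 3 and the checksum then runs over zero bytes; whether nvbios_checksum rejects that is not visible in this hunk.
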
-- 
1.7.12
