From mboxrd@z Thu Jan 1 00:00:00 1970
From: Marcin Slusarz
Subject: Re: Linux 3.7-rc1 (nouveau_bios_score oops).
Date: Sat, 20 Oct 2012 22:35:20 +0200
Message-ID: <20121020203520.GB5826@joi.lan>
References: <1724445.dN2yMEzN6d@localhost> <20121020092647.GA3186@fancy-poultry.org> <50827174.7070109@labri.fr> <20121020104238.GA1539@fritha.org> <20121020202846.GA5826@joi.lan>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: QUOTED-PRINTABLE
Return-path:
Content-Disposition: inline
In-Reply-To: <20121020202846.GA5826@joi.lan>
Sender: linux-kernel-owner@vger.kernel.org
To: Heinz Diehl
Cc: Martin Peres, Heinz Diehl, Linus Torvalds, Paweł Sikora, David Airlie, Ben Skeggs, Daniel Vetter, dri-devel@lists.freedesktop.org, linux-kernel@vger.kernel.org, marcheu@chromium.org
List-Id: dri-devel@lists.freedesktop.org

On Sat, Oct 20, 2012 at 10:28:46PM +0200, Marcin Slusarz wrote:
> On Sat, Oct 20, 2012 at 12:42:38PM +0200, Heinz Diehl wrote:
> > On 20.10.2012, Martin Peres wrote:
> >
> > > Can you test the attached patch too ? I rebased the previous one I sent on
> > > top on 3.7-rc1 as I accidentally used an older version.
> >
> > Yes, of course.
> >
> > Tried it. Unfortunately, the crash remains the same as reported.
>
> Try this one.
>
> Now, the question is: could 3.6 kernel get VBIOS by ACPI?
> If yes, please mount debugfs and send vbios.rom to me please.
> (cat /sys/kernel/debug/dri/0/vbios.rom > vbios.rom)
>
> ---
> From: Marcin Slusarz
> Subject: [PATCH] drm/nouveau: validate vbios size
>
> Without checking, we could detect vbios size as 0, allocate 0-byte array
> (kmalloc returns invalid pointer for such allocation) and crash in
> nouveau_bios_score while checking for vbios signature.
>
> Reported-by: Heinz Diehl

And of course:

Reported-by: Paweł Sikora
> Signed-off-by: Marcin Slusarz > --- > drivers/gpu/drm/nouveau/core/subdev/bios/base.c | 16 +++++++++++++--= - > 1 file changed, 13 insertions(+), 3 deletions(-) >=20 > diff --git a/drivers/gpu/drm/nouveau/core/subdev/bios/base.c b/driver= s/gpu/drm/nouveau/core/subdev/bios/base.c > index dcb5c2b..824eea0 100644 > --- a/drivers/gpu/drm/nouveau/core/subdev/bios/base.c > +++ b/drivers/gpu/drm/nouveau/core/subdev/bios/base.c > @@ -72,7 +72,7 @@ nouveau_bios_shadow_of(struct nouveau_bios *bios) > } > =20 > data =3D of_get_property(dn, "NVDA,BMP", &size); > - if (data) { > + if (data && size) { > bios->size =3D size; > bios->data =3D kmalloc(bios->size, GFP_KERNEL); > if (bios->data) > @@ -104,6 +104,9 @@ nouveau_bios_shadow_pramin(struct nouveau_bios *b= ios) > goto out; > =20 > bios->size =3D nv_rd08(bios, 0x700002) * 512; > + if (!bios->size) > + goto out; > + > bios->data =3D kmalloc(bios->size, GFP_KERNEL); > if (bios->data) { > for (i =3D 0; i < bios->size; i++) > @@ -155,6 +158,9 @@ nouveau_bios_shadow_prom(struct nouveau_bios *bio= s) > =20 > /* read entire bios image to system memory */ > bios->size =3D nv_rd08(bios, 0x300002) * 512; > + if (!bios->size) > + goto out; > + > bios->data =3D kmalloc(bios->size, GFP_KERNEL); > if (bios->data) { > for (i =3D 0; i < bios->size; i++) > @@ -194,6 +200,8 @@ nouveau_bios_shadow_acpi(struct nouveau_bios *bio= s) > bios->size =3D 0; > if (nouveau_acpi_get_bios_chunk(data, 0, 3) =3D=3D 3) > bios->size =3D data[2] * 512; > + if (!bios->size) > + return; > =20 > bios->data =3D kmalloc(bios->size, GFP_KERNEL); > for (i =3D 0; bios->data && i < bios->size; i +=3D cnt) { 
> @@ -229,12 +237,14 @@ nouveau_bios_shadow_pci(struct nouveau_bios *bi= os) > static int > nouveau_bios_score(struct nouveau_bios *bios, const bool writeable) > { > - if (!bios->data || bios->data[0] !=3D 0x55 || bios->data[1] !=3D 0x= AA) { > + if (bios->size < 3 || !bios->data || bios->data[0] !=3D 0x55 || > + bios->data[1] !=3D 0xAA) { > nv_info(bios, "... signature not found\n"); > return 0; > } > =20 > - if (nvbios_checksum(bios->data, bios->data[2] * 512)) { > + if (nvbios_checksum(bios->data, > + min_t(u32, bios->data[2] * 512, bios->size))) { > nv_info(bios, "... checksum invalid\n"); > /* if a ro image is somewhat bad, it's probably all rubbish */ > return writeable ? 2 : 1; > --=20
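Review bot: the nouveau_bios_shadow_of hunk rejects only a zero-length property (`if (data && size)`), while nouveau_bios_score later requires `bios->size < 3` to fail; a 1- or 2-byte "NVDA,BMP" property is therefore still copied into bios->data and only thrown out at scoring time. Either apply the same minimum here (`if (data && size >= 3)`) so all four shadow paths reject the same inputs, or add a comment stating that the length floor is deliberately enforced in one place, in nouveau_bios_score.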
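Review bot: in the nouveau_bios_shadow_pramin and nouveau_bios_shadow_prom hunks the new `if (!bios->size) goto out;` guards a length derived from a single device byte (`nv_rd08(bios, 0x700002) * 512` and `nv_rd08(bios, 0x300002) * 512`), which is the same header field (offset 2, in 512-byte units) that nouveau_bios_score re-reads as `bios->data[2] * 512`; a short comment saying so would tie the early exit to the later clamp and explain why zero is the only value rejected at this point.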
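Review bot: the nouveau_bios_shadow_acpi hunk exits with a bare `return;` where the pramin and prom paths use `goto out;`; since bios->size was just set to 0 and bios->data has not been allocated yet the early return is safe, but using one form in all three functions (or a one-line comment noting that there is nothing to unwind here) would keep the four shadow paths readable side by side.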
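Review bot: in the nouveau_bios_score hunk, `min_t(u32, bios->data[2] * 512, bios->size)` silently checksums a truncated image when the header claims more than was shadowed, so the only visible symptom of an over-claimed length is the generic "... checksum invalid" message; consider an explicit `nv_info(bios, "... image truncated\n")` (or similar) when `bios->data[2] * 512 > bios->size`, which makes the vbios.rom debugging asked for earlier in this thread much easier. The reordered signature check is correct: `bios->size < 3` is evaluated before `bios->data[0]`, so a 0-byte allocation's pointer is never dereferenced.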
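The validation the patch adds to nouveau_bios_score, as an added user-space C example (not nouveau's code and not from this thread). It assumes only the header layout the hunks read: data[0..1] is the 0x55 0xAA signature and data[2] is the image length in 512-byte units. nvbios_checksum is modelled as a byte sum that must be 0 mod 256, and the "accepted" return value 3 is an assumption, since the page only shows the failure returns.

```c
/* Added example, not nouveau's code: a user-space model of the checks the
 * patch adds to nouveau_bios_score(). Assumed header layout: data[0..1] =
 * 0x55 0xAA, data[2] = length in 512-byte units. The checksum rule and the
 * "accepted" score of 3 are assumptions, not taken from nouveau. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct vbios {
    uint8_t *data;   /* shadowed image, or NULL when nothing was read */
    uint32_t size;   /* number of bytes actually shadowed */
};

/* Assumed checksum rule: returns 0 when the first `len` bytes sum to 0 mod 256. */
static uint8_t vbios_checksum(const uint8_t *data, uint32_t len)
{
    uint8_t sum = 0;
    for (uint32_t i = 0; i < len; i++)
        sum += data[i];
    return sum;
}

/* Mirrors the patched check: 0 = no usable signature, 1/2 = bad checksum
 * (read-only / writeable image), 3 = accepted (assumed value). */
static int vbios_score(const struct vbios *bios, int writeable)
{
    /* size < 3 is the new guard: a zero-length (or 1-2 byte) shadow is
     * rejected before data[0..2] is touched, which is where the unpatched
     * code dereferenced the pointer returned for a 0-byte allocation. */
    if (bios->size < 3 || !bios->data ||
        bios->data[0] != 0x55 || bios->data[1] != 0xAA) {
        printf("... signature not found\n");
        return 0;
    }

    /* The header's own length claim is not trusted past what was read:
     * clamp it so the checksum loop cannot run off the end of the buffer. */
    uint32_t claimed = (uint32_t)bios->data[2] * 512;
    uint32_t len = claimed < bios->size ? claimed : bios->size;
    if (vbios_checksum(bios->data, len)) {
        printf("... checksum invalid\n");
        return writeable ? 2 : 1;
    }
    return 3;
}

/* Constructed test image: valid signature, `units` * 512 bytes claimed,
 * zero-filled body, last byte fixed up so the whole image sums to 0. */
static void make_image(uint8_t *buf, size_t buflen, uint8_t units)
{
    memset(buf, 0, buflen);
    buf[0] = 0x55;
    buf[1] = 0xAA;
    buf[2] = units;
    buf[(size_t)units * 512 - 1] = (uint8_t)(0u - (0x55u + 0xAAu + units));
}

/* The reported case: size detected as 0, nothing usable in bios->data. */
static int score_empty_shadow(void)
{
    struct vbios b = { .data = NULL, .size = 0 };
    return vbios_score(&b, 0);
}

/* Signature present but the length byte is missing: too short to score. */
static int score_truncated_header(void)
{
    uint8_t hdr[2] = { 0x55, 0xAA };
    struct vbios b = { .data = hdr, .size = sizeof hdr };
    return vbios_score(&b, 0);
}

/* Well-formed 1024-byte image that claims exactly 2 * 512 bytes. */
static int score_valid_image(void)
{
    static uint8_t img[1024];
    make_image(img, sizeof img, 2);
    struct vbios b = { .data = img, .size = sizeof img };
    return vbios_score(&b, 0);
}

/* Header claims 4 * 512 bytes but only 1024 were shadowed: the checksum is
 * computed over the 1024 bytes present, never over the 2048 claimed. */
static int score_overclaimed_length(void)
{
    static uint8_t img[2048];
    make_image(img, sizeof img, 4);
    struct vbios b = { .data = img, .size = 1024 };
    return vbios_score(&b, 0);
}

int main(void)
{
    printf("empty shadow      -> %d\n", score_empty_shadow());
    printf("2-byte header     -> %d\n", score_truncated_header());
    printf("valid image       -> %d\n", score_valid_image());
    printf("overclaimed image -> %d\n", score_overclaimed_length());
    return 0;
}
```

The last scenario is the one the `min_t` clamp covers: the image is rejected with a checksum failure instead of a read past the end of the 1024-byte buffer, which in the kernel would be the same kind of out-of-bounds access as the original zero-size crash, only harder to reproduce.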