From: Johannes Weiner <hannes@saeurebad.de>
To: Sitsofe Wheeler <sitsofe@yahoo.com>
Cc: linux-kernel@vger.kernel.org
Cc: David Airlie <airlied@redhat.com>
Subject: Re: BUG: unable to handle kernel NULL pointer dereference (drm_getunique)
Date: Thu, 05 Jun 2008 02:54:48 +0200
Message-ID: <87y75kaeg7.fsf@saeurebad.de>
In-Reply-To: <g276vj$7f0$2@ger.gmane.org> (Sitsofe Wheeler's message of "Thu, 05 Jun 2008 00:03:17 +0100")
Hi,
Sitsofe Wheeler <sitsofe@yahoo.com> writes:
> While flipping back and forth between the vts/Xorg and doing iperf test
> over the wifi connection the following error appeared in next-20080604.
>
> [ 4305.767435] BUG: unable to handle kernel NULL pointer dereference at 00000000
> [ 4305.767452] IP: [<c02511d4>] drm_getunique+0xc/0x30
> [ 4305.767466] *pde = 00000000
> [ 4305.767474] Oops: 0000 [#1] SMP DEBUG_PAGEALLOC
> [ 4305.767483] last sysfs file: /sys/devices/system/cpu/cpu1/cache/index2/shared_cpu_map
> [ 4305.767492] Modules linked in:
> [ 4305.767498]
> [ 4305.767503] Pid: 8373, comm: unix2_chkpwd Tainted: G W (2.6.26-rc4-next-20080604skw #177)
> [ 4305.767513] EIP: 0060:[<c02511d4>] EFLAGS: 00210246 CPU: 0
> [ 4305.767521] EIP is at drm_getunique+0xc/0x30
> [ 4305.767527] EAX: f7d8ea70 EBX: 00000000 ECX: 00000028 EDX: 00000000
> [ 4305.767535] ESI: f7d8ea70 EDI: 00005401 EBP: ed383f34 ESP: ed383f2c
> [ 4305.767543] DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068
> [ 4305.767550] Process unix2_chkpwd (pid: 8373, ti=ed382000 task=f6efdee0 task.ti=ed382000)
> [ 4305.767558] Stack: 00000000 c04940a4 ed383f58 c0250637 f1e03f50 f7d8ea70 f7d8eaf0 c02511c8
> [ 4305.767574] c04944c4 d603b200 bfda0500 ed383f74 c017ebba bfda0500 00005401 d603b200
> [ 4305.767589] d603b200 bfda0500 ed383f98 c017ee0a 00000001 ffffffea f1c0c100 ed383fb0
> [ 4305.767605] Call Trace:
> [ 4305.767611] [<c0250637>] ? drm_ioctl+0x1b0/0x225
> [ 4305.767622] [<c02511c8>] ? drm_getunique+0x0/0x30
> [ 4305.767632] [<c017ebba>] ? vfs_ioctl+0x4e/0x67
> [ 4305.767643] [<c017ee0a>] ? do_vfs_ioctl+0x237/0x245
> [ 4305.767652] [<c017ee44>] ? sys_ioctl+0x2c/0x48
> [ 4305.767661] [<c0102c35>] ? sysenter_past_esp+0x6a/0xa5
Hm, in drm_getunique, dev is not NULL as it was already dereferenced in
drm_ioctl. file_priv is not used at all. So only data is left.
data is kdata in drm_ioctl and only NULL if the ioctl request is neither
input nor output.
I have not found a check on cmd in the callpath that would filter out
malformed requests. So the user would be allowed to pass in a valid
request number with wrong flags here, correct?
Hannes
---
drm: check ioctl direction before dispatching
The userland might specify a valid ioctl request number with a wrong
direction. Precheck the direction of the dispatcher function beforehand
because we prepare arguments based on this parameter and the dispatched
function relies on them being valid.
Signed-off-by: Johannes Weiner <hannes@saeurebad.de>
CC: David Airlie <airlied@redhat.com>
---
Compile-time tested only!
diff --git a/drivers/char/drm/drm_drv.c b/drivers/char/drm/drm_drv.c
index fc54140..1a27d04 100644
--- a/drivers/char/drm/drm_drv.c
+++ b/drivers/char/drm/drm_drv.c
@@ -475,6 +475,10 @@ int drm_ioctl(struct inode *inode, struct file *filp,
else
goto err_i1;
+ /* Make sure the direction is correct */
+ if (_IOC_DIR(ioctl->cmd) != _IOC_DIR(cmd))
+ goto err_i1;
+
func = ioctl->func;
/* is there a local override? */
if ((nr == DRM_IOCTL_NR(DRM_IOCTL_DMA)) && dev->driver->dma_ioctl)
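Review bot: the check `if (_IOC_DIR(ioctl->cmd) != _IOC_DIR(cmd))` compares only the direction bits, yet the commit message says the arguments are prepared from this parameter, and the same `cmd` word also carries the size field, so a request with the registered direction but a different size is still accepted. Consider comparing the size as well, or better, deriving both direction and size for argument preparation from the trusted `ioctl->cmd` rather than from the user-supplied `cmd`, which would make this comparison unnecessary. Since `goto err_i1` is shared with the table-lookup failures just above, make sure `retcode` holds the intended error (-EINVAL) at this point, and say so in the comment, e.g. `/* Reject a request whose direction differs from the registered one */`.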
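As an added example that is not part of this thread and not the kernel's code, the following user-space model of the dispatch path Hannes describes shows how a request number with the wrong direction bits reaches the handler with a NULL argument, and how the direction comparison from the patch stops it. The IOC_* macros, `struct unique_arg`, `table`, and `dispatch` are all constructed stand-ins for the kernel's _IOC encoding, `struct drm_unique`, the drm_ioctls table, and drm_ioctl.

```c
/* Added example, not kernel code: user-space model of the drm_ioctl path above.
 * IOC_* copies the Linux x86 ioctl encoding so no kernel headers are needed. */
#include <stdlib.h>
#include <errno.h>

#define IOC_WRITE 1U
#define IOC_READ  2U
#define IOC(dir, type, nr, size) (((dir) << 30) | ((unsigned int)(type) << 8) | \
                                  (nr) | ((unsigned int)(size) << 16))
#define IOC_NR(c)   ((c) & 0xffU)
#define IOC_SIZE(c) (((c) >> 16) & 0x3fffU)
#define IOC_DIR(c)  (((c) >> 30) & 3U)

struct unique_arg { size_t len; char *buf; };  /* stand-in for drm_unique */
struct ioctl_desc { unsigned int cmd; int (*func)(void *data); };

static int getunique(void *data)
{
    struct unique_arg *u = data;
    if (!u)             /* in the kernel this is the NULL dereference; */
        return -EFAULT; /* the model reports it instead of crashing    */
    u->len = 0;
    return 0;
}

/* nr 0x01 registered with an IOWR encoding, mirroring DRM_IOCTL_GET_UNIQUE. */
static const struct ioctl_desc table[] = {
    [1] = { IOC(IOC_READ | IOC_WRITE, 'd', 1, sizeof(struct unique_arg)), getunique },
};

/* Model of drm_ioctl: check_dir == 0 is the behaviour before the patch,
 * check_dir == 1 adds the direction comparison the patch introduces. */
static int dispatch(unsigned int cmd, int check_dir)
{
    unsigned int nr = IOC_NR(cmd);
    void *kdata = NULL;
    int ret;

    if (nr >= sizeof(table) / sizeof(table[0]) || !table[nr].func)
        return -EINVAL;
    if (check_dir && IOC_DIR(table[nr].cmd) != IOC_DIR(cmd))
        return -EINVAL;
    /* kdata is prepared from the user-supplied cmd: that is the trust gap. */
    if (IOC_DIR(cmd) & (IOC_READ | IOC_WRITE))
        kdata = calloc(1, IOC_SIZE(cmd));
    ret = table[nr].func(kdata);
    free(kdata);
    return ret;
}
```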