From: Greg KH <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: torvalds@linux-foundation.org, akpm@linux-foundation.org,
alan@lxorguk.ukuu.org.uk, Wang YanQing <udknight@gmail.com>,
Michal Januszewski <spock@gentoo.org>,
Florian Tobias Schandinat <FlorianSchandinat@gmx.de>
Subject: [ 24/68] video:uvesafb: Fix oops that uvesafb try to execute NX-protected page
Date: Thu, 19 Apr 2012 14:08:42 -0700 [thread overview]
Message-ID: <20120419210820.732241073@linuxfoundation.org> (raw)
In-Reply-To: <20120419210923.GA18589@kroah.com>
3.2-stable review patch. If anyone has any objections, please let me know.
------------------
From: Wang YanQing <udknight@gmail.com>
commit b78f29ca0516266431688c5eb42d39ce42ec039a upstream.
This patch fix the oops below that catched in my machine
[ 81.560602] uvesafb: NVIDIA Corporation, GT216 Board - 0696a290, Chip Rev , OEM: NVIDIA, VBE v3.0
[ 81.609384] uvesafb: protected mode interface info at c000:d350
[ 81.609388] uvesafb: pmi: set display start = c00cd3b3, set palette = c00cd40e
[ 81.609390] uvesafb: pmi: ports = 3b4 3b5 3ba 3c0 3c1 3c4 3c5 3c6 3c7 3c8 3c9 3cc 3ce 3cf 3d0 3d1 3d2 3d3 3d4 3d5 3da
[ 81.614558] uvesafb: VBIOS/hardware doesn't support DDC transfers
[ 81.614562] uvesafb: no monitor limits have been set, default refresh rate will be used
[ 81.614994] uvesafb: scrolling: ypan using protected mode interface, yres_virtual=4915
[ 81.744147] kernel tried to execute NX-protected page - exploit attempt? (uid: 0)
[ 81.744153] BUG: unable to handle kernel paging request at c00cd3b3
[ 81.744159] IP: [<c00cd3b3>] 0xc00cd3b2
[ 81.744167] *pdpt = 00000000016d6001 *pde = 0000000001c7b067 *pte = 80000000000cd163
[ 81.744171] Oops: 0011 [#1] SMP
[ 81.744174] Modules linked in: uvesafb(+) cfbcopyarea cfbimgblt cfbfillrect
[ 81.744178]
[ 81.744181] Pid: 3497, comm: modprobe Not tainted 3.3.0-rc4NX+ #71 Acer Aspire 4741 /Aspire 4741
[ 81.744185] EIP: 0060:[<c00cd3b3>] EFLAGS: 00010246 CPU: 0
[ 81.744187] EIP is at 0xc00cd3b3
[ 81.744189] EAX: 00004f07 EBX: 00000000 ECX: 00000000 EDX: 00000000
[ 81.744191] ESI: f763f000 EDI: f763f6e8 EBP: f57f3a0c ESP: f57f3a00
[ 81.744192] DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068
[ 81.744195] Process modprobe (pid: 3497, ti=f57f2000 task=f748c600 task.ti=f57f2000)
[ 81.744196] Stack:
[ 81.744197] f82512c5 f759341c 00000000 f57f3a30 c124a9bc 00000001 00000001 000001e0
[ 81.744202] f8251280 f763f000 f7593400 00000000 f57f3a40 c12598dd f5c0c000 00000000
[ 81.744206] f57f3b10 c1255efe c125a21a 00000006 f763f09c 00000000 c1c6cb60 f7593400
[ 81.744210] Call Trace:
[ 81.744215] [<f82512c5>] ? uvesafb_pan_display+0x45/0x60 [uvesafb]
[ 81.744222] [<c124a9bc>] fb_pan_display+0x10c/0x160
[ 81.744226] [<f8251280>] ? uvesafb_vbe_find_mode+0x180/0x180 [uvesafb]
[ 81.744230] [<c12598dd>] bit_update_start+0x1d/0x50
[ 81.744232] [<c1255efe>] fbcon_switch+0x39e/0x550
[ 81.744235] [<c125a21a>] ? bit_cursor+0x4ea/0x560
[ 81.744240] [<c129b6cb>] redraw_screen+0x12b/0x220
[ 81.744245] [<c128843b>] ? tty_do_resize+0x3b/0xc0
[ 81.744247] [<c129ef42>] vc_do_resize+0x3d2/0x3e0
[ 81.744250] [<c129efb4>] vc_resize+0x14/0x20
[ 81.744253] [<c12586bd>] fbcon_init+0x29d/0x500
[ 81.744255] [<c12984c4>] ? set_inverse_trans_unicode+0xe4/0x110
[ 81.744258] [<c129b378>] visual_init+0xb8/0x150
[ 81.744261] [<c129c16c>] bind_con_driver+0x16c/0x360
[ 81.744264] [<c129b47e>] ? register_con_driver+0x6e/0x190
[ 81.744267] [<c129c3a1>] take_over_console+0x41/0x50
[ 81.744269] [<c1257b7a>] fbcon_takeover+0x6a/0xd0
[ 81.744272] [<c12594b8>] fbcon_event_notify+0x758/0x790
[ 81.744277] [<c10929e2>] notifier_call_chain+0x42/0xb0
[ 81.744280] [<c1092d30>] __blocking_notifier_call_chain+0x60/0x90
[ 81.744283] [<c1092d7a>] blocking_notifier_call_chain+0x1a/0x20
[ 81.744285] [<c124a5a1>] fb_notifier_call_chain+0x11/0x20
[ 81.744288] [<c124b759>] register_framebuffer+0x1d9/0x2b0
[ 81.744293] [<c1061c73>] ? ioremap_wc+0x33/0x40
[ 81.744298] [<f82537c6>] uvesafb_probe+0xaba/0xc40 [uvesafb]
[ 81.744302] [<c12bb81f>] platform_drv_probe+0xf/0x20
[ 81.744306] [<c12ba558>] driver_probe_device+0x68/0x170
[ 81.744309] [<c12ba731>] __device_attach+0x41/0x50
[ 81.744313] [<c12b9088>] bus_for_each_drv+0x48/0x70
[ 81.744316] [<c12ba7f3>] device_attach+0x83/0xa0
[ 81.744319] [<c12ba6f0>] ? __driver_attach+0x90/0x90
[ 81.744321] [<c12b991f>] bus_probe_device+0x6f/0x90
[ 81.744324] [<c12b8a45>] device_add+0x5e5/0x680
[ 81.744329] [<c122a1a3>] ? kvasprintf+0x43/0x60
[ 81.744332] [<c121e6e4>] ? kobject_set_name_vargs+0x64/0x70
[ 81.744335] [<c121e6e4>] ? kobject_set_name_vargs+0x64/0x70
[ 81.744339] [<c12bbe9f>] platform_device_add+0xff/0x1b0
[ 81.744343] [<f8252906>] uvesafb_init+0x50/0x9b [uvesafb]
[ 81.744346] [<c100111f>] do_one_initcall+0x2f/0x170
[ 81.744350] [<f82528b6>] ? uvesafb_is_valid_mode+0x66/0x66 [uvesafb]
[ 81.744355] [<c10c6994>] sys_init_module+0xf4/0x1410
[ 81.744359] [<c1157fc0>] ? vfsmount_lock_local_unlock_cpu+0x30/0x30
[ 81.744363] [<c144cb10>] sysenter_do_call+0x12/0x36
[ 81.744365] Code: f5 00 00 00 32 f6 66 8b da 66 d1 e3 66 ba d4 03 8a e3 b0 1c 66 ef b0 1e 66 ef 8a e7 b0 1d 66 ef b0 1f 66 ef e8 fa 00 00 00 61 c3 <60> e8 c8 00 00 00 66 8b f3 66 8b da 66 ba d4 03 b0 0c 8a e5 66
[ 81.744388] EIP: [<c00cd3b3>] 0xc00cd3b3 SS:ESP 0068:f57f3a00
[ 81.744391] CR2: 00000000c00cd3b3
[ 81.744393] ---[ end trace 18b2c87c925b54d6 ]---
Signed-off-by: Wang YanQing <udknight@gmail.com>
Cc: Michal Januszewski <spock@gentoo.org>
Cc: Alan Cox <alan@lxorguk.ukuu.org.uk>
Signed-off-by: Florian Tobias Schandinat <FlorianSchandinat@gmx.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/video/uvesafb.c | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
--- a/drivers/video/uvesafb.c
+++ b/drivers/video/uvesafb.c
@@ -815,8 +815,15 @@ static int __devinit uvesafb_vbe_init(st
par->pmi_setpal = pmi_setpal;
par->ypan = ypan;
- if (par->pmi_setpal || par->ypan)
- uvesafb_vbe_getpmi(task, par);
+ if (par->pmi_setpal || par->ypan) {
+ if (__supported_pte_mask & _PAGE_NX) {
+ par->pmi_setpal = par->ypan = 0;
+ printk(KERN_WARNING "uvesafb: NX protection is actively."
+ "We have better not to use the PMI.\n");
+ } else {
+ uvesafb_vbe_getpmi(task, par);
+ }
+ }
#else
/* The protected mode interface is not available on non-x86. */
par->pmi_setpal = par->ypan = 0;
next prev parent reply other threads:[~2012-04-19 21:08 UTC|newest]
Thread overview: 70+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-04-19 21:09 [ 00/68] 3.2.16-stable review Greg KH
2012-04-19 21:08 ` [ 01/68] drm/i915: mask transcoder select bits before setting them on LVDS Greg KH
2012-04-19 21:08 ` [ 02/68] drm/radeon/kms: fix DVO setup on some r4xx chips Greg KH
2012-04-19 21:08 ` [ 03/68] drm/i915/ringbuffer: Exclude last 2 cachlines of ring on 845g Greg KH
2012-04-19 21:08 ` [ 04/68] drm/radeon: only add the mm i2c bus if the hw_i2c module param is set Greg KH
2012-04-19 21:08 ` [ 05/68] drm/i915: properly compute dp dithering for user-created modes Greg KH
2012-04-19 21:08 ` [ 06/68] drm/i915: make rc6 module parameter read-only Greg KH
2012-04-19 21:08 ` [ 07/68] rtlwifi: Add missing DMA buffer unmapping for PCI drivers Greg KH
2012-04-19 21:08 ` [ 08/68] ARM: 7379/1: DT: fix atags_to_fdt() second call site Greg KH
2012-04-19 21:08 ` [ 09/68] ARM: 7384/1: ThumbEE: Disable userspace TEEHBR access for !CONFIG_ARM_THUMBEE Greg KH
2012-04-19 21:08 ` [ 10/68] md/bitmap: prevent bitmap_daemon_work running while initialising bitmap Greg KH
2012-04-19 21:08 ` [ 11/68] [PATCH] Bluetooth: uart-ldisc: Fix memory leak Greg KH
2012-04-19 21:08 ` [ 12/68] Bluetooth: hci_ldisc: fix NULL-pointer dereference on tty_close Greg KH
2012-04-19 21:08 ` [ 13/68] ext4: address scalability issue by removing extent cache statistics Greg KH
2012-04-19 21:08 ` [ 14/68] ia64: fix futex_atomic_cmpxchg_inatomic() Greg KH
2012-04-19 21:08 ` [ 15/68] drivers/rtc/rtc-pl031.c: enable clock on all ST variants Greg KH
2012-04-19 21:08 ` [ 16/68] hugetlb: fix race condition in hugetlb_fault() Greg KH
2012-04-19 21:08 ` [ 17/68] staging: iio: hmc5843: Fix crash in probe function Greg KH
2012-04-19 21:08 ` [ 18/68] tty: serial: altera_uart: Check for NULL platform_data in probe Greg KH
2012-04-19 21:08 ` [ 19/68] sparc64: Eliminate obsolete __handle_softirq() function Greg KH
2012-04-19 21:08 ` [ 20/68] sparc64: Fix bootup crash on sun4v Greg KH
2012-04-19 21:08 ` [ 21/68] cciss: Initialize scsi host max_sectors for tape drive support Greg KH
2012-04-19 21:08 ` [ 22/68] cciss: Fix scsi tape io with more than 255 scatter gather elements Greg KH
2012-04-19 21:08 ` [ 23/68] perf hists: Catch and handle out-of-date hist entry maps Greg KH
2012-04-19 21:08 ` Greg KH [this message]
2012-04-19 21:08 ` [ 25/68] nohz: Fix stale jiffies update in tick_nohz_restart() Greg KH
2012-04-19 21:08 ` [ 26/68] pch_uart: Fix MSI setting issue Greg KH
2012-04-19 21:08 ` [ 27/68] USB: serial: fix race between probe and open Greg KH
2012-04-19 21:08 ` [ 28/68] USB: pl2303: fix DTR/RTS being raised on baud rate change Greg KH
2012-04-19 21:08 ` [ 29/68] USB: option: re-add NOVATELWIRELESS_PRODUCT_HSPA_HIGHSPEED to option_id array Greg KH
2012-04-19 21:08 ` [ 30/68] USB: ftdi_sio: fix status line change handling for TIOCMIWAIT and TIOCGICOUNT Greg KH
2012-04-19 21:08 ` [ 31/68] USB: ftdi_sio: fix race condition in TIOCMIWAIT, and abort of TIOCMIWAIT when the device is removed Greg KH
2012-04-19 21:08 ` [ 32/68] USB: sierra: add support for Sierra Wireless MC7710 Greg KH
2012-04-19 21:08 ` [ 33/68] USB: dont clear urb->dev in scatter-gather library Greg KH
2012-04-19 21:08 ` [ 34/68] USB: dont ignore suspend errors for root hubs Greg KH
2012-04-19 21:08 ` [ 35/68] xhci: dont re-enable IE constantly Greg KH
2012-04-19 21:08 ` [ 36/68] xhci: Dont write zeroed pointers to xHC registers Greg KH
2012-04-19 21:08 ` [ 37/68] xhci: Restore event ring dequeue pointer on resume Greg KH
2012-04-19 21:08 ` [ 38/68] USB: fix bug of device descriptor got from superspeed device Greg KH
2012-04-19 21:08 ` [ 39/68] xHCI: add XHCI_RESET_ON_RESUME quirk for VIA xHCI host Greg KH
2012-04-19 21:08 ` [ 40/68] xHCI: Correct the #define XHCI_LEGACY_DISABLE_SMI Greg KH
2012-04-19 21:08 ` [ 41/68] [S390] fix tlb flushing for page table pages Greg KH
2012-04-19 21:09 ` [ 42/68] serial: PL011: clear pending interrupts Greg KH
2012-04-19 21:09 ` [ 43/68] serial: PL011: move interrupt clearing Greg KH
2012-04-19 21:09 ` [ 44/68] fcaps: clear the same personality flags as suid when fcaps are used Greg KH
2012-04-19 21:09 ` [ 45/68] [PATCH] ath9k: fix max noise floor threshold Greg KH
2012-04-19 21:09 ` [ 46/68] xhci: Fix register save/restore order Greg KH
2012-04-19 21:09 ` [ 47/68] Bluetooth: hci_core: fix NULL-pointer dereference at unregister Greg KH
2012-04-19 21:09 ` [ 48/68] pch_gpio: Support new device LAPIS Semiconductor ML7831 IOH Greg KH
2012-04-19 21:09 ` [ 49/68] gpio: Add missing spin_lock_init in gpio-pch driver Greg KH
2012-04-19 21:09 ` [ 50/68] usb: gadget: pch_udc: Fix disconnect issue Greg KH
2012-04-19 21:09 ` [ 51/68] usb: gadget: pch_udc: Fix wrong return value Greg KH
2012-04-19 21:09 ` [ 52/68] usb: gadget: pch_udc: Fix USB suspend issue Greg KH
2012-04-19 21:09 ` [ 53/68] usb: gadget: pch_udc: Fix usb/gadget/pch_udc: Fix ether gadget connect/disconnect issue Greg KH
2012-04-19 21:09 ` [ 54/68] usb: gadget: pch_udc: Reduce redundant interrupt Greg KH
2012-04-19 21:09 ` [ 55/68] ACPICA: Fix to allow region arguments to reference other scopes Greg KH
2012-04-19 21:09 ` [ 56/68] security: fix compile error in commoncap.c Greg KH
2012-04-19 21:09 ` [ 57/68] pch_gbe: Do not abort probe on bad MAC Greg KH
2012-04-19 21:09 ` [ 58/68] pch_gbe: memory corruption calling pch_gbe_validate_option() Greg KH
2012-04-19 21:09 ` [ 59/68] pch_dma: Support new device LAPIS Semiconductor ML7831 IOH Greg KH
2012-04-19 21:09 ` [ 60/68] spi-topcliff-pch: fix -Wuninitialized warning Greg KH
2012-04-19 21:09 ` [ 61/68] spi-topcliff-pch: Support new device LAPIS Semiconductor ML7831 IOH Greg KH
2012-04-19 21:09 ` [ 62/68] Bluetooth: Adding USB device 13d3:3375 as an Atheros AR3012 Greg KH
2012-04-19 21:09 ` [ 63/68] Bluetooth: Add Atheros maryann PIDVID support Greg KH
2012-04-19 21:09 ` [ 64/68] Bluetooth: Add support for BCM20702A0 [0a5c:21e3] Greg KH
2012-04-19 21:09 ` [ 65/68] futex: Do not leak robust list to unprivileged process Greg KH
2012-04-19 21:09 ` [ 66/68] drm/radeon/kms: fix the regression of DVI connector check Greg KH
2012-04-19 21:09 ` [ 67/68] drm/radeon: disable MSI on RV515 Greg KH
2012-04-19 21:09 ` [ 68/68] drm/radeon: fix load detect on rn50 with hardcoded EDIDs Greg KH
2012-04-21 12:55 ` [ 00/68] 3.2.16-stable review Ben Hutchings
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20120419210820.732241073@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=FlorianSchandinat@gmx.de \
--cc=akpm@linux-foundation.org \
--cc=alan@lxorguk.ukuu.org.uk \
--cc=linux-kernel@vger.kernel.org \
--cc=spock@gentoo.org \
--cc=stable@vger.kernel.org \
--cc=torvalds@linux-foundation.org \
--cc=udknight@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).