From patchwork Sat Oct 20 20:28:46 2012
X-Patchwork-Submitter: Marcin Ślusarz
X-Patchwork-Id: 1622061
Date: Sat, 20 Oct 2012 22:28:46 +0200
From: Marcin Slusarz
To: Heinz Diehl
Subject: Re: Linux 3.7-rc1 (nouveau_bios_score oops).
Message-ID: <20121020202846.GA5826@joi.lan>
References: <1724445.dN2yMEzN6d@localhost> <20121020092647.GA3186@fancy-poultry.org> <50827174.7070109@labri.fr> <20121020104238.GA1539@fritha.org>
In-Reply-To: <20121020104238.GA1539@fritha.org>
User-Agent: Mutt/1.5.21 (2010-09-15)
Cc: Martin Peres, Paweł Sikora, Daniel Vetter, linux-kernel@vger.kernel.org, dri-devel@lists.freedesktop.org, Ben Skeggs, marcheu@chromium.org, Linus Torvalds, Heinz Diehl
List-Id: Direct Rendering Infrastructure - Development

On Sat, Oct 20, 2012 at 12:42:38PM +0200, Heinz Diehl wrote:
> On 20.10.2012, Martin Peres wrote:
>
> > Can you test the attached patch too ? I rebased the previous one I sent on
> > top on 3.7-rc1 as I accidentally used an older version.
>
> Yes, of course.
>
> Tried it. Unfortunately, the crash remains the same as reported.

Try this one.

Now, the question is: could the 3.6 kernel get the VBIOS via ACPI?
If yes, please mount debugfs and send vbios.rom to me.
(cat /sys/kernel/debug/dri/0/vbios.rom > vbios.rom)

Reported-by: Paweł Sikora
---
From: Marcin Slusarz Subject: [PATCH] drm/nouveau: validate vbios size Without checking, we could detect vbios size as 0, allocate 0-byte array (kmalloc returns invalid pointer for such allocation) and crash in nouveau_bios_score while checking for vbios signature. Reported-by: Heinz Diehl Signed-off-by: Marcin Slusarz --- drivers/gpu/drm/nouveau/core/subdev/bios/base.c | 16 +++++++++++++--- 1 file changed, 13 insertions(+), 3 deletions(-) diff --git a/drivers/gpu/drm/nouveau/core/subdev/bios/base.c b/drivers/gpu/drm/nouveau/core/subdev/bios/base.c index dcb5c2b..824eea0 100644 --- a/drivers/gpu/drm/nouveau/core/subdev/bios/base.c +++ b/drivers/gpu/drm/nouveau/core/subdev/bios/base.c @@ -72,7 +72,7 @@ nouveau_bios_shadow_of(struct nouveau_bios *bios) } data = of_get_property(dn, "NVDA,BMP", &size); - if (data) { + if (data && size) { bios->size = size; bios->data = kmalloc(bios->size, GFP_KERNEL); if (bios->data) @@ -104,6 +104,9 @@ nouveau_bios_shadow_pramin(struct nouveau_bios *bios) goto out; bios->size = nv_rd08(bios, 0x700002) * 512; + if (!bios->size) + goto out; + bios->data = kmalloc(bios->size, GFP_KERNEL); if (bios->data) { for (i = 0; i < bios->size; i++) @@ -155,6 +158,9 @@ nouveau_bios_shadow_prom(struct nouveau_bios *bios) /* read entire bios image to system memory */ bios->size = nv_rd08(bios, 0x300002) * 512; + if (!bios->size) + goto out; + bios->data = kmalloc(bios->size, GFP_KERNEL); if (bios->data) { for (i = 0; i < bios->size; i++) @@ -194,6 +200,8 @@ nouveau_bios_shadow_acpi(struct nouveau_bios *bios) bios->size = 0; if (nouveau_acpi_get_bios_chunk(data, 0, 3) == 3) bios->size = data[2] * 512; + if (!bios->size) + return; bios->data = kmalloc(bios->size, GFP_KERNEL); for (i = 0; bios->data && i < bios->size; i += cnt) { 
@@ -229,12 +237,14 @@ nouveau_bios_shadow_pci(struct nouveau_bios *bios) static int nouveau_bios_score(struct nouveau_bios *bios, const bool writeable) { - if (!bios->data || bios->data[0] != 0x55 || bios->data[1] != 0xAA) { + if (bios->size < 3 || !bios->data || bios->data[0] != 0x55 || + bios->data[1] != 0xAA) { nv_info(bios, "... signature not found\n"); return 0; } - if (nvbios_checksum(bios->data, bios->data[2] * 512)) { + if (nvbios_checksum(bios->data, + min_t(u32, bios->data[2] * 512, bios->size))) { nv_info(bios, "... checksum invalid\n"); /* if a ro image is somewhat bad, it's probably all rubbish */ return writeable ? 2 : 1;
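Review bot: in the nouveau_bios_shadow_of hunk, `if (data && size)` makes a present-but-empty NVDA,BMP property fall through the same way as an absent one, with nothing logged; a one-line comment (or an nv_debug) saying that an empty property is deliberately ignored would save the next reader from wondering whether the `size` test was meant to be `size >= 3`. The check itself is needed: without it bios->size would be 0 and the kmalloc(0) path the commit message describes would be reached.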
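Review bot: in the nouveau_bios_shadow_pramin hunk, the new `if (!bios->size) goto out;` sits after `bios->size = nv_rd08(bios, 0x700002) * 512;`, so on this exit the function leaves bios->size at 0 and bios->data unallocated; that is only correct if the code at `out:` (not in the visible context) does not assume bios->data was set up. Worth confirming, since the earlier `goto out` above this line is taken before bios->size is written at all.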
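Review bot: in the nouveau_bios_shadow_prom hunk, this is the third copy of the "read one size byte, multiply by 512, bail on 0" pattern (PRAMIN, PROM and ACPI all get it in this patch); a zero-length ROM is then only reported later by nouveau_bios_score as "... signature not found", which tells the user nothing about which shadow path saw a zero size byte. Consider a small shared helper or at least an nv_debug next to each `if (!bios->size)` so the condition is visible in dmesg.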
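Review bot: in the nouveau_bios_shadow_acpi hunk, `if (!bios->size) return;` also covers the case where nouveau_acpi_get_bios_chunk() returned fewer than 3 bytes (bios->size stays at the 0 assigned just above), which is the right outcome; but it uses `return` where the other shadow functions in this patch use `goto out`, so any cleanup at an `out:` label in this function would be skipped. If there is none, a short comment saying the early return intentionally leaves bios->data untouched would settle the question.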
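Review bot: in the nouveau_bios_score hunk, clamping with `min_t(u32, bios->data[2] * 512, bios->size)` stops the checksum read from running past the shadowed buffer, but a truncated image (declared length larger than bios->size) now reports only "... checksum invalid", which the user cannot tell apart from a corrupt image; an nv_info when `bios->data[2] * 512 > bios->size` would make that distinction. Separately, `bios->size < 3` protects the header read but `bios->data[2] == 0` still produces a 0-byte checksum, which nvbios_checksum() will presumably pass as valid; the shadow hunks reject a zero size byte before allocating, but score() is the only check on paths such as the OF one where bios->size is not derived from data[2], so rejecting `bios->data[2] == 0` here would be consistent.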
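The commit message explains the crash: a size of 0 leads to kmalloc(0), which returns a non-NULL sentinel (ZERO_SIZE_PTR in the kernel) rather than a usable buffer, and the signature check then dereferences it. The following is an added example, not code from this patch or from the nouveau driver: a user-space C model that scores a shadowed VBIOS image first the way the pre-patch code does (trusting data[2] and never consulting the shadowed size) and then with the patch's two checks (header must fit in bios->size, checksum length clamped to the bytes actually present). Everything in it is constructed for the demonstration: `struct vbios_image`, `vbios_checksum` (a plain byte-sum-to-zero standing in for nvbios_checksum()), the simplified return codes, and the three sample images. The unchecked scorer returns -1 where the real code would read out of bounds, so the model shows the hazard without performing it.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the fields of struct nouveau_bios used here. */
struct vbios_image {
    const uint8_t *data;   /* shadowed image (may be a 0-byte allocation) */
    uint32_t size;         /* number of bytes actually shadowed */
};

/* Byte sum mod 256; a well-formed image sums to 0. Our own implementation,
 * playing the role nvbios_checksum() plays in the patch. */
static uint8_t vbios_checksum(const uint8_t *data, uint32_t len)
{
    uint8_t sum = 0;
    for (uint32_t i = 0; i < len; i++)
        sum += data[i];
    return sum;
}

/* Pre-patch logic: the only guard is "data != NULL". A 0-byte allocation
 * is non-NULL, so data[0..2] and the data[2]*512-byte checksum are read
 * without regard to how many bytes exist. Returns 0 = no signature,
 * 1 = checksum invalid, 3 = good, and -1 where the real code would read
 * past the allocation (the model refuses to do that). */
static int score_unchecked(const struct vbios_image *img)
{
    if (!img->data)
        return 0;
    if (img->size < 3)
        return -1;                         /* header read would overrun */
    if (img->data[0] != 0x55 || img->data[1] != 0xAA)
        return 0;
    uint32_t declared = (uint32_t)img->data[2] * 512;
    if (declared > img->size)
        return -1;                         /* checksum read would overrun */
    return vbios_checksum(img->data, declared) ? 1 : 3;
}

/* Post-patch logic: size must hold the 3-byte header, and the checksum
 * length is clamped to the shadowed size (the min_t() in the patch). */
static int score_checked(const struct vbios_image *img)
{
    if (img->size < 3 || !img->data ||
        img->data[0] != 0x55 || img->data[1] != 0xAA)
        return 0;                          /* "... signature not found" */
    uint32_t declared = (uint32_t)img->data[2] * 512;
    uint32_t len = declared < img->size ? declared : img->size;
    if (vbios_checksum(img->data, len))
        return 1;                          /* "... checksum invalid" */
    return 3;
}

/* Constructed test image: signature, declared length in 512-byte blocks,
 * filler, and a last byte chosen so the whole buffer sums to 0. */
static void make_image(uint8_t *buf, uint32_t size, uint8_t blocks)
{
    memset(buf, 0x5A, size);
    buf[0] = 0x55;
    buf[1] = 0xAA;
    buf[2] = blocks;
    buf[size - 1] = 0;
    buf[size - 1] = (uint8_t)(0 - vbios_checksum(buf, size));
}

enum scenario { GOOD, ZERO_SIZE, TRUNCATED };

/* Build one scenario and score it with the given scorer. */
static int run(enum scenario s, int (*score)(const struct vbios_image *))
{
    uint8_t buf[512];
    struct vbios_image img = { buf, sizeof buf };
    make_image(buf, sizeof buf, 1);
    switch (s) {
    case GOOD:
        break;
    case ZERO_SIZE:
        img.size = 0;      /* non-NULL data but nothing shadowed: the crash case */
        break;
    case TRUNCATED:
        buf[2] = 2;        /* header claims 1024 bytes, only 512 were shadowed */
        break;
    }
    return score(&img);
}

int main(void)
{
    const char *names[] = { "good", "zero-size", "truncated" };
    for (int s = GOOD; s <= TRUNCATED; s++)
        printf("%-10s unchecked=%2d checked=%d\n", names[s],
               run((enum scenario)s, score_unchecked),
               run((enum scenario)s, score_checked));
    return 0;
}
```

The zero-size scenario is the one from the bug report: the unchecked scorer would dereference the empty allocation (-1 in the model), while the checked one rejects the image as having no signature. The truncated scenario shows the cost of the clamp the reviewer notes mention: the image is rejected safely, but only as "checksum invalid".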