Message-ID: <CAErSpo5AeAstcSoJccw75pPUvC8t=36OggcmAOE-56nhW96b8A@mail.gmail.com>
Date:	Thu, 25 Oct 2012 12:33:09 -0600
From:	Bjorn Helgaas <bhelgaas@...gle.com>
To:	David Airlie <airlied@...ux.ie>,
	Daniel Vetter <daniel.vetter@...ll.ch>
Cc:	dri-devel@...ts.freedesktop.org, linux-pci@...r.kernel.org,
	linux-kernel@...r.kernel.org
Subject: DRM agp_init error path oops

I think there's a latent bug in a DRM error path, at least when used
by i915.  In the scenario below, if dev->driver->bus->agp_init()
fails, we call drm_lastclose().  At least in i915_driver_lastclose(),
this dereferences dev->dev_private (at "1" below).

But dev->dev_private isn't initialized until "2", in i915_driver_load().

    i915_pci_probe
        drm_get_pci_dev
            drm_fill_in_dev
                drm_pci_agp_init                (dev->driver->bus->agp_init)
                drm_lastclose                   # error path when agp_init fails
                    i915_driver_lastclose       (dev->driver->lastclose)
                        intel_fb_restore_mode
1)                          drm_fb_helper_restore_fbdev_mode(&dev->dev_private->fbdev->helper)
            i915_driver_load                    (dev->driver->load)
2)              dev->dev_private = (void *)dev_priv

We tripped over this because a different bug caused drm_pci_agp_init()
to fail when it shouldn't have.  Details about that bug are here:
https://bugzilla.kernel.org/show_bug.cgi?id=46481#c16

That bug has been fixed, but this dev_private initialization ordering
problem is still there, waiting to bite us again on the next machine
where drm_pci_agp_init() fails for some reason.

Bjorn
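
An added example, not part of the original message and not kernel code: a userspace C model of the ordering described above, where the teardown callback runs on the agp_init error path before load has set dev_private. The model_* names and the NULL check in the teardown callback are assumptions for illustration, not a fix taken from the DRM tree.

```c
/* Userspace model of the probe ordering in the report; all names are hypothetical. */
#include <stdio.h>
#include <stdlib.h>

struct model_priv { int fbdev_restored; };

struct model_dev {
    int agp_ok;                     /* constructed input: does agp_init succeed? */
    struct model_priv *dev_private; /* NULL until model_load() runs ("2") */
    int lastclose_skipped;          /* set when teardown ran before load */
};

/* Stands in for dev->driver->bus->agp_init. */
static int model_agp_init(struct model_dev *dev) { return dev->agp_ok ? 0 : -1; }

/* Stands in for dev->driver->load: the only place dev_private is set. */
static int model_load(struct model_dev *dev)
{
    dev->dev_private = calloc(1, sizeof(*dev->dev_private));
    return dev->dev_private ? 0 : -1;
}

/* Stands in for dev->driver->lastclose. Without the NULL check, the write
 * below is the dereference at "1" when reached from the agp_init error path. */
static void model_lastclose(struct model_dev *dev)
{
    if (!dev->dev_private) {
        dev->lastclose_skipped = 1;
        return;
    }
    dev->dev_private->fbdev_restored = 1;
}

/* Stands in for drm_get_pci_dev: agp_init (inside drm_fill_in_dev), then load. */
static int model_probe(struct model_dev *dev)
{
    if (model_agp_init(dev) != 0) {
        model_lastclose(dev);       /* error path runs before load */
        return -1;
    }
    return model_load(dev);
}

int main(void)
{
    struct model_dev bad = { .agp_ok = 0 };
    int rc = model_probe(&bad);
    printf("probe=%d skipped=%d\n", rc, bad.lastclose_skipped);
    return 0;
}
```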