Date:	Wed, 16 Jan 2013 21:06:49 -0600 (CST)
From:	Ilija Hadzic <ihadzic@...earch.bell-labs.com>
To:	Shuah Khan <shuah.khan@...com>
cc:	airlied@...ux.ie, deathsimple@...afone.de, jglisse@...hat.com,
	airlied@...hat.com,
	"Deucher, Alexander" <alexander.deucher@....com>,
	Greg KH <gregkh@...uxfoundation.org>,
	LKML <linux-kernel@...r.kernel.org>,
	dri-devel@...ts.freedesktop.org, shuahkhan@...il.com
Subject: Re: [PATCH] drm/radeon: fix NULL pointer dereference in UMS mode in
 radeon_cs_parser_fini()


Actually, the code path affected by your patch is not executed in UMS mode 
at all. Notice that radeon_cs_parser_fini is only called from 
radeon_cs_ioctl which is a KMS-only ioctl (see radeon_kms.c).

The equivalent of the fix you are trying to do is in
a6b7e1a02b77ab8fe8775d20a88c53d8ba55482e (the function patched by that one is
the one used by the legacy-CS ioctl), which should go together
with ff4bd0827764e10a428a9d39e6814c5478863f94 if you are backporting UMS
fixes to 3.7. Both are needed to prevent kernel crashes in UMS mode.

-- Ilija

On Wed, 16 Jan 2013, Shuah Khan wrote:

> Fix parser->rdev NULL pointer dereference in radeon_cs_parser_fini().
> While back-porting drm/radeon: fix NULL pointer dereference in UMS mode
> patch (commit-id: ff4bd0827764e10a428a9d39e6814c5478863f94) to 3.7.y, noticed
> another instance of NULL pointer dereference in radeon_cs_parser_fini()
> function.
>
> Signed-off-by: Shuah Khan <shuah.khan@...com>
> CC: stable@...r.kernel.org 3.7
> ---
> drivers/gpu/drm/radeon/radeon_cs.c |    2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/gpu/drm/radeon/radeon_cs.c b/drivers/gpu/drm/radeon/radeon_cs.c
> index 469661f..d1c282c 100644
> --- a/drivers/gpu/drm/radeon/radeon_cs.c
> +++ b/drivers/gpu/drm/radeon/radeon_cs.c
> @@ -329,7 +329,7 @@ static void radeon_cs_parser_fini(struct radeon_cs_parser *parser, int error)
> 	kfree(parser->relocs_ptr);
> 	for (i = 0; i < parser->nchunks; i++) {
> 		kfree(parser->chunks[i].kdata);
> -		if ((parser->rdev->flags & RADEON_IS_AGP)) {
> +		if (parser->rdev && (parser->rdev->flags & RADEON_IS_AGP)) {
> 			kfree(parser->chunks[i].kpage[0]);
> 			kfree(parser->chunks[i].kpage[1]);
> 		}
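Review bot: The `parser->rdev &&` guard added to the RADEON_IS_AGP check inside the loop has no stated caller that can reach radeon_cs_parser_fini() with parser->rdev unset; the commit message only says another instance was "noticed" during the backport. Name the call path in the commit message and say whether it is a UMS or a KMS path, since the reply above states that this function is only called from the KMS-only radeon_cs_ioctl. With the guard in place, a NULL rdev also silently skips the kfree() of kpage[0] and kpage[1], so the message should explain why those pages cannot have been allocated in that case.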
> -- 
> 1.7.9.5