lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CAMuHMdWy+aASNevg8nc9LTvR9QNrGYZQnB3sYYLDRfEU1w_idg@mail.gmail.com>
Date:   Mon, 4 Oct 2021 17:42:35 +0200
From:   Geert Uytterhoeven <geert@...ux-m68k.org>
To:     Douglas Anderson <dianders@...omium.org>
Cc:     Thierry Reding <thierry.reding@...il.com>,
        Rob Herring <robh+dt@...nel.org>,
        Sam Ravnborg <sam@...nborg.org>,
        "open list:OPEN FIRMWARE AND FLATTENED DEVICE TREE BINDINGS" 
        <devicetree@...r.kernel.org>, Steev Klimaszewski <steev@...i.org>,
        DRI Development <dri-devel@...ts.freedesktop.org>,
        linux-arm-msm <linux-arm-msm@...r.kernel.org>,
        David Airlie <airlied@...ux.ie>,
        Maarten Lankhorst <maarten.lankhorst@...ux.intel.com>,
        Thomas Zimmermann <tzimmermann@...e.de>,
        Linus W <linus.walleij@...aro.org>,
        Bjorn Andersson <bjorn.andersson@...aro.org>,
        Daniel Vetter <daniel@...ll.ch>,
        Maxime Ripard <mripard@...nel.org>,
        Jani Nikula <jani.nikula@...el.com>,
        Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
        Linux-Renesas <linux-renesas-soc@...r.kernel.org>
Subject: Re: [PATCH v5 02/15] drm/edid: Break out reading block 0 of the EDID

Hi Douglas,

On Tue, Sep 14, 2021 at 10:23 PM Douglas Anderson <dianders@...omium.org> wrote:
> A future change wants to be able to read just block 0 of the EDID, so
> break it out of drm_do_get_edid() into a sub-function.
>
> This is intended to be a no-op change--just code movement.
>
> Signed-off-by: Douglas Anderson <dianders@...omium.org>

Thanks for your patch, which is now commit bac9c29482248b00 ("drm/edid:
Break out reading block 0 of the EDID") in drm-next.

> --- a/drivers/gpu/drm/drm_edid.c
> +++ b/drivers/gpu/drm/drm_edid.c
> @@ -1905,6 +1905,44 @@ int drm_add_override_edid_modes(struct drm_connector *connector)
>  }
>  EXPORT_SYMBOL(drm_add_override_edid_modes);
>
> +static struct edid *drm_do_get_edid_base_block(
> +       int (*get_edid_block)(void *data, u8 *buf, unsigned int block,
> +                             size_t len),
> +       void *data, bool *edid_corrupt, int *null_edid_counter)
> +{
> +       int i;
> +       void *edid;
> +
> +       edid = kmalloc(EDID_LENGTH, GFP_KERNEL);
> +       if (edid == NULL)
> +               return NULL;
> +
> +       /* base block fetch */
> +       for (i = 0; i < 4; i++) {
> +               if (get_edid_block(data, edid, 0, EDID_LENGTH))
> +                       goto out;
> +               if (drm_edid_block_valid(edid, 0, false, edid_corrupt))
> +                       break;
> +               if (i == 0 && drm_edid_is_zero(edid, EDID_LENGTH)) {
> +                       if (null_edid_counter)
> +                               (*null_edid_counter)++;
> +                       goto carp;
> +               }
> +       }
> +       if (i == 4)
> +               goto carp;
> +
> +       return edid;
> +
> +carp:
> +       kfree(edid);
> +       return ERR_PTR(-EINVAL);
> +
> +out:
> +       kfree(edid);
> +       return NULL;
> +}
> +
>  /**
>   * drm_do_get_edid - get EDID data using a custom EDID block read function
>   * @connector: connector we're probing
> @@ -1938,25 +1976,16 @@ struct edid *drm_do_get_edid(struct drm_connector *connector,
>         if (override)
>                 return override;
>
> -       if ((edid = kmalloc(EDID_LENGTH, GFP_KERNEL)) == NULL)
> +       edid = (u8 *)drm_do_get_edid_base_block(get_edid_block, data,
> +                                               &connector->edid_corrupt,
> +                                               &connector->null_edid_counter);
> +       if (IS_ERR_OR_NULL(edid)) {
> +               if (IS_ERR(edid))

So edid is an error code, not a valid pointer...

> +                       connector_bad_edid(connector, edid, 1);

... while connector_bad_edid() expects edid to be a valid pointer,
causing a crash:

Unable to handle kernel NULL pointer dereference at virtual address
0000000000000068
Mem abort info:
  ESR = 0x96000004
  EC = 0x25: DABT (current EL), IL = 32 bits
  SET = 0, FnV = 0
  EA = 0, S1PTW = 0
  FSC = 0x04: level 0 translation fault
Data abort info:
  ISV = 0, ISS = 0x00000004
  CM = 0, WnR = 0
[0000000000000068] user address but active_mm is swapper
Internal error: Oops: 96000004 [#1] PREEMPT SMP
CPU: 0 PID: 7 Comm: kworker/u4:0 Not tainted
5.15.0-rc3-arm64-renesas-00629-geb2d42841024-dirty #1313
Hardware name: Renesas Ebisu-4D board based on r8a77990 (DT)
Workqueue: events_unbound deferred_probe_work_func
pstate: 20000005 (nzCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : connector_bad_edid+0x28/0x1a8
lr : drm_do_get_edid+0x260/0x268
sp : ffff8000121336a0
x29: ffff8000121336a0 x28: ffff00000a373200 x27: 0000000000001ffe
PM: ==== always-on/ee160000.mmc: stop
x26: 0000000000000005 x25: 0000000000000041 x24: 0000000000000000
x23: ffff000008a25080 x22: ffff8000106bd990 x21: ffff0000081496c0
x20: 0000000000000001 x19: ffffffffffffffea x18: 0000000000000010
x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000
x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000
x11: 0000000000000000 x10: 0000000000000000 x9 : 0000000000000000
x8 : 0000000000000000 x7 : 0000000000000080 x6 : ffff000009c71000
x5 : 0000000000000000 x4 : 0000000000000069 x3 : ffff00000a3c2900
x2 : 0000000000000001 x1 : ffffffffffffffea x0 : ffff000009c71000
Call trace:
 connector_bad_edid+0x28/0x1a8
 drm_do_get_edid+0x260/0x268
 adv7511_get_edid+0xb4/0xd0
 adv7511_bridge_get_edid+0x10/0x18

>                 return NULL;
> -
> -       /* base block fetch */
> -       for (i = 0; i < 4; i++) {
> -               if (get_edid_block(data, edid, 0, EDID_LENGTH))
> -                       goto out;
> -               if (drm_edid_block_valid(edid, 0, false,
> -                                        &connector->edid_corrupt))
> -                       break;
> -               if (i == 0 && drm_edid_is_zero(edid, EDID_LENGTH)) {
> -                       connector->null_edid_counter++;
> -                       goto carp;
> -               }
>         }
> -       if (i == 4)
> -               goto carp;
>
> -       /* if there's no extensions, we're done */
> +       /* if there's no extensions or no connector, we're done */
>         valid_extensions = edid[0x7e];
>         if (valid_extensions == 0)
>                 return (struct edid *)edid;
> @@ -2010,8 +2039,6 @@ struct edid *drm_do_get_edid(struct drm_connector *connector,
>
>         return (struct edid *)edid;
>
> -carp:
> -       connector_bad_edid(connector, edid, 1);
>  out:
>         kfree(edid);
>         return NULL;

Gr{oetje,eeting}s,

                        Geert

-- 
Geert Uytterhoeven -- There's lots of Linux beyond ia32 -- geert@...ux-m68k.org

In personal conversations with technical people, I call myself a hacker. But
when I'm talking to journalists I just say "programmer" or something like that.
                                -- Linus Torvalds

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ