| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 4 Oct 2021 17:42:35 +0200
From: Geert Uytterhoeven <geert@...ux-m68k.org>
To: Douglas Anderson <dianders@...omium.org>
Cc: Thierry Reding <thierry.reding@...il.com>,
Rob Herring <robh+dt@...nel.org>,
Sam Ravnborg <sam@...nborg.org>,
"open list:OPEN FIRMWARE AND FLATTENED DEVICE TREE BINDINGS"
<devicetree@...r.kernel.org>, Steev Klimaszewski <steev@...i.org>,
DRI Development <dri-devel@...ts.freedesktop.org>,
linux-arm-msm <linux-arm-msm@...r.kernel.org>,
David Airlie <airlied@...ux.ie>,
Maarten Lankhorst <maarten.lankhorst@...ux.intel.com>,
Thomas Zimmermann <tzimmermann@...e.de>,
Linus W <linus.walleij@...aro.org>,
Bjorn Andersson <bjorn.andersson@...aro.org>,
Daniel Vetter <daniel@...ll.ch>,
Maxime Ripard <mripard@...nel.org>,
Jani Nikula <jani.nikula@...el.com>,
Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
Linux-Renesas <linux-renesas-soc@...r.kernel.org>
Subject: Re: [PATCH v5 02/15] drm/edid: Break out reading block 0 of the EDID
Hi Douglas,
On Tue, Sep 14, 2021 at 10:23 PM Douglas Anderson <dianders@...omium.org> wrote:
> A future change wants to be able to read just block 0 of the EDID, so
> break it out of drm_do_get_edid() into a sub-function.
>
> This is intended to be a no-op change--just code movement.
>
> Signed-off-by: Douglas Anderson <dianders@...omium.org>
Thanks for your patch, which is now commit bac9c29482248b00 ("drm/edid:
Break out reading block 0 of the EDID") in drm-next.
> --- a/drivers/gpu/drm/drm_edid.c
> +++ b/drivers/gpu/drm/drm_edid.c
> @@ -1905,6 +1905,44 @@ int drm_add_override_edid_modes(struct drm_connector *connector)
> }
> EXPORT_SYMBOL(drm_add_override_edid_modes);
>
> +static struct edid *drm_do_get_edid_base_block(
> + int (*get_edid_block)(void *data, u8 *buf, unsigned int block,
> + size_t len),
> + void *data, bool *edid_corrupt, int *null_edid_counter)
> +{
> + int i;
> + void *edid;
> +
> + edid = kmalloc(EDID_LENGTH, GFP_KERNEL);
> + if (edid == NULL)
> + return NULL;
> +
> + /* base block fetch */
> + for (i = 0; i < 4; i++) {
> + if (get_edid_block(data, edid, 0, EDID_LENGTH))
> + goto out;
> + if (drm_edid_block_valid(edid, 0, false, edid_corrupt))
> + break;
> + if (i == 0 && drm_edid_is_zero(edid, EDID_LENGTH)) {
> + if (null_edid_counter)
> + (*null_edid_counter)++;
> + goto carp;
> + }
> + }
> + if (i == 4)
> + goto carp;
> +
> + return edid;
> +
> +carp:
> + kfree(edid);
> + return ERR_PTR(-EINVAL);
> +
> +out:
> + kfree(edid);
> + return NULL;
> +}
> +
> /**
> * drm_do_get_edid - get EDID data using a custom EDID block read function
> * @connector: connector we're probing
> @@ -1938,25 +1976,16 @@ struct edid *drm_do_get_edid(struct drm_connector *connector,
> if (override)
> return override;
>
> - if ((edid = kmalloc(EDID_LENGTH, GFP_KERNEL)) == NULL)
> + edid = (u8 *)drm_do_get_edid_base_block(get_edid_block, data,
> + &connector->edid_corrupt,
> + &connector->null_edid_counter);
> + if (IS_ERR_OR_NULL(edid)) {
> + if (IS_ERR(edid))
So edid is an error code, not a valid pointer...
> + connector_bad_edid(connector, edid, 1);
... while connector_bad_edid() expects edid to be a valid pointer,
causing a crash:
Unable to handle kernel NULL pointer dereference at virtual address
0000000000000068
Mem abort info:
ESR = 0x96000004
EC = 0x25: DABT (current EL), IL = 32 bits
SET = 0, FnV = 0
EA = 0, S1PTW = 0
FSC = 0x04: level 0 translation fault
Data abort info:
ISV = 0, ISS = 0x00000004
CM = 0, WnR = 0
[0000000000000068] user address but active_mm is swapper
Internal error: Oops: 96000004 [#1] PREEMPT SMP
CPU: 0 PID: 7 Comm: kworker/u4:0 Not tainted
5.15.0-rc3-arm64-renesas-00629-geb2d42841024-dirty #1313
Hardware name: Renesas Ebisu-4D board based on r8a77990 (DT)
Workqueue: events_unbound deferred_probe_work_func
pstate: 20000005 (nzCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : connector_bad_edid+0x28/0x1a8
lr : drm_do_get_edid+0x260/0x268
sp : ffff8000121336a0
x29: ffff8000121336a0 x28: ffff00000a373200 x27: 0000000000001ffe
PM: ==== always-on/ee160000.mmc: stop
x26: 0000000000000005 x25: 0000000000000041 x24: 0000000000000000
x23: ffff000008a25080 x22: ffff8000106bd990 x21: ffff0000081496c0
x20: 0000000000000001 x19: ffffffffffffffea x18: 0000000000000010
x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000
x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000
x11: 0000000000000000 x10: 0000000000000000 x9 : 0000000000000000
x8 : 0000000000000000 x7 : 0000000000000080 x6 : ffff000009c71000
x5 : 0000000000000000 x4 : 0000000000000069 x3 : ffff00000a3c2900
x2 : 0000000000000001 x1 : ffffffffffffffea x0 : ffff000009c71000
Call trace:
connector_bad_edid+0x28/0x1a8
drm_do_get_edid+0x260/0x268
adv7511_get_edid+0xb4/0xd0
adv7511_bridge_get_edid+0x10/0x18
> return NULL;
> -
> - /* base block fetch */
> - for (i = 0; i < 4; i++) {
> - if (get_edid_block(data, edid, 0, EDID_LENGTH))
> - goto out;
> - if (drm_edid_block_valid(edid, 0, false,
> - &connector->edid_corrupt))
> - break;
> - if (i == 0 && drm_edid_is_zero(edid, EDID_LENGTH)) {
> - connector->null_edid_counter++;
> - goto carp;
> - }
> }
> - if (i == 4)
> - goto carp;
>
> - /* if there's no extensions, we're done */
> + /* if there's no extensions or no connector, we're done */
> valid_extensions = edid[0x7e];
> if (valid_extensions == 0)
> return (struct edid *)edid;
> @@ -2010,8 +2039,6 @@ struct edid *drm_do_get_edid(struct drm_connector *connector,
>
> return (struct edid *)edid;
>
> -carp:
> - connector_bad_edid(connector, edid, 1);
> out:
> kfree(edid);
> return NULL;
Gr{oetje,eeting}s,
Geert
--
Geert Uytterhoeven -- There's lots of Linux beyond ia32 -- geert@...ux-m68k.org
In personal conversations with technical people, I call myself a hacker. But
when I'm talking to journalists I just say "programmer" or something like that.
-- Linus Torvalds
Powered by blists - more mailing lists