linux

mirror of git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git synced 2025-08-04 00:06:36 +00:00

History

Zwane Mwaikambo 73b62cdb93 drm/dp_aux_dev: check aux_dev before use in drm_dp_aux_dev_get_by_minor() I observed this when unplugging a DP monitor whilst a computer is asleep and then waking it up. This left DP chardev nodes still being present on the filesystem and accessing these device nodes caused an oops because drm_dp_aux_dev_get_by_minor() assumes a device exists if it is opened. This can also be reproduced by creating a device node with mknod(1) and issuing an open(2) [166164.933198] BUG: kernel NULL pointer dereference, address: 0000000000000018 [166164.933202] #PF: supervisor read access in kernel mode [166164.933204] #PF: error_code(0x0000) - not-present page [166164.933205] PGD 0 P4D 0 [166164.933208] Oops: 0000 [#1] PREEMPT SMP NOPTI [166164.933211] CPU: 4 PID: 99071 Comm: fwupd Tainted: G W 5.8.0-rc6+ #1 [166164.933213] Hardware name: LENOVO 20RD002VUS/20RD002VUS, BIOS R16ET25W (1.11 ) 04/21/2020 [166164.933232] RIP: 0010:drm_dp_aux_dev_get_by_minor+0x29/0x70 [drm_kms_helper] [166164.933234] Code: 00 0f 1f 44 00 00 55 48 89 e5 41 54 41 89 fc 48 c7 c7 60 01 a4 c0 e8 26 ab 30 d7 44 89 e6 48 c7 c7 80 01 a4 c0 e8 47 94 d6 d6 <8b> 50 18 49 89 c4 48 8d 78 18 85 d2 74 33 8d 4a 01 89 d0 f0 0f b1 [166164.933236] RSP: 0018:ffffb7d7c41cbbf0 EFLAGS: 00010246 [166164.933237] RAX: 0000000000000000 RBX: ffff8a90001fe900 RCX: 0000000000000000 [166164.933238] RDX: 0000000000000000 RSI: 0000000000000003 RDI: ffffffffc0a40180 [166164.933239] RBP: ffffb7d7c41cbbf8 R08: 0000000000000000 R09: ffff8a93e157d6d0 [166164.933240] R10: 0000000000000000 R11: ffffffffc0a40188 R12: 0000000000000003 [166164.933241] R13: ffff8a9402200e80 R14: ffff8a90001fe900 R15: 0000000000000000 [166164.933244] FS: 00007f7fb041eb00(0000) GS:ffff8a9411500000(0000) knlGS:0000000000000000 [166164.933245] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [166164.933246] CR2: 0000000000000018 CR3: 00000000352c2003 CR4: 00000000003606e0 [166164.933247] Call Trace: [166164.933264] auxdev_open+0x1b/0x40 [drm_kms_helper] [166164.933278] chrdev_open+0xa7/0x1c0 [166164.933282] ? cdev_put.part.0+0x20/0x20 [166164.933287] do_dentry_open+0x161/0x3c0 [166164.933291] vfs_open+0x2d/0x30 [166164.933297] path_openat+0xb27/0x10e0 [166164.933306] ? atime_needs_update+0x73/0xd0 [166164.933309] do_filp_open+0x91/0x100 [166164.933313] ? __alloc_fd+0xb2/0x150 [166164.933316] do_sys_openat2+0x210/0x2d0 [166164.933318] do_sys_open+0x46/0x80 [166164.933320] __x64_sys_openat+0x20/0x30 [166164.933328] do_syscall_64+0x52/0xc0 [166164.933336] entry_SYSCALL_64_after_hwframe+0x44/0xa9 (gdb) disassemble drm_dp_aux_dev_get_by_minor+0x29 Dump of assembler code for function drm_dp_aux_dev_get_by_minor: 0x0000000000017b10 <+0>: callq 0x17b15 <drm_dp_aux_dev_get_by_minor+5> 0x0000000000017b15 <+5>: push %rbp 0x0000000000017b16 <+6>: mov %rsp,%rbp 0x0000000000017b19 <+9>: push %r12 0x0000000000017b1b <+11>: mov %edi,%r12d 0x0000000000017b1e <+14>: mov $0x0,%rdi 0x0000000000017b25 <+21>: callq 0x17b2a <drm_dp_aux_dev_get_by_minor+26> 0x0000000000017b2a <+26>: mov %r12d,%esi 0x0000000000017b2d <+29>: mov $0x0,%rdi 0x0000000000017b34 <+36>: callq 0x17b39 <drm_dp_aux_dev_get_by_minor+41> 0x0000000000017b39 <+41>: mov 0x18(%rax),%edx <========= 0x0000000000017b3c <+44>: mov %rax,%r12 0x0000000000017b3f <+47>: lea 0x18(%rax),%rdi 0x0000000000017b43 <+51>: test %edx,%edx 0x0000000000017b45 <+53>: je 0x17b7a <drm_dp_aux_dev_get_by_minor+106> 0x0000000000017b47 <+55>: lea 0x1(%rdx),%ecx 0x0000000000017b4a <+58>: mov %edx,%eax 0x0000000000017b4c <+60>: lock cmpxchg %ecx,(%rdi) 0x0000000000017b50 <+64>: jne 0x17b76 <drm_dp_aux_dev_get_by_minor+102> 0x0000000000017b52 <+66>: test %edx,%edx 0x0000000000017b54 <+68>: js 0x17b6d <drm_dp_aux_dev_get_by_minor+93> 0x0000000000017b56 <+70>: test %ecx,%ecx 0x0000000000017b58 <+72>: js 0x17b6d <drm_dp_aux_dev_get_by_minor+93> 0x0000000000017b5a <+74>: mov $0x0,%rdi 0x0000000000017b61 <+81>: callq 0x17b66 <drm_dp_aux_dev_get_by_minor+86> 0x0000000000017b66 <+86>: mov %r12,%rax 0x0000000000017b69 <+89>: pop %r12 0x0000000000017b6b <+91>: pop %rbp 0x0000000000017b6c <+92>: retq 0x0000000000017b6d <+93>: xor %esi,%esi 0x0000000000017b6f <+95>: callq 0x17b74 <drm_dp_aux_dev_get_by_minor+100> 0x0000000000017b74 <+100>: jmp 0x17b5a <drm_dp_aux_dev_get_by_minor+74> 0x0000000000017b76 <+102>: mov %eax,%edx 0x0000000000017b78 <+104>: jmp 0x17b43 <drm_dp_aux_dev_get_by_minor+51> 0x0000000000017b7a <+106>: xor %r12d,%r12d 0x0000000000017b7d <+109>: jmp 0x17b5a <drm_dp_aux_dev_get_by_minor+74> End of assembler dump. (gdb) list drm_dp_aux_dev_get_by_minor+0x29 0x17b39 is in drm_dp_aux_dev_get_by_minor (drivers/gpu/drm/drm_dp_aux_dev.c:65). 60 static struct drm_dp_aux_dev drm_dp_aux_dev_get_by_minor(unsigned index) 61 { 62 struct drm_dp_aux_dev aux_dev = NULL; 63 64 mutex_lock(&aux_idr_mutex); 65 aux_dev = idr_find(&aux_idr, index); 66 if (!kref_get_unless_zero(&aux_dev->refcount)) 67 aux_dev = NULL; 68 mutex_unlock(&aux_idr_mutex); 69 (gdb) p/x &((struct drm_dp_aux_dev )(0x0))->refcount $8 = 0x18 Looking at the caller, checks on the minor are pushed down to drm_dp_aux_dev_get_by_minor() static int auxdev_open(struct inode inode, struct file file) { unsigned int minor = iminor(inode); struct drm_dp_aux_dev *aux_dev; aux_dev = drm_dp_aux_dev_get_by_minor(minor); <==== if (!aux_dev) return -ENODEV; file->private_data = aux_dev; return 0; } Fixes: `e94cb37b34` ("drm/dp: Add a drm_aux-dev module for reading/writing dpcd registers.") Cc: <stable@vger.kernel.org> # v4.6+ Signed-off-by: Zwane Mwaikambo <zwane@yosper.io> Reviewed-by: Lyude Paul <lyude@redhat.com> [added Cc to stable] Signed-off-by: Lyude Paul <lyude@redhat.com> Link: https://patchwork.freedesktop.org/patch/msgid/alpine.DEB.2.21.2010122231070.38717@montezuma.home		2020-10-15 13:58:54 -04:00
..
accessibility	Char/Misc driver fixes for 5.9-rc3	2020-08-26 10:50:50 -07:00
acpi	Merge branch 'acpi-mm'	2020-08-28 21:17:56 +02:00
amba
android
ata	libata-5.9-2020-09-04	2020-09-04 13:19:19 -07:00
atm	Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net	2020-09-03 18:50:48 -07:00
auxdisplay	A trivial patch for auxdisplay:	2020-09-05 14:22:46 -07:00
base	Driver core fixes for 5.9-rc5	2020-09-13 09:02:59 -07:00
bcma
block	rbd: require global CAP_SYS_ADMIN for mapping and unmapping	2020-09-07 13:14:30 +02:00
bluetooth
bus	treewide: Use fallthrough pseudo-keyword	2020-08-23 17:36:59 -05:00
cdrom
char	Merge branch 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6	2020-08-30 15:53:44 -07:00
clk	More ACPI updates for 5.9-rc1	2020-08-15 08:18:22 -07:00
clocksource	treewide: Use fallthrough pseudo-keyword	2020-08-23 17:36:59 -05:00
connector
counter	counter: microchip-tcb-capture: check the correct variable	2020-08-22 11:38:42 +01:00
cpufreq	cpufreq: intel_pstate: Fix intel_pstate_get_hwp_max() for turbo disabled	2020-09-01 21:15:00 +02:00
cpuidle	cpuidle: Make CPUIDLE_FLAG_TLB_FLUSHED generic	2020-08-26 12:41:53 +02:00
crypto	Merge branch 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6	2020-08-30 15:53:44 -07:00
dax	libnvdimm fix for v5.9-rc5	2020-09-12 12:43:58 -07:00
dca
devfreq
dio
dma	dmaengine fixes for v5.9-rc4	2020-09-04 12:12:39 -07:00
dma-buf	dma-buf: use struct_size macro	2020-10-08 15:39:36 +02:00
edac	A fix to properly clear ghes_edac driver state on driver remove so that	2020-08-30 10:47:23 -07:00
eisa
extcon
firewire	treewide: Use fallthrough pseudo-keyword	2020-08-23 17:36:59 -05:00
firmware	Driver core fixes for 5.9-rc5	2020-09-13 09:02:59 -07:00
fpga
fsi
gnss
gpio	treewide: Use fallthrough pseudo-keyword	2020-08-23 17:36:59 -05:00
gpu	drm/dp_aux_dev: check aux_dev before use in drm_dp_aux_dev_get_by_minor()	2020-10-15 13:58:54 -04:00
greybus
hid	Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/hid/hid	2020-09-02 12:55:46 -07:00
hsi	treewide: Use fallthrough pseudo-keyword	2020-08-23 17:36:59 -05:00
hv	hyperv-fixes for 5.9-rc3	2020-08-26 10:44:15 -07:00
hwmon	hwmon fixes for v5.9-rc3	2020-08-29 12:37:00 -07:00
hwspinlock
hwtracing	treewide: Use fallthrough pseudo-keyword	2020-08-23 17:36:59 -05:00
i2c	i2c: algo: pca: Reapply i2c bus settings after reset	2020-09-09 10:22:40 +02:00
i3c	treewide: Use fallthrough pseudo-keyword	2020-08-23 17:36:59 -05:00
ide	treewide: Use fallthrough pseudo-keyword	2020-08-23 17:36:59 -05:00
idle	cpuidle: Make CPUIDLE_FLAG_TLB_FLUSHED generic	2020-08-26 12:41:53 +02:00
iio	Staging / IIO driver fixes for 5.9-rc5	2020-09-13 09:15:20 -07:00
infiniband	RDMA second 5.9-rc pull request	2020-09-11 10:02:36 -07:00
input	treewide: Use fallthrough pseudo-keyword	2020-08-23 17:36:59 -05:00
interconnect	interconnect: qcom: Fix small BW votes being truncated to zero	2020-09-04 00:07:12 +03:00
iommu	iommu/vt-d: Handle 36bit addressing for x86-32	2020-09-04 12:14:28 +02:00
ipack
irqchip	A set of fixes for interrupt chip drivers:	2020-08-30 11:56:54 -07:00
isdn	treewide: Use fallthrough pseudo-keyword	2020-08-23 17:36:59 -05:00
leds	LEDs changes for 5.9-rc1.	2020-08-05 19:24:27 -07:00
lightnvm	treewide: Use fallthrough pseudo-keyword	2020-08-23 17:36:59 -05:00
macintosh	treewide: Use fallthrough pseudo-keyword	2020-08-23 17:36:59 -05:00
mailbox	iomap: constify ioreadX() iomem argument (as in generic implementation)	2020-08-14 19:56:57 -07:00
mcb
md	dm thin metadata: Fix use-after-free in dm_bm_set_read_only	2020-09-02 13:38:40 -04:00
media	dma-buf: Use struct dma_buf_map in dma_buf_vunmap() interfaces	2020-09-29 12:41:21 +02:00
memory	treewide: Use fallthrough pseudo-keyword	2020-08-23 17:36:59 -05:00
memstick	treewide: Use fallthrough pseudo-keyword	2020-08-23 17:36:59 -05:00
message	treewide: Use fallthrough pseudo-keyword	2020-08-23 17:36:59 -05:00
mfd	- Bug Fixes	2020-08-28 10:15:33 -07:00
misc	dma-buf: Use struct dma_buf_map in dma_buf_vmap() interfaces	2020-09-29 12:40:58 +02:00
mmc	mmc: sdio: Use mmc_pre_req() / mmc_post_req()	2020-09-07 08:57:44 +02:00
most
mtd	This pull request contains changes for JFFS2, UBI and UBIFS	2020-08-10 18:20:04 -07:00
mux	treewide: Use fallthrough pseudo-keyword	2020-08-23 17:36:59 -05:00
net	Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net	2020-09-03 18:50:48 -07:00
nfc	Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net	2020-09-03 18:50:48 -07:00
ntb	treewide: Use fallthrough pseudo-keyword	2020-08-23 17:36:59 -05:00
nubus
nvdimm	libnvdimm: KASAN: global-out-of-bounds Read in internal_create_group	2020-08-17 14:47:38 -06:00
nvme	- Fix a regression in bdev partition locking (Christoph)	2020-09-11 11:55:28 -07:00
nvmem
of	of: address: Work around missing device_type property in pcie nodes	2020-08-19 16:30:57 -06:00
opp	Merge branch 'opp/fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/vireshk/pm	2020-09-01 19:44:20 +02:00
oprofile
parisc	Merge branch 'parisc-5.9-2' of git://git.kernel.org/pub/scm/linux/kernel/git/deller/parisc-linux	2020-08-12 12:41:15 -07:00
parport	treewide: Use fallthrough pseudo-keyword	2020-08-23 17:36:59 -05:00
pci	treewide: Use fallthrough pseudo-keyword	2020-08-23 17:36:59 -05:00
pcmcia	treewide: Use fallthrough pseudo-keyword	2020-08-23 17:36:59 -05:00
perf	treewide: Use fallthrough pseudo-keyword	2020-08-23 17:36:59 -05:00
phy	phy: fixes for 5.9	2020-09-04 12:41:55 +02:00
pinctrl	This is the bulk of the pin control changes for the v5.9	2020-08-09 12:52:28 -07:00
platform	treewide: Use fallthrough pseudo-keyword	2020-08-23 17:36:59 -05:00
pnp
power	treewide: Use fallthrough pseudo-keyword	2020-08-23 17:36:59 -05:00
powercap	powercap/intel_rapl: add support for AlderLake	2020-09-10 19:17:29 +02:00
pps
ps3	treewide: Use fallthrough pseudo-keyword	2020-08-23 17:36:59 -05:00
ptp	ptp: ptp_clockmatrix: use i2c_master_send for i2c write	2020-08-19 16:23:22 -07:00
pwm	pwm: Changes for v5.9-rc1	2020-08-14 16:00:09 -07:00
rapidio	rapidio: Replace 'select' DMAENGINES 'with depends on'	2020-09-05 19:52:54 +03:00
ras
regulator	regulator: Fixes for v5.9	2020-09-11 11:25:55 -07:00
remoteproc	treewide: Use fallthrough pseudo-keyword	2020-08-23 17:36:59 -05:00
reset	treewide: Use fallthrough pseudo-keyword	2020-08-23 17:36:59 -05:00
rpmsg	treewide: Use fallthrough pseudo-keyword	2020-08-23 17:36:59 -05:00
rtc	treewide: Use fallthrough pseudo-keyword	2020-08-23 17:36:59 -05:00
s390	treewide: Use fallthrough pseudo-keyword	2020-08-23 17:36:59 -05:00
sbus
scsi	SCSI fixes on 20200908	2020-09-08 11:42:58 -07:00
sfi
sh	iomap: constify ioreadX() iomem argument (as in generic implementation)	2020-08-14 19:56:57 -07:00
siox
slimbus
soc	treewide: Use fallthrough pseudo-keyword	2020-08-23 17:36:59 -05:00
soundwire	soundwire: fix double free of dangling pointer	2020-09-03 14:10:19 +05:30
spi	spi: Fixes for v5.9	2020-09-11 11:35:55 -07:00
spmi
ssb	treewide: Use fallthrough pseudo-keyword	2020-08-23 17:36:59 -05:00
staging	Staging / IIO driver fixes for 5.9-rc5	2020-09-13 09:15:20 -07:00
target	SCSI fixes on 20200908	2020-09-08 11:42:58 -07:00
tc
tee
thermal	- Fix bogus thermal shutdowns for omap4430 where bogus values	2020-09-04 12:49:03 -07:00
thunderbolt	thunderbolt: Fixes for v5.9-rc4	2020-09-01 09:48:28 +02:00
tty	TTY/Serial fixes for 5.9-rc3	2020-08-26 10:58:20 -07:00
uio
usb	USB-serial fixes for 5.9-rc5	2020-09-08 17:50:58 +02:00
vdpa	vdpa/mlx5: Avoid warnings about shifts on 32-bit platforms	2020-08-26 08:13:59 -04:00
vfio	treewide: Use fallthrough pseudo-keyword	2020-08-23 17:36:59 -05:00
vhost	Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net	2020-09-03 18:50:48 -07:00
video	fbdev: sbuslib: remove compat_alloc_user_space usage	2020-09-25 16:34:50 +02:00
virt
virtio	Merge branch 'virtio-shm' of git://git.kernel.org/pub/scm/linux/kernel/git/mszeredi/fuse into drm-misc-next	2020-09-16 13:18:32 +02:00
visorbus
vlynq
vme
w1
watchdog	treewide: Use fallthrough pseudo-keyword	2020-08-23 17:36:59 -05:00
xen	xen: branch for v5.9-rc4	2020-09-06 09:59:27 -07:00
zorro
Kconfig
Makefile