Received: by 2002:a05:6a10:22f:0:0:0:0 with SMTP id 15csp125815pxk; Tue, 1 Sep 2020 18:25:34 -0700 (PDT) X-Google-Smtp-Source: ABdhPJyQSWOmRlnkNRX+kMBAVw2S81YxwAiiy3l97j0v4fhXZm3tlbPRkt5W1nufuU1EsiYv1bTo X-Received: by 2002:a17:906:8695:: with SMTP id g21mr3942905ejx.504.1599009934696; Tue, 01 Sep 2020 18:25:34 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1599009934; cv=none; d=google.com; s=arc-20160816; b=c3k4kd8+9P8EFpdmp9YYayhW5nQt5cinLyeHrGJgwghrFR+saJWLcKOT5Yn3sUFLi1 8rHuQcqJOl8v0F2VN9upAd0shHUr4oNDjp8yLlYhhWUFCJYj8c8TULAu8ZyXlyQW11Pc M4Tul+LiivAiMX1sRfbnL2qfiKsjZc7IZITI7OZw75klaQJOqmCuvwxeNzxSj+EZAsAe 3zie5q17n7UWSUBaNO1ADG6WdE9yDcrME74T0fR2ekp+XJ5SrbFk+Z6QQ906Vln2yyRc 7utEBtQ0zndO6NofMGlzyPz6lDR7tck8rxo5I3n6AYgRbdA3L0Al+kGpVy1oqCIowll7 3ypg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-language :content-transfer-encoding:in-reply-to:mime-version:user-agent:date :message-id:from:references:cc:to:subject; bh=mdQX7uWU1ASEdiqC5bC72TFXyT9FIqH9CDs0bfZKABk=; b=jp/C6YEBiRWcksIL9bA3t5kxgnZYES25Y+WqgAHxDlhMzt1hKrM2coKEXmyEG+u21z kDyvoUOhzk3i7Y7zoojAPFSazGklkFxSH9xKnWQ+u6kRCBgpRejvzUbYKiJO2bcYclYY Z150EZQ7MrfJ3+rhm3n4gvZ5Sq6sp3py4jelEX/v2lwAmADIgvh/n1tC4I7Rp8w3O9NH Wttzecl+flav4Y7g/z1UwW4FBwKh3w/ULv1jPSgbiAVhb3EnLNc8I3UWct1p9T8muApd 9qVfmHX3CfFQgpM67pmGXhpROg8vg20UpAMEG2LsxZlkQOzsjiuYITrQaOOB/ftwYjow Z91w== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id 40si1593864edr.35.2020.09.01.18.25.11; Tue, 01 Sep 2020 18:25:34 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726269AbgIBBX4 (ORCPT + 99 others); Tue, 1 Sep 2020 21:23:56 -0400 Received: from zg8tmja5ljk3lje4mi4ymjia.icoremail.net ([209.97.182.222]:37662 "HELO zg8tmja5ljk3lje4mi4ymjia.icoremail.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with SMTP id S1726122AbgIBBXz (ORCPT ); Tue, 1 Sep 2020 21:23:55 -0400 Received: from [166.111.139.123] (unknown [166.111.139.123]) by app-1 (Coremail) with SMTP id DwQGZQDnviIb9E5fYIv8AA--.33306S2; Wed, 02 Sep 2020 09:23:39 +0800 (CST) Subject: Re: [PATCH 4.19 016/125] media: pci: ttpci: av7110: fix possible buffer overflow caused by bad DMA value in debiirq() To: Pavel Machek , Greg Kroah-Hartman Cc: Sean Young , linux-kernel@vger.kernel.org, stable@vger.kernel.org, Jia-Ju Bai , Mauro Carvalho Chehab , Sasha Levin References: <20200901150934.576210879@linuxfoundation.org> <20200901150935.368387062@linuxfoundation.org> <20200901162512.GA30837@gofer.mess.org> <20200901163523.GA1458104@kroah.com> <20200901211626.GA17861@duo.ucw.cz> From: Jia-Ju Bai Message-ID: <5c177bce-c7f8-6938-45a9-820d7d32e2e0@tsinghua.edu.cn> Date: Wed, 2 Sep 2020 09:23:41 +0800 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:68.0) Gecko/20100101 Thunderbird/68.4.1 MIME-Version: 1.0 In-Reply-To: <20200901211626.GA17861@duo.ucw.cz> Content-Type: text/plain; charset=windows-1252; format=flowed Content-Transfer-Encoding: 7bit Content-Language: en-US X-CM-TRANSID: DwQGZQDnviIb9E5fYIv8AA--.33306S2 X-Coremail-Antispam: 1UD129KBjvJXoW7Aw17tFyUXr4xWFWUWrWktFb_yoW8XF48pF W7KayrKFsYqrZFkryktwnYva40y3WYqryxXr1UZ3yUGwn0qFyayr4xGa13ua4qvrs5Ga4Y vF4jqasFg3yDZa7anT9S1TB71UUUUUUqnTZGkaVYY2UrUUUUjbIjqfuFe4nvWSU5nxnvy2 9KBjDU0xBIdaVrnRJUUUvv14x267AKxVW8JVW5JwAFc2x0x2IEx4CE42xK8VAvwI8IcIk0 rVWrJVCq3wAFIxvE14AKwVWUJVWUGwA2ocxC64kIII0Yj41l84x0c7CEw4AK67xGY2AK02 1l84ACjcxK6xIIjxv20xvE14v26w1j6s0DM28EF7xvwVC0I7IYx2IY6xkF7I0E14v26r4U JVWxJr1l84ACjcxK6I8E87Iv67AKxVW0oVCq3wA2z4x0Y4vEx4A2jsIEc7CjxVAFwI0_Gc CE3s1le2I262IYc4CY6c8Ij28IcVAaY2xG8wAqx4xG64xvF2IEw4CE5I8CrVC2j2WlYx0E 2Ix0cI8IcVAFwI0_Jr0_Jr4lYx0Ex4A2jsIE14v26r1j6r4UMcvjeVCFs4IE7xkEbVWUJV W8JwACjcxG0xvEwIxGrwACjI8F5VA0II8E6IAqYI8I648v4I1lc7I2V7IY0VAS07AlzVAY IcxG8wCY02Avz4vE14v_KwCF04k20xvY0x0EwIxGrwCFx2IqxVCFs4IE7xkEbVWUJVW8Jw C20s026c02F40E14v26r1j6r18MI8I3I0E7480Y4vE14v26r106r1rMI8E67AF67kF1VAF wI0_Jw0_GFylIxkGc2Ij64vIr41lIxAIcVC0I7IYx2IY67AKxVWUJVWUCwCI42IY6xIIjx v20xvEc7CjxVAFwI0_Jr0_Gr1lIxAIcVCF04k26cxKx2IYs7xG6rW3Jr0E3s1lIxAIcVC2 z280aVAFwI0_Jr0_Gr1lIxAIcVC2z280aVCY1x0267AKxVWUJVW8JbIYCTnIWIevJa73Uj IFyTuYvjfUOMKZDUUUU X-CM-SenderInfo: xedlyxhdmxq3pvlqwxlxdovvfxof0/ Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 2020/9/2 5:16, Pavel Machek wrote: > On Tue 2020-09-01 18:35:23, Greg Kroah-Hartman wrote: >> On Tue, Sep 01, 2020 at 05:25:12PM +0100, Sean Young wrote: >>> Greg, >>> >>> On Tue, Sep 01, 2020 at 05:09:31PM +0200, Greg Kroah-Hartman wrote: >>>> From: Jia-Ju Bai >>>> >>>> [ Upstream commit 6499a0db9b0f1e903d52f8244eacc1d4be00eea2 ] >>>> >>>> The value av7110->debi_virt is stored in DMA memory, and it is assigned >>>> to data, and thus data[0] can be modified at any time by malicious >>>> hardware. In this case, "if (data[0] < 2)" can be passed, but then >>>> data[0] can be changed into a large number, which may cause buffer >>>> overflow when the code "av7110->ci_slot[data[0]]" is used. >>>> >>>> To fix this possible bug, data[0] is assigned to a local variable, which >>>> replaces the use of data[0]. >>> See the discussion here: >>> >>> https://lkml.org/lkml/2020/8/31/479 >>> >>> It does not seem worthwhile merging to the stable trees. >> It doesn't hurt either :) > Update stable kernel rules. > > If "patch does not match description and is pretty obviously useless" > but "does not hurt" is acceptable for stable tree, people should know. > > You are pushing known junk into stable. Stop that. Sorry for my useless patch... Recently I submitted a new patch wiith READ_ONCE() to fix the problem that Pavel said: https://lkml.org/lkml/2020/8/30/67 If you think this new patch is still useless, reverting the code is fine to me. Best wishes, Jia-Ju Bai