Date: Tue, 8 Sep 2020 09:18:18 -0700 (PDT)
From: Zwane Mwaikambo
To: Ville Syrjälä
Cc: Zwane Mwaikambo, Lyude Paul, dri-devel, dkwon@redhat.com, Linux Kernel
Subject: Re: [PATCH] drm/dp check aux_dev before use in drm_dp_aux_dev_get_by_minor()
In-Reply-To: <20200907110544.GE6112@intel.com>
References: <20200811085830.GZ2352366@phenom.ffwll.local> <20200907110544.GE6112@intel.com>
List-ID: linux-kernel@vger.kernel.org

On Mon, 7 Sep 2020, Ville Syrjälä wrote:

> On Fri, Sep 04, 2020 at 12:21:26AM -0700, Zwane Mwaikambo wrote:
> > I observed this when unplugging a DP monitor whilst a computer is asleep
> > and then waking it up. This left DP chardev nodes still being present on
> > the filesystem and accessing these device nodes caused an oops because
> > drm_dp_aux_dev_get_by_minor() assumes a device exists if it is opened.
> > This can also be reproduced by creating a device node with mknod(1) and
> > issuing an open(2)
> > 
> > [166164.933198] BUG: kernel NULL pointer dereference, address: 0000000000000018
> > [166164.933202] #PF: supervisor read access in kernel mode
> > [166164.933204] #PF: error_code(0x0000) - not-present page
> > [166164.933205] PGD 0 P4D 0
> > [166164.933208] Oops: 0000 [#1] PREEMPT SMP NOPTI
> > [166164.933211] CPU: 4 PID: 99071 Comm: fwupd Tainted: G W 5.8.0-rc6+ #1
> > [166164.933213] Hardware name: LENOVO 20RD002VUS/20RD002VUS, BIOS R16ET25W (1.11 ) 04/21/2020
> > [166164.933232] RIP: 0010:drm_dp_aux_dev_get_by_minor+0x29/0x70 [drm_kms_helper]
> > [166164.933234] Code: 00 0f 1f 44 00 00 55 48 89 e5 41 54 41 89 fc 48 c7 c7 60 01 a4 c0 e8 26 ab 30 d7 44 89 e6 48 c7 c7 80 01 a4 c0 e8 47 94 d6 d6 <8b> 50 18 49 89 c4 48 8d 78 18 85 d2 74 33 8d 4a 01 89 d0 f0 0f b1
> > [166164.933236] RSP: 0018:ffffb7d7c41cbbf0 EFLAGS: 00010246
> > [166164.933237] RAX: 0000000000000000 RBX: ffff8a90001fe900 RCX: 0000000000000000
> > [166164.933238] RDX: 0000000000000000 RSI: 0000000000000003 RDI: ffffffffc0a40180
> > [166164.933239] RBP: ffffb7d7c41cbbf8 R08: 0000000000000000 R09: ffff8a93e157d6d0
> > [166164.933240] R10: 0000000000000000 R11: ffffffffc0a40188 R12: 0000000000000003
> > [166164.933241] R13: ffff8a9402200e80 R14: ffff8a90001fe900 R15: 0000000000000000
> > [166164.933244] FS: 00007f7fb041eb00(0000) GS:ffff8a9411500000(0000) knlGS:0000000000000000
> > [166164.933245] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> > [166164.933246] CR2: 0000000000000018 CR3: 00000000352c2003 CR4: 00000000003606e0
> > [166164.933247] Call Trace:
> > [166164.933264] auxdev_open+0x1b/0x40 [drm_kms_helper]
> > [166164.933278] chrdev_open+0xa7/0x1c0
> > [166164.933282] ? cdev_put.part.0+0x20/0x20
> > [166164.933287] do_dentry_open+0x161/0x3c0
> > [166164.933291] vfs_open+0x2d/0x30
> > [166164.933297] path_openat+0xb27/0x10e0
> > [166164.933306] ? atime_needs_update+0x73/0xd0
> > [166164.933309] do_filp_open+0x91/0x100
> > [166164.933313] ? __alloc_fd+0xb2/0x150
> > [166164.933316] do_sys_openat2+0x210/0x2d0
> > [166164.933318] do_sys_open+0x46/0x80
> > [166164.933320] __x64_sys_openat+0x20/0x30
> > [166164.933328] do_syscall_64+0x52/0xc0
> > [166164.933336] entry_SYSCALL_64_after_hwframe+0x44/0xa9
> > 
> > 
> > (gdb) disassemble drm_dp_aux_dev_get_by_minor+0x29
> > Dump of assembler code for function drm_dp_aux_dev_get_by_minor:
> > 0x0000000000017b10 <+0>:     callq  0x17b15
> > 0x0000000000017b15 <+5>:     push   %rbp
> > 0x0000000000017b16 <+6>:     mov    %rsp,%rbp
> > 0x0000000000017b19 <+9>:     push   %r12
> > 0x0000000000017b1b <+11>:    mov    %edi,%r12d
> > 0x0000000000017b1e <+14>:    mov    $0x0,%rdi
> > 0x0000000000017b25 <+21>:    callq  0x17b2a
> > 0x0000000000017b2a <+26>:    mov    %r12d,%esi
> > 0x0000000000017b2d <+29>:    mov    $0x0,%rdi
> > 0x0000000000017b34 <+36>:    callq  0x17b39
> > 0x0000000000017b39 <+41>:    mov    0x18(%rax),%edx   <=========
> > 0x0000000000017b3c <+44>:    mov    %rax,%r12
> > 0x0000000000017b3f <+47>:    lea    0x18(%rax),%rdi
> > 0x0000000000017b43 <+51>:    test   %edx,%edx
> > 0x0000000000017b45 <+53>:    je     0x17b7a
> > 0x0000000000017b47 <+55>:    lea    0x1(%rdx),%ecx
> > 0x0000000000017b4a <+58>:    mov    %edx,%eax
> > 0x0000000000017b4c <+60>:    lock cmpxchg %ecx,(%rdi)
> > 0x0000000000017b50 <+64>:    jne    0x17b76
> > 0x0000000000017b52 <+66>:    test   %edx,%edx
> > 0x0000000000017b54 <+68>:    js     0x17b6d
> > 0x0000000000017b56 <+70>:    test   %ecx,%ecx
> > 0x0000000000017b58 <+72>:    js     0x17b6d
> > 0x0000000000017b5a <+74>:    mov    $0x0,%rdi
> > 0x0000000000017b61 <+81>:    callq  0x17b66
> > 0x0000000000017b66 <+86>:    mov    %r12,%rax
> > 0x0000000000017b69 <+89>:    pop    %r12
> > 0x0000000000017b6b <+91>:    pop    %rbp
> > 0x0000000000017b6c <+92>:    retq
> > 0x0000000000017b6d <+93>:    xor    %esi,%esi
> > 0x0000000000017b6f <+95>:    callq  0x17b74
> > 0x0000000000017b74 <+100>:   jmp    0x17b5a
> > 0x0000000000017b76 <+102>:   mov    %eax,%edx
> > 0x0000000000017b78 <+104>:   jmp    0x17b43
> > 0x0000000000017b7a <+106>:   xor    %r12d,%r12d
> > 0x0000000000017b7d <+109>:   jmp    0x17b5a
> > End of assembler dump.
> > 
> > (gdb) list *drm_dp_aux_dev_get_by_minor+0x29
> > 0x17b39 is in drm_dp_aux_dev_get_by_minor (drivers/gpu/drm/drm_dp_aux_dev.c:65).
> > 60	static struct drm_dp_aux_dev *drm_dp_aux_dev_get_by_minor(unsigned index)
> > 61	{
> > 62		struct drm_dp_aux_dev *aux_dev = NULL;
> > 63	
> > 64		mutex_lock(&aux_idr_mutex);
> > 65		aux_dev = idr_find(&aux_idr, index);
> > 66		if (!kref_get_unless_zero(&aux_dev->refcount))
> > 67			aux_dev = NULL;
> > 68		mutex_unlock(&aux_idr_mutex);
> > 69	
> > (gdb) p/x &((struct drm_dp_aux_dev *)(0x0))->refcount
> > $8 = 0x18
> > 
> > Looking at the caller, checks on the minor are pushed down to
> > drm_dp_aux_dev_get_by_minor()
> > 
> > static int auxdev_open(struct inode *inode, struct file *file)
> > {
> > 	unsigned int minor = iminor(inode);
> > 	struct drm_dp_aux_dev *aux_dev;
> > 
> > 	aux_dev = drm_dp_aux_dev_get_by_minor(minor);   <====
> > 	if (!aux_dev)
> > 		return -ENODEV;
> > 
> > 	file->private_data = aux_dev;
> > 	return 0;
> > }
> > 
> > 
> > Fixes: e94cb37b34eb8 ("Add a drm_aux-dev module for reading/writing dpcd registers")
> > Cc: stable@vger.kernel.org
> > Signed-off-by: Zwane Mwaikambo
> > ---
> > 
> > diff --git a/drivers/gpu/drm/drm_dp_aux_dev.c b/drivers/gpu/drm/drm_dp_aux_dev.c
> > index 2510717d5a08..e25181bf2c48 100644
> > --- a/drivers/gpu/drm/drm_dp_aux_dev.c
> > +++ b/drivers/gpu/drm/drm_dp_aux_dev.c
> > @@ -63,7 +63,7 @@ static struct drm_dp_aux_dev *drm_dp_aux_dev_get_by_minor(unsigned index)
> > 
> >  	mutex_lock(&aux_idr_mutex);
> >  	aux_dev = idr_find(&aux_idr, index);
> > -	if (!kref_get_unless_zero(&aux_dev->refcount))
> > +	if (aux_dev && !kref_get_unless_zero(&aux_dev->refcount))
> 
> Deja vu
> 
> https://lists.freedesktop.org/archives/dri-devel/2019-May/218855.html
> https://lists.freedesktop.org/archives/dri-devel/2019-July/226168.html
> 
> I guess we just got stuck waiting for confirmation that it reproduces
> with the bogus device node trick.

Indeed, I hope it sticks this time!

Zwane
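Review bot: the hunk only handles the NULL returned by idr_find() for an unregistered minor, so the commit message should state plainly that the stale chardev nodes left behind by an unplug during suspend are not removed by this patch; what changes is that open(2) on such a node (or on one created with mknod(1)) now reaches the existing `aux_dev = NULL` path and auxdev_open() returns -ENODEV instead of kref_get_unless_zero() reading offset 0x18 (&aux_dev->refcount) of a NULL pointer, which is the CR2 value in the oops. The placement itself is right: the `aux_dev &&` test stays inside the aux_idr_mutex section together with kref_get_unless_zero(), so the unregistered-minor and the zero-refcount cases are handled by the same line. The hunk as quoted is cut off after the `+` line, so the trailing context is not visible here and should be checked in the applied patch; given that Ville points to the same fix on dri-devel in 2019, Link: tags to those two threads would help whoever picks this up for stable.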
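As an added example (not kernel code and not the patch author's), the userspace model below plays through the three outcomes the patched drm_dp_aux_dev_get_by_minor() has to distinguish: a registered minor, a minor whose device has already dropped its last reference, and a minor idr_find() has never heard of, which is what the mknod(1) reproduction in the commit message hits. The idr, kref and mutex are stand-ins written for this demo, and the device table is constructed.

```c
/*
 * Added example (not kernel code, not the patch author's): a userspace model of
 * drm_dp_aux_dev_get_by_minor() after the fix. idr, kref and mutex are stand-ins.
 * Constructed table: minor 3 is live, minor 5 has lost its last reference, every
 * other minor is unregistered, which is what a mknod(1)-created node hits.
 */
#include <errno.h>
#include <stddef.h>
#define MAX_MINORS 8

struct aux_dev {
	unsigned int refcount;	/* 0: teardown in progress, no new users allowed */
	unsigned int minor;
};

static struct aux_dev live_dev  = { .refcount = 1, .minor = 3 };
static struct aux_dev dying_dev = { .refcount = 0, .minor = 5 };

/* Stand-in for aux_idr: only minors that were registered are present. */
static struct aux_dev *aux_idr[MAX_MINORS] = { [3] = &live_dev, [5] = &dying_dev };
/* idr_find(): NULL for any index that was never allocated or was removed. */
static struct aux_dev *idr_find_model(unsigned int index)
{
	return index < MAX_MINORS ? aux_idr[index] : NULL;
}

/* kref_get_unless_zero(): take a reference only while one is still held. */
static int kref_get_unless_zero_model(unsigned int *refcount)
{
	if (*refcount == 0)
		return 0;
	(*refcount)++;
	return 1;
}

/* Patched lookup: the aux_dev test is the one thing the diff adds. */
static struct aux_dev *get_by_minor_fixed(unsigned int index)
{
	struct aux_dev *aux_dev = idr_find_model(index);	/* mutex held... */
	if (aux_dev && !kref_get_unless_zero_model(&aux_dev->refcount))
		aux_dev = NULL;
	return aux_dev;						/* ...until here */
}

/* Mirrors auxdev_open(): a NULL lookup becomes -ENODEV instead of an oops. */
static struct aux_dev *opened_private_data;	/* stands in for file->private_data */
static int open_model(unsigned int minor)
{
	opened_private_data = get_by_minor_fixed(minor);
	return opened_private_data ? 0 : -ENODEV;
}
```

Before the fix, the same lookup on minor 7 would have dereferenced `&aux_dev->refcount` of a NULL pointer, exactly the `mov 0x18(%rax),%edx` the oops lands on.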