Received: by 2002:a05:6a10:9848:0:0:0:0 with SMTP id x8csp1115518pxf;
        Fri, 2 Apr 2021 01:23:32 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJzRone971kx9BPPcJnXqbXXUsM3HNQYu6T7YRq9EAhWDIBEMXEOeJap20UZG9JOwz2HOPIG
X-Received: by 2002:a02:aa92:: with SMTP id u18mr11870771jai.119.1617351811844;
        Fri, 02 Apr 2021 01:23:31 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1617351811; cv=none;
        d=google.com; s=arc-20160816;
        b=WVAF3rNY2pVTnLCLxIN4nHD8fcBmOmdDm10vJUK6Q9aIv0vq7UYZZ/7SUsFnvm9Z89
         QBLE43dQh3weVuHuA0jPLW43hqKQ3rVQc9+0WcOXWkZnhtDPQ/X+pqftrMZhEwIqCLDM
         1b4vjrN6mYr4FjKg8V7bWsunnos9iYvOXZuWJsUk1lw9jmALvMHu/18bWacy+p0rpt6I
         g2LgkQLM2SHhSxRMfqHfBcHIBnoaCr47nmwYnUiFLYjYQcD9h1F3e2/WoGmWljzb1Yjw
         NvgD0V136N+Lhu3xjhStRkUCY3LpbmAVweQjvJ6eZNPCmuu4BIMXjqKDmQtgSVpXE8rl
         LRZg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:mime-version:user-agent:references:in-reply-to
         :subject:cc:to:from:message-id:date;
        bh=cdXCjs9EwjtxCsyd9MH9P5S6A5yh3MTrvZW3Xa/ptBI=;
        b=KLcO/gVLmmU/aBjxU4FyAMF0MQT2hpqwpUkzuKMQycNdsmY4CBA2qc0GhvV1pJFmH4
         tBtNrazZxwJQ8MK7G/3JUI2DedvYzJHNvtrzaXzZcfuPW2MrEGSZiVx3awkj2jDESx2/
         dK+xu5Tfjr0GDOjZsQtLLdfEHMJUI6JvRZzHDbp7DuihkgJ4/4jqKXMxDV5yjOqOPwnx
         o4xOhnx3PP2FrGAeZiDDd7VAM/BYPnXTvYJzQbHi/+K9eJY8PXMVURVfQ6XRqLKR9C76
         8uyorcfIAEdW577cTq4dd+mCra+qvKgwjB+IWshsR45y2b95rmF1IfauSdTDGd8jQ4hX
         Zr9A==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id r11si6906975ilb.116.2021.04.02.01.23.16;
        Fri, 02 Apr 2021 01:23:31 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S233827AbhDBIWI (ORCPT <rfc822;mahongyuan1997@gmail.com>
        + 99 others); Fri, 2 Apr 2021 04:22:08 -0400
Received: from mx2.suse.de ([195.135.220.15]:43440 "EHLO mx2.suse.de"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S229599AbhDBIWH (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Fri, 2 Apr 2021 04:22:07 -0400
X-Virus-Scanned: by amavisd-new at test-mx.suse.de
Received: from relay2.suse.de (unknown [195.135.221.27])
        by mx2.suse.de (Postfix) with ESMTP id 08AD0ABF6;
        Fri,  2 Apr 2021 08:22:06 +0000 (UTC)
Date:   Fri, 02 Apr 2021 10:22:05 +0200
Message-ID: <s5hpmzdcd02.wl-tiwai@suse.de>
From:   Takashi Iwai <tiwai@suse.de>
To:     Jani Nikula <jani.nikula@linux.intel.com>,
        Joonas Lahtinen <joonas.lahtinen@linux.intel.com>,
        Rodrigo Vivi <rodrigo.vivi@intel.com>
Cc:     intel-gfx@lists.freedesktop.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] drm/i915: Fix invalid access to ACPI _DSM objects
In-Reply-To: <20210402074749.25957-1-tiwai@suse.de>
References: <20210402074749.25957-1-tiwai@suse.de>
User-Agent: Wanderlust/2.15.9 (Almost Unreal) SEMI/1.14.6 (Maruoka)
 FLIM/1.14.9 (=?UTF-8?B?R29qxY0=?=) APEL/10.8 Emacs/25.3
 (x86_64-suse-linux-gnu) MULE/6.0 (HANACHIRUSATO)
MIME-Version: 1.0 (generated by SEMI 1.14.6 - "Maruoka")
Content-Type: text/plain; charset=US-ASCII
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Fri, 02 Apr 2021 09:47:49 +0200,
Takashi Iwai wrote:
> 
> intel_dsm_platform_mux_info() tries to parse the ACPI package data
> from _DSM for the debug information, but it assumes the fixed format
> without checking what values are stored in the elements actually.
> When an unexpected value is returned from BIOS, it may lead to GPF or
> NULL dereference, as reported recently.
> 
> Add the checks of the contents in the returned values and skip the
> values for invalid cases.
> 
> BugLink: http://bugzilla.opensuse.org/show_bug.cgi?id=1184074
> Cc: <stable@vger.kernel.org>
> Signed-off-by: Takashi Iwai <tiwai@suse.de>

Scratch this one.  I sent an older version mistakenly.
Will resubmit the right one.


Takashi


> ---
>  drivers/gpu/drm/i915/display/intel_acpi.c | 12 ++++++++++++
>  1 file changed, 12 insertions(+)
> 
> diff --git a/drivers/gpu/drm/i915/display/intel_acpi.c b/drivers/gpu/drm/i915/display/intel_acpi.c
> index e21fb14d5e07..492ebc0a8257 100644
> --- a/drivers/gpu/drm/i915/display/intel_acpi.c
> +++ b/drivers/gpu/drm/i915/display/intel_acpi.c
> @@ -84,6 +84,11 @@ static void intel_dsm_platform_mux_info(acpi_handle dhandle)
>  		return;
>  	}
>  
> +	if (!pkg->package.count) {
> +		DRM_DEBUG_DRIVER("no connection in _DSM\n");
> +		return;
> +	}
> +
>  	connector_count = &pkg->package.elements[0];
>  	DRM_DEBUG_DRIVER("MUX info connectors: %lld\n",
>  		  (unsigned long long)connector_count->integer.value);
> @@ -91,6 +96,13 @@ static void intel_dsm_platform_mux_info(acpi_handle dhandle)
>  		union acpi_object *obj = &pkg->package.elements[i];
>  		union acpi_object *connector_id = &obj->package.elements[0];
>  		union acpi_object *info = &obj->package.elements[1];
> +
> +		if (obj->type != ACPI_TYPE_PACKAGE || obj->package.count < 2 ||
> +		    info->type != ACPI_TYPE_BUFFER || info->buffer.length < 4) {
> +			DRM_DEBUG_DRIVER("Invalid object for MUX #%d\n", i);
> +			continue;
> +		}
> +
>  		DRM_DEBUG_DRIVER("Connector id: 0x%016llx\n",
>  			  (unsigned long long)connector_id->integer.value);
>  		DRM_DEBUG_DRIVER("  port id: %s\n",
> -- 
> 2.26.2
>