From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Takashi Iwai, Ville Syrjälä, Rodrigo Vivi
Subject: [PATCH 5.11 019/210] drm/i915: Fix invalid access to ACPI _DSM objects
Date: Mon, 12 Apr 2021 10:38:44 +0200
Message-Id: <20210412084016.652273106@linuxfoundation.org>

From: Takashi Iwai

commit b6a37a93c9ac3900987c79b726d0bb3699d8db4e upstream.

intel_dsm_platform_mux_info() tries to parse the ACPI package data from _DSM for the debug information, but it assumes the fixed format without checking what values are stored in the elements actually. When an unexpected value is returned from BIOS, it may lead to GPF or NULL dereference, as reported recently.

Add the checks of the contents in the returned values and skip the values for invalid cases.

v1->v2: Check the info contents before dereferencing, too

BugLink: http://bugzilla.opensuse.org/show_bug.cgi?id=1184074
Cc:
Signed-off-by: Takashi Iwai
Signed-off-by: Ville Syrjälä
Link: https://patchwork.freedesktop.org/patch/msgid/20210402082317.871-1-tiwai@suse.de
(cherry picked from commit 337d7a1621c7f02af867229990ac67c97da1b53a)
Signed-off-by: Rodrigo Vivi
Signed-off-by: Greg Kroah-Hartman
---
 drivers/gpu/drm/i915/display/intel_acpi.c | 22 ++++++++++++++++++++--
 1 file changed, 20 insertions(+), 2 deletions(-)

--- a/drivers/gpu/drm/i915/display/intel_acpi.c +++ b/drivers/gpu/drm/i915/display/intel_acpi.c
@@ -84,13 +84,31 @@ static void intel_dsm_platform_mux_info( return; } + if (!pkg->package.count) { + DRM_DEBUG_DRIVER("no connection in _DSM\n"); + return; + } + connector_count = &pkg->package.elements[0]; DRM_DEBUG_DRIVER("MUX info connectors: %lld\n", (unsigned long long)connector_count->integer.value); for (i = 1; i < pkg->package.count; i++) { union acpi_object *obj = &pkg->package.elements[i]; - union acpi_object *connector_id = &obj->package.elements[0]; - union acpi_object *info = &obj->package.elements[1]; + union acpi_object *connector_id; + union acpi_object *info; + + if (obj->type != ACPI_TYPE_PACKAGE || obj->package.count < 2) { + DRM_DEBUG_DRIVER("Invalid object for MUX #%d\n", i); + continue; + } + + connector_id = &obj->package.elements[0]; + info = &obj->package.elements[1]; + if (info->type != ACPI_TYPE_BUFFER || info->buffer.length < 4) { + DRM_DEBUG_DRIVER("Invalid info for MUX obj #%d\n", i); + continue; + } + DRM_DEBUG_DRIVER("Connector id: 0x%016llx\n", (unsigned long long)connector_id->integer.value); DRM_DEBUG_DRIVER(" port id: %s\n",
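
Review bot: connector_count->integer.value (just before the loop) and connector_id->integer.value (inside it) are still read without confirming that those elements are ACPI_TYPE_INTEGER, so the new guards validate obj and info but leave two elements of the same BIOS-returned package trusted. Because these are union reads, a non-integer element makes the debug line print whatever the union holds in that slot instead of a connector count or id. Suggest adding connector_id->type != ACPI_TYPE_INTEGER to the "Invalid object for MUX" condition and a matching type test on elements[0] next to the !pkg->package.count check. The literal 4 in info->buffer.length < 4 would also read better with a short comment or a named constant stating which bytes of the buffer it is meant to cover.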