From: Ricardo Ribalda Date: Fri, 25 Apr 2014 16:11:29 +0000 (-0300) Subject: [media] videobuf2-dma-sg: Fix NULL pointer dereference BUG X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=227ae227c9352903d8bc4dc42e128da93aca4c79;p=GitHub%2FLineageOS%2Fandroid_kernel_motorola_exynos9610.git [media] videobuf2-dma-sg: Fix NULL pointer dereference BUG vb2_get_vma() copy the content of the vma to a new structure but set some of its pointers to NULL. One of this pointer is used by follow_pte() called by follow_pfn() on io memory. This can lead to a NULL pointer derreference. The version of vma that has not been cleared must be used. [ 406.143320] BUG: unable to handle kernel NULL pointer dereference at 0000000000000040 [ 406.143427] IP: [] follow_pfn+0x2c/0x70 [ 406.143491] PGD 6c3f0067 PUD 6c3ef067 PMD 0 [ 406.143546] Oops: 0000 [#1] SMP [ 406.143587] Modules linked in: qtec_mem qt5023_video qtec_testgen qtec_xform videobuf2_core gpio_xilinx videobuf2_vmalloc videobuf2_dma_sg qtec_cmosis videobuf2_memops qtec_pcie qtec_white fglrx(PO) qt5023 spi_xilinx spi_bitbang [ 406.143852] CPU: 0 PID: 299 Comm: tracker Tainted: P O 3.13.0-qtec-standard #10 [ 406.143927] Hardware name: QTechnology QT5022/QT5022, BIOS PM_2.1.0.309 X64 04/04/2013 [ 406.144000] task: ffff880085c82d60 ti: ffff880085abe000 task.ti: ffff880085abe000 [ 406.144067] RIP: 0010:[] [] follow_pfn+0x2c/0x70 [ 406.144145] RSP: 0018:ffff880085abf888 EFLAGS: 00010296 [ 406.144195] RAX: 0000000000000000 RBX: ffff880085abf8e0 RCX: ffff880085abf888 [ 406.144260] RDX: ffff880085abf890 RSI: 00007fc52e173000 RDI: ffff8800863cbe40 [ 406.144325] RBP: ffff880085abf8a8 R08: 0000000000000018 R09: ffff8800863cbf00 [ 406.144388] R10: ffff880086703b80 R11: 00000000000001e0 R12: 0000000000018000 [ 406.144452] R13: 0000000000000000 R14: ffffea0000000000 R15: ffff88015922fea0 [ 406.144517] FS: 00007fc536e7c740(0000) GS:ffff88015ec00000(0000) knlGS:0000000000000000 [ 406.144591] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 406.144644] CR2: 0000000000000040 CR3: 0000000066c9d000 CR4: 00000000000007f0 [ 406.144708] Stack: [ 406.144731] 0000000000018000 00007fc52e18b000 0000000000000000 00007fc52e173000 [ 406.144813] ffff880085abf918 ffffffffa083b2fd ffff880085ab1ba8 0000000000000000 [ 406.144894] 0000000000000000 0000000100000000 ffff880085abf928 ffff880159a20800 [ 406.144976] Call Trace: [ 406.145011] [] vb2_dma_sg_get_userptr+0x14d/0x310 [videobuf2_dma_sg] [ 406.145089] [] __qbuf_userptr+0xbf/0x3e0 [videobuf2_core] [ 406.147229] [] ? mc_heap_lock_memory+0x1f4/0x490 [fglrx] [ 406.149234] [] ? cpumask_next_and+0x23/0x50 [ 406.151223] [] ? enqueue_task_fair+0x658/0xde0 [ 406.153199] [] ? native_smp_send_reschedule+0x48/0x60 [ 406.155184] [] ? get_ctrl+0xa9/0xd0 [ 406.157161] [] ? __kmalloc+0x1a4/0x1b0 [ 406.159135] [] ? __vb2_queue_alloc+0x9c/0x4a0 [videobuf2_core] [ 406.161130] [] __buf_prepare+0x1a8/0x210 [videobuf2_core] [ 406.163171] [] __vb2_qbuf+0x27/0xcc [videobuf2_core] [ 406.165229] [] vb2_queue_or_prepare_buf+0x1ed/0x270 [videobuf2_core] [ 406.167325] [] ? vb2_ioctl_querybuf+0x30/0x30 [videobuf2_core] [ 406.169419] [] vb2_qbuf+0x1c/0x20 [videobuf2_core] [ 406.171508] [] vb2_ioctl_qbuf+0x58/0x70 [videobuf2_core] [ 406.173604] [] v4l_qbuf+0x48/0x60 [ 406.175681] [] __video_do_ioctl+0x2bc/0x340 [ 406.177779] [] ? __kmalloc+0xfc/0x1b0 [ 406.179883] [] ? video_usercopy+0x7e/0x470 [ 406.181961] [] video_usercopy+0x1f1/0x470 [ 406.184021] [] ? v4l_printk_ioctl+0xb0/0xb0 [ 406.186085] [] ? account_system_time+0x8d/0x190 [ 406.188149] [] video_ioctl2+0x15/0x20 [ 406.190216] [] v4l2_ioctl+0x123/0x160 [ 406.192251] [] ? rcu_eqs_enter+0x65/0xa0 [ 406.194256] [] do_vfs_ioctl+0x88/0x560 [ 406.196258] [] ? account_user_time+0x95/0xb0 [ 406.198262] [] ? vtime_account_user+0x44/0x70 [ 406.200215] [] SyS_ioctl+0x91/0xb0 [ 406.202107] [] tracesys+0xd0/0xd5 [ 406.203946] Code: 66 66 66 90 48 f7 47 50 00 44 00 00 b8 ea ff ff ff 74 52 55 48 89 e5 53 48 89 d3 48 8d 4d e0 48 8d 55 e8 48 83 ec 18 48 8b 47 40 <48> 8b 78 40 e8 8b fe ff ff 85 c0 75 27 48 8b 55 e8 48 b9 00 f0 [ 406.208011] RIP [] follow_pfn+0x2c/0x70 [ 406.209908] RSP [ 406.211760] CR2: 0000000000000040 [ 406.213676] ---[ end trace 996d9f64e6739a04 ]--- Signed-off-by: Ricardo Ribalda Delgado Acked-by: Marek Szyprowski Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab --- diff --git a/drivers/media/v4l2-core/videobuf2-dma-sg.c b/drivers/media/v4l2-core/videobuf2-dma-sg.c index c779f210d2c6..adefc31bb853 100644 --- a/drivers/media/v4l2-core/videobuf2-dma-sg.c +++ b/drivers/media/v4l2-core/videobuf2-dma-sg.c @@ -211,7 +211,7 @@ static void *vb2_dma_sg_get_userptr(void *alloc_ctx, unsigned long vaddr, ++num_pages_from_user, vaddr += PAGE_SIZE) { unsigned long pfn; - if (follow_pfn(buf->vma, vaddr, &pfn)) { + if (follow_pfn(vma, vaddr, &pfn)) { dprintk(1, "no page for address %lu\n", vaddr); break; }