Re: [PATCH] media: v4l2-compat-ioctl32: don't oops on overlay
On 29/03/18 15:00, Mauro Carvalho Chehab wrote: > Em Thu, 29 Mar 2018 10:40:23 +0200 > Hans Verkuil escreveu: > >> Hi Mauro, >> >> On 28/03/18 19:59, Mauro Carvalho Chehab wrote: >>> At put_v4l2_window32(), it tries to access kp->clips. However, >>> kp points to an userspace pointer. So, it should be obtained >>> via get_user(), otherwise it can OOPS: >>> >> >> >> >>> >>> cc: sta...@vger.kernel.org >>> Signed-off-by: Mauro Carvalho Chehab >>> --- >>> drivers/media/v4l2-core/v4l2-compat-ioctl32.c | 4 +++- >>> 1 file changed, 3 insertions(+), 1 deletion(-) >>> >>> diff --git a/drivers/media/v4l2-core/v4l2-compat-ioctl32.c >>> b/drivers/media/v4l2-core/v4l2-compat-ioctl32.c >>> index 5198c9eeb348..4312935f1dfc 100644 >>> --- a/drivers/media/v4l2-core/v4l2-compat-ioctl32.c >>> +++ b/drivers/media/v4l2-core/v4l2-compat-ioctl32.c >>> @@ -101,7 +101,7 @@ static int get_v4l2_window32(struct v4l2_window __user >>> *kp, >>> static int put_v4l2_window32(struct v4l2_window __user *kp, >>> struct v4l2_window32 __user *up) >>> { >>> - struct v4l2_clip __user *kclips = kp->clips; >>> + struct v4l2_clip __user *kclips; >>> struct v4l2_clip32 __user *uclips; >>> compat_caddr_t p; >>> u32 clipcount; >>> @@ -116,6 +116,8 @@ static int put_v4l2_window32(struct v4l2_window __user >>> *kp, >>> if (!clipcount) >>> return 0; >>> >>> + if (get_user(kclips, &kp->clips)) >>> + return -EFAULT; >>> if (get_user(p, &up->clips)) >>> return -EFAULT; >>> uclips = compat_ptr(p); >>> >> >> Reviewed-by: Hans Verkuil >> >> I have no idea why I didn't find this when I tested this with >> v4l2-compliance, >> but the code was certainly wrong. > > I built 4.16-rc4 with KASAN enabled. Perhaps, it won't OOPS without > it. Yet, I doubt it would work without this fix. I definitely did not have KASAN enabled when I tested this. Regards, Hans > >> >> Thank you for debugging this! > > Anytime. > > Thanks, > Mauro >
Re: [PATCH] media: v4l2-compat-ioctl32: don't oops on overlay
Em Thu, 29 Mar 2018 10:40:23 +0200 Hans Verkuil escreveu: > Hi Mauro, > > On 28/03/18 19:59, Mauro Carvalho Chehab wrote: > > At put_v4l2_window32(), it tries to access kp->clips. However, > > kp points to an userspace pointer. So, it should be obtained > > via get_user(), otherwise it can OOPS: > > > > > > > > > cc: sta...@vger.kernel.org > > Signed-off-by: Mauro Carvalho Chehab > > --- > > drivers/media/v4l2-core/v4l2-compat-ioctl32.c | 4 +++- > > 1 file changed, 3 insertions(+), 1 deletion(-) > > > > diff --git a/drivers/media/v4l2-core/v4l2-compat-ioctl32.c > > b/drivers/media/v4l2-core/v4l2-compat-ioctl32.c > > index 5198c9eeb348..4312935f1dfc 100644 > > --- a/drivers/media/v4l2-core/v4l2-compat-ioctl32.c > > +++ b/drivers/media/v4l2-core/v4l2-compat-ioctl32.c > > @@ -101,7 +101,7 @@ static int get_v4l2_window32(struct v4l2_window __user > > *kp, > > static int put_v4l2_window32(struct v4l2_window __user *kp, > > struct v4l2_window32 __user *up) > > { > > - struct v4l2_clip __user *kclips = kp->clips; > > + struct v4l2_clip __user *kclips; > > struct v4l2_clip32 __user *uclips; > > compat_caddr_t p; > > u32 clipcount; > > @@ -116,6 +116,8 @@ static int put_v4l2_window32(struct v4l2_window __user > > *kp, > > if (!clipcount) > > return 0; > > > > + if (get_user(kclips, &kp->clips)) > > + return -EFAULT; > > if (get_user(p, &up->clips)) > > return -EFAULT; > > uclips = compat_ptr(p); > > > > Reviewed-by: Hans Verkuil > > I have no idea why I didn't find this when I tested this with v4l2-compliance, > but the code was certainly wrong. I built 4.16-rc4 with KASAN enabled. Perhaps, it won't OOPS without it. Yet, I doubt it would work without this fix. > > Thank you for debugging this! Anytime. Thanks, Mauro
Re: [PATCH] media: v4l2-compat-ioctl32: don't oops on overlay
Hi Mauro, On 28/03/18 19:59, Mauro Carvalho Chehab wrote: > At put_v4l2_window32(), it tries to access kp->clips. However, > kp points to an userspace pointer. So, it should be obtained > via get_user(), otherwise it can OOPS: > > > cc: sta...@vger.kernel.org > Signed-off-by: Mauro Carvalho Chehab > --- > drivers/media/v4l2-core/v4l2-compat-ioctl32.c | 4 +++- > 1 file changed, 3 insertions(+), 1 deletion(-) > > diff --git a/drivers/media/v4l2-core/v4l2-compat-ioctl32.c > b/drivers/media/v4l2-core/v4l2-compat-ioctl32.c > index 5198c9eeb348..4312935f1dfc 100644 > --- a/drivers/media/v4l2-core/v4l2-compat-ioctl32.c > +++ b/drivers/media/v4l2-core/v4l2-compat-ioctl32.c > @@ -101,7 +101,7 @@ static int get_v4l2_window32(struct v4l2_window __user > *kp, > static int put_v4l2_window32(struct v4l2_window __user *kp, >struct v4l2_window32 __user *up) > { > - struct v4l2_clip __user *kclips = kp->clips; > + struct v4l2_clip __user *kclips; > struct v4l2_clip32 __user *uclips; > compat_caddr_t p; > u32 clipcount; > @@ -116,6 +116,8 @@ static int put_v4l2_window32(struct v4l2_window __user > *kp, > if (!clipcount) > return 0; > > + if (get_user(kclips, &kp->clips)) > + return -EFAULT; > if (get_user(p, &up->clips)) > return -EFAULT; > uclips = compat_ptr(p); > Reviewed-by: Hans Verkuil I have no idea why I didn't find this when I tested this with v4l2-compliance, but the code was certainly wrong. Thank you for debugging this! Regards, Hans
Re: [PATCH] media: v4l2-compat-ioctl32: don't oops on overlay
Hi Sakari, On Thursday, 29 March 2018 10:35:49 EEST Sakari Ailus wrote: > On Thu, Mar 29, 2018 at 09:19:43AM +0300, Laurent Pinchart wrote: > > On Wednesday, 28 March 2018 23:16:08 EEST Sakari Ailus wrote: > > > On Wed, Mar 28, 2018 at 02:59:22PM -0300, Mauro Carvalho Chehab wrote: > > > > At put_v4l2_window32(), it tries to access kp->clips. However, > > > > kp points to an userspace pointer. So, it should be obtained > > > > > > > > via get_user(), otherwise it can OOPS: > > > > vivid-000: == END STATUS == > > > > BUG: unable to handle kernel paging request at fffb18e0 > > > > IP: [] __put_v4l2_format32+0x169/0x220 [videodev] > > > > PGD 3f5776067 PUD 3f576f067 PMD 3f5769067 PTE 80042548f067 > > > > Oops: 0001 [#1] SMP > > > > Modules linked in: vivid videobuf2_vmalloc videobuf2_memops > > > > v4l2_dv_timings videobuf2_core v4l2_common videodev media xt_CHECKSUM > > > > iptable_mangle ipt_MASQUERADE nf_nat_masquerade_ipv4 iptable_nat > > > > nf_nat_ipv4 nf_nat nf_conntrack_ipv4 nf_defrag_ipv4 xt_conntrack > > > > nf_conntrack tun bridge stp llc ebtable_filter ebtables > > > > ip6table_filter > > > > ip6_tables bluetooth rfkill binfmt_misc snd_hda_codec_hdmi i915 > > > > snd_hda_intel snd_hda_controller snd_hda_codec intel_rapl > > > > x86_pkg_temp_thermal snd_hwdep intel_powerclamp snd_pcm coretemp > > > > snd_seq_midi kvm_intel kvm snd_seq_midi_event snd_rawmidi > > > > i2c_algo_bit > > > > drm_kms_helper snd_seq drm crct10dif_pclmul e1000e snd_seq_device > > > > crc32_pclmul snd_timer ghash_clmulni_intel snd mei_me mei ptp > > > > pps_core > > > > soundcore lpc_ich video crc32c_intel [last unloaded: media] CPU: 2 > > > > PID: > > > > > > > > 28332 Comm: v4l2-compliance Not tainted 3.18.102+ #107 Hardware name: > > > >/NUC5i7RYB, BIOS RYBDWi35.86A.0364.2017.0511.0949 > > > > > > > > 05/11/2017 task: 8804293f8000 ti: 8803f564 task.ti: > > > > 8803f564 RIP: 0010:[] [] > > > > __put_v4l2_format32+0x169/0x220 [videodev] RSP: 0018:8803f5643e28 > > > > EFLAGS: 00010246 > > > > RAX: RBX: RCX: fffb1ab4 > > > > RDX: fffb1a68 RSI: fffb18d8 RDI: fffb1aa8 > > > > RBP: 8803f5643e48 R08: 0001 R09: 8803f54b0378 > > > > R10: R11: 0168 R12: fffb18c0 > > > > R13: fffb1a94 R14: fffb18c8 R15: > > > > FS: () GS:880456d0(0063) > > > > knlGS:f7100980 CS: 0010 DS: 002b ES: 002b CR0: > > > > 80050033 > > > > CR2: fffb18e0 CR3: 0003f552b000 CR4: 003407e0 > > > > > > > > Stack: > > > > fffb1a94 c0cc5640 0056 8804274f3600 > > > > 8803f5643ed0 c0547e16 0003 8803f5643eb0 > > > > 81301460 88009db44b01 880441942520 8800c0d05640 > > > > > > > > Call Trace: > > > > [] v4l2_compat_ioctl32+0x12d6/0x1b1d [videodev] > > > > [] ? file_has_perm+0x70/0xc0 > > > > [] compat_SyS_ioctl+0xec/0x1200 > > > > [] sysenter_dispatch+0x7/0x21 > > > > > > > > Code: 00 00 48 8b 80 48 c0 ff ff 48 83 e8 38 49 39 c6 0f 87 2b ff ff > > > > ff > > > > 49 8d 45 1c e8 a3 ce e3 c0 85 c0 0f 85 1a ff ff ff 41 8d 40 ff <4d> > > > > 8b > > > > 64 24 20 41 89 d5 48 8d 44 40 03 4d 8d 34 c4 eb 15 0f 1f RIP > > > > [] __put_v4l2_format32+0x169/0x220 [videodev] RSP > > > > > > > > CR2: fffb18e0 > > > > > > > > Tested with vivid driver on Kernel v3.18.102. > > > > > > > > Same bug happens upstream too: > > > > BUG: KASAN: user-memory-access in __put_v4l2_format32+0x98/0x4d0 > > > > [videodev] > > > > Read of size 8 at addr ffe48400 by task v4l2-compliance/8713 > > > > > > > > CPU: 0 PID: 8713 Comm: v4l2-compliance Not tainted 4.16.0-rc4+ #108 > > > > Hardware name: /NUC5i7RYB, BIOS RYBDWi35.86A.0364.2017.0511.0949 > > > > 05/11/2017> > > > > > > > > Call Trace: > > > > dump_stack+0x5c/0x7c > > > > kasan_report+0x164/0x380 > > > > ? __put_v4l2_format32+0x98/0x4d0 [videodev] > > > > __put_v4l2_format32+0x98/0x4d0 [videodev] > > > > v4l2_compat_ioctl32+0x1aec/0x27a0 [videodev] > > > > ? __fsnotify_inode_delete+0x20/0x20 > > > > ? __put_v4l2_format32+0x4d0/0x4d0 [videodev] > > > > compat_SyS_ioctl+0x646/0x14d0 > > > > ? do_ioctl+0x30/0x30 > > > > do_fast_syscall_32+0x191/0x3f4 > > > > entry_SYSENTER_compat+0x6b/0x7a > > > > > > > > == > > > > Disabling lock debugging due to kernel taint > > > > BUG: unable to handle kernel paging request at ffe48400 > > > > IP: __put_v4l2_format32+0x98/0x4d0 [videodev] > > > > PGD 3a22fb067 P4D 3a22fb067 PUD 39b6f0067 PMD 39b6f1067 PTE > > > > 8003256af067 Oops: 0001 [#1] SMP KASAN > > > > Modules linked in: vivid videobuf2_vmalloc videobuf2_dma_contig > > >
Re: [PATCH] media: v4l2-compat-ioctl32: don't oops on overlay
On Thu, Mar 29, 2018 at 09:19:43AM +0300, Laurent Pinchart wrote: > Hello, > > On Wednesday, 28 March 2018 23:16:08 EEST Sakari Ailus wrote: > > On Wed, Mar 28, 2018 at 02:59:22PM -0300, Mauro Carvalho Chehab wrote: > > > At put_v4l2_window32(), it tries to access kp->clips. However, > > > kp points to an userspace pointer. So, it should be obtained > > > > > > via get_user(), otherwise it can OOPS: > > > vivid-000: == END STATUS == > > > BUG: unable to handle kernel paging request at fffb18e0 > > > IP: [] __put_v4l2_format32+0x169/0x220 [videodev] > > > PGD 3f5776067 PUD 3f576f067 PMD 3f5769067 PTE 80042548f067 > > > Oops: 0001 [#1] SMP > > > Modules linked in: vivid videobuf2_vmalloc videobuf2_memops > > > v4l2_dv_timings videobuf2_core v4l2_common videodev media xt_CHECKSUM > > > iptable_mangle ipt_MASQUERADE nf_nat_masquerade_ipv4 iptable_nat > > > nf_nat_ipv4 nf_nat nf_conntrack_ipv4 nf_defrag_ipv4 xt_conntrack > > > nf_conntrack tun bridge stp llc ebtable_filter ebtables ip6table_filter > > > ip6_tables bluetooth rfkill binfmt_misc snd_hda_codec_hdmi i915 > > > snd_hda_intel snd_hda_controller snd_hda_codec intel_rapl > > > x86_pkg_temp_thermal snd_hwdep intel_powerclamp snd_pcm coretemp > > > snd_seq_midi kvm_intel kvm snd_seq_midi_event snd_rawmidi i2c_algo_bit > > > drm_kms_helper snd_seq drm crct10dif_pclmul e1000e snd_seq_device > > > crc32_pclmul snd_timer ghash_clmulni_intel snd mei_me mei ptp pps_core > > > soundcore lpc_ich video crc32c_intel [last unloaded: media] CPU: 2 PID: > > > 28332 Comm: v4l2-compliance Not tainted 3.18.102+ #107 Hardware name: > > >/NUC5i7RYB, BIOS RYBDWi35.86A.0364.2017.0511.0949 > > > 05/11/2017 task: 8804293f8000 ti: 8803f564 task.ti: > > > 8803f564 RIP: 0010:[] [] > > > __put_v4l2_format32+0x169/0x220 [videodev] RSP: 0018:8803f5643e28 > > > EFLAGS: 00010246 > > > RAX: RBX: RCX: fffb1ab4 > > > RDX: fffb1a68 RSI: fffb18d8 RDI: fffb1aa8 > > > RBP: 8803f5643e48 R08: 0001 R09: 8803f54b0378 > > > R10: R11: 0168 R12: fffb18c0 > > > R13: fffb1a94 R14: fffb18c8 R15: > > > FS: () GS:880456d0(0063) > > > knlGS:f7100980 CS: 0010 DS: 002b ES: 002b CR0: 80050033 > > > CR2: fffb18e0 CR3: 0003f552b000 CR4: 003407e0 > > > > > > Stack: > > > fffb1a94 c0cc5640 0056 8804274f3600 > > > 8803f5643ed0 c0547e16 0003 8803f5643eb0 > > > 81301460 88009db44b01 880441942520 8800c0d05640 > > > > > > Call Trace: > > > [] v4l2_compat_ioctl32+0x12d6/0x1b1d [videodev] > > > [] ? file_has_perm+0x70/0xc0 > > > [] compat_SyS_ioctl+0xec/0x1200 > > > [] sysenter_dispatch+0x7/0x21 > > > > > > Code: 00 00 48 8b 80 48 c0 ff ff 48 83 e8 38 49 39 c6 0f 87 2b ff ff ff > > > 49 8d 45 1c e8 a3 ce e3 c0 85 c0 0f 85 1a ff ff ff 41 8d 40 ff <4d> 8b > > > 64 24 20 41 89 d5 48 8d 44 40 03 4d 8d 34 c4 eb 15 0f 1f RIP > > > [] __put_v4l2_format32+0x169/0x220 [videodev] RSP > > > > > > CR2: fffb18e0 > > > > > > Tested with vivid driver on Kernel v3.18.102. > > > > > > Same bug happens upstream too: > > > BUG: KASAN: user-memory-access in __put_v4l2_format32+0x98/0x4d0 > > > [videodev] > > > Read of size 8 at addr ffe48400 by task v4l2-compliance/8713 > > > > > > CPU: 0 PID: 8713 Comm: v4l2-compliance Not tainted 4.16.0-rc4+ #108 > > > Hardware name: /NUC5i7RYB, BIOS RYBDWi35.86A.0364.2017.0511.0949 > > > 05/11/2017> > > > Call Trace: > > > dump_stack+0x5c/0x7c > > > kasan_report+0x164/0x380 > > > ? __put_v4l2_format32+0x98/0x4d0 [videodev] > > > __put_v4l2_format32+0x98/0x4d0 [videodev] > > > v4l2_compat_ioctl32+0x1aec/0x27a0 [videodev] > > > ? __fsnotify_inode_delete+0x20/0x20 > > > ? __put_v4l2_format32+0x4d0/0x4d0 [videodev] > > > compat_SyS_ioctl+0x646/0x14d0 > > > ? do_ioctl+0x30/0x30 > > > do_fast_syscall_32+0x191/0x3f4 > > > entry_SYSENTER_compat+0x6b/0x7a > > > > > > == > > > Disabling lock debugging due to kernel taint > > > BUG: unable to handle kernel paging request at ffe48400 > > > IP: __put_v4l2_format32+0x98/0x4d0 [videodev] > > > PGD 3a22fb067 P4D 3a22fb067 PUD 39b6f0067 PMD 39b6f1067 PTE > > > 8003256af067 Oops: 0001 [#1] SMP KASAN > > > Modules linked in: vivid videobuf2_vmalloc videobuf2_dma_contig > > > videobuf2_memops v4l2_tpg v4l2_dv_timings videobuf2_v4l2 > > > videobuf2_common v4l2_common videodev xt_CHECKSUM iptable_mangle > > > ipt_MASQUERADE nf_nat_masquerade_ipv4 iptable_nat nf_nat_ipv4 nf_nat > > > nf_conntrack_ipv4 nf_defrag_ipv4 xt_conntrack nf_conntrack libcrc32c tun > > > bridge stp llc ebtable_filt
Re: [PATCH] media: v4l2-compat-ioctl32: don't oops on overlay
Hello, On Wednesday, 28 March 2018 23:16:08 EEST Sakari Ailus wrote: > On Wed, Mar 28, 2018 at 02:59:22PM -0300, Mauro Carvalho Chehab wrote: > > At put_v4l2_window32(), it tries to access kp->clips. However, > > kp points to an userspace pointer. So, it should be obtained > > > > via get_user(), otherwise it can OOPS: > > vivid-000: == END STATUS == > > BUG: unable to handle kernel paging request at fffb18e0 > > IP: [] __put_v4l2_format32+0x169/0x220 [videodev] > > PGD 3f5776067 PUD 3f576f067 PMD 3f5769067 PTE 80042548f067 > > Oops: 0001 [#1] SMP > > Modules linked in: vivid videobuf2_vmalloc videobuf2_memops > > v4l2_dv_timings videobuf2_core v4l2_common videodev media xt_CHECKSUM > > iptable_mangle ipt_MASQUERADE nf_nat_masquerade_ipv4 iptable_nat > > nf_nat_ipv4 nf_nat nf_conntrack_ipv4 nf_defrag_ipv4 xt_conntrack > > nf_conntrack tun bridge stp llc ebtable_filter ebtables ip6table_filter > > ip6_tables bluetooth rfkill binfmt_misc snd_hda_codec_hdmi i915 > > snd_hda_intel snd_hda_controller snd_hda_codec intel_rapl > > x86_pkg_temp_thermal snd_hwdep intel_powerclamp snd_pcm coretemp > > snd_seq_midi kvm_intel kvm snd_seq_midi_event snd_rawmidi i2c_algo_bit > > drm_kms_helper snd_seq drm crct10dif_pclmul e1000e snd_seq_device > > crc32_pclmul snd_timer ghash_clmulni_intel snd mei_me mei ptp pps_core > > soundcore lpc_ich video crc32c_intel [last unloaded: media] CPU: 2 PID: > > 28332 Comm: v4l2-compliance Not tainted 3.18.102+ #107 Hardware name: > >/NUC5i7RYB, BIOS RYBDWi35.86A.0364.2017.0511.0949 > > 05/11/2017 task: 8804293f8000 ti: 8803f564 task.ti: > > 8803f564 RIP: 0010:[] [] > > __put_v4l2_format32+0x169/0x220 [videodev] RSP: 0018:8803f5643e28 > > EFLAGS: 00010246 > > RAX: RBX: RCX: fffb1ab4 > > RDX: fffb1a68 RSI: fffb18d8 RDI: fffb1aa8 > > RBP: 8803f5643e48 R08: 0001 R09: 8803f54b0378 > > R10: R11: 0168 R12: fffb18c0 > > R13: fffb1a94 R14: fffb18c8 R15: > > FS: () GS:880456d0(0063) > > knlGS:f7100980 CS: 0010 DS: 002b ES: 002b CR0: 80050033 > > CR2: fffb18e0 CR3: 0003f552b000 CR4: 003407e0 > > > > Stack: > > fffb1a94 c0cc5640 0056 8804274f3600 > > 8803f5643ed0 c0547e16 0003 8803f5643eb0 > > 81301460 88009db44b01 880441942520 8800c0d05640 > > > > Call Trace: > > [] v4l2_compat_ioctl32+0x12d6/0x1b1d [videodev] > > [] ? file_has_perm+0x70/0xc0 > > [] compat_SyS_ioctl+0xec/0x1200 > > [] sysenter_dispatch+0x7/0x21 > > > > Code: 00 00 48 8b 80 48 c0 ff ff 48 83 e8 38 49 39 c6 0f 87 2b ff ff ff > > 49 8d 45 1c e8 a3 ce e3 c0 85 c0 0f 85 1a ff ff ff 41 8d 40 ff <4d> 8b > > 64 24 20 41 89 d5 48 8d 44 40 03 4d 8d 34 c4 eb 15 0f 1f RIP > > [] __put_v4l2_format32+0x169/0x220 [videodev] RSP > > > > CR2: fffb18e0 > > > > Tested with vivid driver on Kernel v3.18.102. > > > > Same bug happens upstream too: > > BUG: KASAN: user-memory-access in __put_v4l2_format32+0x98/0x4d0 > > [videodev] > > Read of size 8 at addr ffe48400 by task v4l2-compliance/8713 > > > > CPU: 0 PID: 8713 Comm: v4l2-compliance Not tainted 4.16.0-rc4+ #108 > > Hardware name: /NUC5i7RYB, BIOS RYBDWi35.86A.0364.2017.0511.0949 > > 05/11/2017> > > Call Trace: > > dump_stack+0x5c/0x7c > > kasan_report+0x164/0x380 > > ? __put_v4l2_format32+0x98/0x4d0 [videodev] > > __put_v4l2_format32+0x98/0x4d0 [videodev] > > v4l2_compat_ioctl32+0x1aec/0x27a0 [videodev] > > ? __fsnotify_inode_delete+0x20/0x20 > > ? __put_v4l2_format32+0x4d0/0x4d0 [videodev] > > compat_SyS_ioctl+0x646/0x14d0 > > ? do_ioctl+0x30/0x30 > > do_fast_syscall_32+0x191/0x3f4 > > entry_SYSENTER_compat+0x6b/0x7a > > > > == > > Disabling lock debugging due to kernel taint > > BUG: unable to handle kernel paging request at ffe48400 > > IP: __put_v4l2_format32+0x98/0x4d0 [videodev] > > PGD 3a22fb067 P4D 3a22fb067 PUD 39b6f0067 PMD 39b6f1067 PTE > > 8003256af067 Oops: 0001 [#1] SMP KASAN > > Modules linked in: vivid videobuf2_vmalloc videobuf2_dma_contig > > videobuf2_memops v4l2_tpg v4l2_dv_timings videobuf2_v4l2 > > videobuf2_common v4l2_common videodev xt_CHECKSUM iptable_mangle > > ipt_MASQUERADE nf_nat_masquerade_ipv4 iptable_nat nf_nat_ipv4 nf_nat > > nf_conntrack_ipv4 nf_defrag_ipv4 xt_conntrack nf_conntrack libcrc32c tun > > bridge stp llc ebtable_filter ebtables ip6table_filter ip6_tables > > bluetooth rfkill ecdh_generic binfmt_misc snd_hda_codec_hdmi intel_rapl > > x86_pkg_temp_thermal intel_powerclamp i915 coretemp snd_hda_intel > > snd_hda_codec kvm_intel snd_hwdep snd_hda_core kvm snd_pcm i
Re: [PATCH] media: v4l2-compat-ioctl32: don't oops on overlay
Hi Mauro, On Wed, Mar 28, 2018 at 02:59:22PM -0300, Mauro Carvalho Chehab wrote: > At put_v4l2_window32(), it tries to access kp->clips. However, > kp points to an userspace pointer. So, it should be obtained > via get_user(), otherwise it can OOPS: > > vivid-000: == END STATUS == > BUG: unable to handle kernel paging request at fffb18e0 > IP: [] __put_v4l2_format32+0x169/0x220 [videodev] > PGD 3f5776067 PUD 3f576f067 PMD 3f5769067 PTE 80042548f067 > Oops: 0001 [#1] SMP > Modules linked in: vivid videobuf2_vmalloc videobuf2_memops v4l2_dv_timings > videobuf2_core v4l2_common videodev media xt_CHECKSUM iptable_mangle > ipt_MASQUERADE nf_nat_masquerade_ipv4 iptable_nat nf_nat_ipv4 nf_nat > nf_conntrack_ipv4 nf_defrag_ipv4 xt_conntrack nf_conntrack tun bridge stp llc > ebtable_filter ebtables ip6table_filter ip6_tables bluetooth rfkill > binfmt_misc snd_hda_codec_hdmi i915 snd_hda_intel snd_hda_controller > snd_hda_codec intel_rapl x86_pkg_temp_thermal snd_hwdep intel_powerclamp > snd_pcm coretemp snd_seq_midi kvm_intel kvm snd_seq_midi_event snd_rawmidi > i2c_algo_bit drm_kms_helper snd_seq drm crct10dif_pclmul e1000e > snd_seq_device crc32_pclmul snd_timer ghash_clmulni_intel snd mei_me mei ptp > pps_core soundcore lpc_ich video crc32c_intel [last unloaded: media] > CPU: 2 PID: 28332 Comm: v4l2-compliance Not tainted 3.18.102+ #107 > Hardware name: /NUC5i7RYB, BIOS > RYBDWi35.86A.0364.2017.0511.0949 05/11/2017 > task: 8804293f8000 ti: 8803f564 task.ti: 8803f564 > RIP: 0010:[] [] > __put_v4l2_format32+0x169/0x220 [videodev] > RSP: 0018:8803f5643e28 EFLAGS: 00010246 > RAX: RBX: RCX: fffb1ab4 > RDX: fffb1a68 RSI: fffb18d8 RDI: fffb1aa8 > RBP: 8803f5643e48 R08: 0001 R09: 8803f54b0378 > R10: R11: 0168 R12: fffb18c0 > R13: fffb1a94 R14: fffb18c8 R15: > FS: () GS:880456d0(0063) knlGS:f7100980 > CS: 0010 DS: 002b ES: 002b CR0: 80050033 > CR2: fffb18e0 CR3: 0003f552b000 CR4: 003407e0 > Stack: > fffb1a94 c0cc5640 0056 8804274f3600 > 8803f5643ed0 c0547e16 0003 8803f5643eb0 > 81301460 88009db44b01 880441942520 8800c0d05640 > Call Trace: > [] v4l2_compat_ioctl32+0x12d6/0x1b1d [videodev] > [] ? file_has_perm+0x70/0xc0 > [] compat_SyS_ioctl+0xec/0x1200 > [] sysenter_dispatch+0x7/0x21 > Code: 00 00 48 8b 80 48 c0 ff ff 48 83 e8 38 49 39 c6 0f 87 2b ff ff ff 49 > 8d 45 1c e8 a3 ce e3 c0 85 c0 0f 85 1a ff ff ff 41 8d 40 ff <4d> 8b 64 24 20 > 41 89 d5 48 8d 44 40 03 4d 8d 34 c4 eb 15 0f 1f > RIP [] __put_v4l2_format32+0x169/0x220 [videodev] > RSP > CR2: fffb18e0 > > Tested with vivid driver on Kernel v3.18.102. > > Same bug happens upstream too: > > BUG: KASAN: user-memory-access in __put_v4l2_format32+0x98/0x4d0 [videodev] > Read of size 8 at addr ffe48400 by task v4l2-compliance/8713 > > CPU: 0 PID: 8713 Comm: v4l2-compliance Not tainted 4.16.0-rc4+ #108 > Hardware name: /NUC5i7RYB, BIOS RYBDWi35.86A.0364.2017.0511.0949 05/11/2017 > Call Trace: > dump_stack+0x5c/0x7c > kasan_report+0x164/0x380 > ? __put_v4l2_format32+0x98/0x4d0 [videodev] > __put_v4l2_format32+0x98/0x4d0 [videodev] > v4l2_compat_ioctl32+0x1aec/0x27a0 [videodev] > ? __fsnotify_inode_delete+0x20/0x20 > ? __put_v4l2_format32+0x4d0/0x4d0 [videodev] > compat_SyS_ioctl+0x646/0x14d0 > ? do_ioctl+0x30/0x30 > do_fast_syscall_32+0x191/0x3f4 > entry_SYSENTER_compat+0x6b/0x7a > == > Disabling lock debugging due to kernel taint > BUG: unable to handle kernel paging request at ffe48400 > IP: __put_v4l2_format32+0x98/0x4d0 [videodev] > PGD 3a22fb067 P4D 3a22fb067 PUD 39b6f0067 PMD 39b6f1067 PTE 8003256af067 > Oops: 0001 [#1] SMP KASAN > Modules linked in: vivid videobuf2_vmalloc videobuf2_dma_contig > videobuf2_memops v4l2_tpg v4l2_dv_timings videobuf2_v4l2 videobuf2_common > v4l2_common videodev xt_CHECKSUM iptable_mangle ipt_MASQUERADE > nf_nat_masquerade_ipv4 iptable_nat nf_nat_ipv4 nf_nat nf_conntrack_ipv4 > nf_defrag_ipv4 xt_conntrack nf_conntrack libcrc32c tun bridge stp llc > ebtable_filter ebtables ip6table_filter ip6_tables bluetooth rfkill > ecdh_generic binfmt_misc snd_hda_codec_hdmi intel_rapl x86_pkg_temp_thermal > intel_powerclamp i915 coretemp snd_hda_intel snd_hda_codec kvm_intel > snd_hwdep snd_hda_core kvm snd_pcm irqbypass crct10dif_pclmul crc32_pclmul > snd_seq_midi ghash_clmulni_intel snd_seq_midi_event i2c_algo_bit intel_cstate > snd_rawmidi intel_uncore snd_seq drm_kms_helper e1000e snd_seq_device > snd_timer intel_rapl_perf > drm ptp snd mei_me mei lpc_ich pps_core so
[PATCH] media: v4l2-compat-ioctl32: don't oops on overlay
At put_v4l2_window32(), it tries to access kp->clips. However, kp points to an userspace pointer. So, it should be obtained via get_user(), otherwise it can OOPS: vivid-000: == END STATUS == BUG: unable to handle kernel paging request at fffb18e0 IP: [] __put_v4l2_format32+0x169/0x220 [videodev] PGD 3f5776067 PUD 3f576f067 PMD 3f5769067 PTE 80042548f067 Oops: 0001 [#1] SMP Modules linked in: vivid videobuf2_vmalloc videobuf2_memops v4l2_dv_timings videobuf2_core v4l2_common videodev media xt_CHECKSUM iptable_mangle ipt_MASQUERADE nf_nat_masquerade_ipv4 iptable_nat nf_nat_ipv4 nf_nat nf_conntrack_ipv4 nf_defrag_ipv4 xt_conntrack nf_conntrack tun bridge stp llc ebtable_filter ebtables ip6table_filter ip6_tables bluetooth rfkill binfmt_misc snd_hda_codec_hdmi i915 snd_hda_intel snd_hda_controller snd_hda_codec intel_rapl x86_pkg_temp_thermal snd_hwdep intel_powerclamp snd_pcm coretemp snd_seq_midi kvm_intel kvm snd_seq_midi_event snd_rawmidi i2c_algo_bit drm_kms_helper snd_seq drm crct10dif_pclmul e1000e snd_seq_device crc32_pclmul snd_timer ghash_clmulni_intel snd mei_me mei ptp pps_core soundcore lpc_ich video crc32c_intel [last unloaded: media] CPU: 2 PID: 28332 Comm: v4l2-compliance Not tainted 3.18.102+ #107 Hardware name: /NUC5i7RYB, BIOS RYBDWi35.86A.0364.2017.0511.0949 05/11/2017 task: 8804293f8000 ti: 8803f564 task.ti: 8803f564 RIP: 0010:[] [] __put_v4l2_format32+0x169/0x220 [videodev] RSP: 0018:8803f5643e28 EFLAGS: 00010246 RAX: RBX: RCX: fffb1ab4 RDX: fffb1a68 RSI: fffb18d8 RDI: fffb1aa8 RBP: 8803f5643e48 R08: 0001 R09: 8803f54b0378 R10: R11: 0168 R12: fffb18c0 R13: fffb1a94 R14: fffb18c8 R15: FS: () GS:880456d0(0063) knlGS:f7100980 CS: 0010 DS: 002b ES: 002b CR0: 80050033 CR2: fffb18e0 CR3: 0003f552b000 CR4: 003407e0 Stack: fffb1a94 c0cc5640 0056 8804274f3600 8803f5643ed0 c0547e16 0003 8803f5643eb0 81301460 88009db44b01 880441942520 8800c0d05640 Call Trace: [] v4l2_compat_ioctl32+0x12d6/0x1b1d [videodev] [] ? file_has_perm+0x70/0xc0 [] compat_SyS_ioctl+0xec/0x1200 [] sysenter_dispatch+0x7/0x21 Code: 00 00 48 8b 80 48 c0 ff ff 48 83 e8 38 49 39 c6 0f 87 2b ff ff ff 49 8d 45 1c e8 a3 ce e3 c0 85 c0 0f 85 1a ff ff ff 41 8d 40 ff <4d> 8b 64 24 20 41 89 d5 48 8d 44 40 03 4d 8d 34 c4 eb 15 0f 1f RIP [] __put_v4l2_format32+0x169/0x220 [videodev] RSP CR2: fffb18e0 Tested with vivid driver on Kernel v3.18.102. Same bug happens upstream too: BUG: KASAN: user-memory-access in __put_v4l2_format32+0x98/0x4d0 [videodev] Read of size 8 at addr ffe48400 by task v4l2-compliance/8713 CPU: 0 PID: 8713 Comm: v4l2-compliance Not tainted 4.16.0-rc4+ #108 Hardware name: /NUC5i7RYB, BIOS RYBDWi35.86A.0364.2017.0511.0949 05/11/2017 Call Trace: dump_stack+0x5c/0x7c kasan_report+0x164/0x380 ? __put_v4l2_format32+0x98/0x4d0 [videodev] __put_v4l2_format32+0x98/0x4d0 [videodev] v4l2_compat_ioctl32+0x1aec/0x27a0 [videodev] ? __fsnotify_inode_delete+0x20/0x20 ? __put_v4l2_format32+0x4d0/0x4d0 [videodev] compat_SyS_ioctl+0x646/0x14d0 ? do_ioctl+0x30/0x30 do_fast_syscall_32+0x191/0x3f4 entry_SYSENTER_compat+0x6b/0x7a == Disabling lock debugging due to kernel taint BUG: unable to handle kernel paging request at ffe48400 IP: __put_v4l2_format32+0x98/0x4d0 [videodev] PGD 3a22fb067 P4D 3a22fb067 PUD 39b6f0067 PMD 39b6f1067 PTE 8003256af067 Oops: 0001 [#1] SMP KASAN Modules linked in: vivid videobuf2_vmalloc videobuf2_dma_contig videobuf2_memops v4l2_tpg v4l2_dv_timings videobuf2_v4l2 videobuf2_common v4l2_common videodev xt_CHECKSUM iptable_mangle ipt_MASQUERADE nf_nat_masquerade_ipv4 iptable_nat nf_nat_ipv4 nf_nat nf_conntrack_ipv4 nf_defrag_ipv4 xt_conntrack nf_conntrack libcrc32c tun bridge stp llc ebtable_filter ebtables ip6table_filter ip6_tables bluetooth rfkill ecdh_generic binfmt_misc snd_hda_codec_hdmi intel_rapl x86_pkg_temp_thermal intel_powerclamp i915 coretemp snd_hda_intel snd_hda_codec kvm_intel snd_hwdep snd_hda_core kvm snd_pcm irqbypass crct10dif_pclmul crc32_pclmul snd_seq_midi ghash_clmulni_intel snd_seq_midi_event i2c_algo_bit intel_cstate snd_rawmidi intel_uncore snd_seq drm_kms_helper e1000e snd_seq_device snd_timer intel_rapl_perf drm ptp snd mei_me mei lpc_ich pps_core soundcore video crc32c_intel CPU: 0 PID: 8713 Comm: v4l2-compliance Tainted: GB4.16.0-rc4+ #108 Hardware name: /NUC5i7RYB, BIOS RYBDWi35.86A.0364.2017.0511.0949 05/11/2017 RIP: 0010:__put_v4l2_format32+0x98/0x4d0 [videodev] RSP: 0018:8803b9