Re: [PATCH] media: v4l2-compat-ioctl32: don't oops on overlay
On 29/03/18 15:00, Mauro Carvalho Chehab wrote:
> Em Thu, 29 Mar 2018 10:40:23 +0200
> Hans Verkuil escreveu:
>
>> Hi Mauro,
>>
>> On 28/03/18 19:59, Mauro Carvalho Chehab wrote:
>>> At put_v4l2_window32(), it tries to access kp->clips. However,
>>> kp points to an userspace pointer. So, it should be obtained
>>> via get_user(), otherwise it can OOPS:
>>>
>>
>>
>>
>>>
>>> cc: sta...@vger.kernel.org
>>> Signed-off-by: Mauro Carvalho Chehab
>>> ---
>>> drivers/media/v4l2-core/v4l2-compat-ioctl32.c | 4 +++-
>>> 1 file changed, 3 insertions(+), 1 deletion(-)
>>>
>>> diff --git a/drivers/media/v4l2-core/v4l2-compat-ioctl32.c
>>> b/drivers/media/v4l2-core/v4l2-compat-ioctl32.c
>>> index 5198c9eeb348..4312935f1dfc 100644
>>> --- a/drivers/media/v4l2-core/v4l2-compat-ioctl32.c
>>> +++ b/drivers/media/v4l2-core/v4l2-compat-ioctl32.c
>>> @@ -101,7 +101,7 @@ static int get_v4l2_window32(struct v4l2_window __user
>>> *kp,
>>> static int put_v4l2_window32(struct v4l2_window __user *kp,
>>> struct v4l2_window32 __user *up)
>>> {
>>> - struct v4l2_clip __user *kclips = kp->clips;
>>> + struct v4l2_clip __user *kclips;
>>> struct v4l2_clip32 __user *uclips;
>>> compat_caddr_t p;
>>> u32 clipcount;
>>> @@ -116,6 +116,8 @@ static int put_v4l2_window32(struct v4l2_window __user
>>> *kp,
>>> if (!clipcount)
>>> return 0;
>>>
>>> + if (get_user(kclips, &kp->clips))
>>> + return -EFAULT;
>>> if (get_user(p, &up->clips))
>>> return -EFAULT;
>>> uclips = compat_ptr(p);
>>>
>>
>> Reviewed-by: Hans Verkuil
>>
>> I have no idea why I didn't find this when I tested this with
>> v4l2-compliance,
>> but the code was certainly wrong.
>
> I built 4.16-rc4 with KASAN enabled. Perhaps, it won't OOPS without
> it. Yet, I doubt it would work without this fix.
I definitely did not have KASAN enabled when I tested this.
Regards,
Hans
>
>>
>> Thank you for debugging this!
>
> Anytime.
>
> Thanks,
> Mauro
>
Re: [PATCH] media: v4l2-compat-ioctl32: don't oops on overlay
Em Thu, 29 Mar 2018 10:40:23 +0200
Hans Verkuil escreveu:
> Hi Mauro,
>
> On 28/03/18 19:59, Mauro Carvalho Chehab wrote:
> > At put_v4l2_window32(), it tries to access kp->clips. However,
> > kp points to an userspace pointer. So, it should be obtained
> > via get_user(), otherwise it can OOPS:
> >
>
>
>
> >
> > cc: sta...@vger.kernel.org
> > Signed-off-by: Mauro Carvalho Chehab
> > ---
> > drivers/media/v4l2-core/v4l2-compat-ioctl32.c | 4 +++-
> > 1 file changed, 3 insertions(+), 1 deletion(-)
> >
> > diff --git a/drivers/media/v4l2-core/v4l2-compat-ioctl32.c
> > b/drivers/media/v4l2-core/v4l2-compat-ioctl32.c
> > index 5198c9eeb348..4312935f1dfc 100644
> > --- a/drivers/media/v4l2-core/v4l2-compat-ioctl32.c
> > +++ b/drivers/media/v4l2-core/v4l2-compat-ioctl32.c
> > @@ -101,7 +101,7 @@ static int get_v4l2_window32(struct v4l2_window __user
> > *kp,
> > static int put_v4l2_window32(struct v4l2_window __user *kp,
> > struct v4l2_window32 __user *up)
> > {
> > - struct v4l2_clip __user *kclips = kp->clips;
> > + struct v4l2_clip __user *kclips;
> > struct v4l2_clip32 __user *uclips;
> > compat_caddr_t p;
> > u32 clipcount;
> > @@ -116,6 +116,8 @@ static int put_v4l2_window32(struct v4l2_window __user
> > *kp,
> > if (!clipcount)
> > return 0;
> >
> > + if (get_user(kclips, &kp->clips))
> > + return -EFAULT;
> > if (get_user(p, &up->clips))
> > return -EFAULT;
> > uclips = compat_ptr(p);
> >
>
> Reviewed-by: Hans Verkuil
>
> I have no idea why I didn't find this when I tested this with v4l2-compliance,
> but the code was certainly wrong.
I built 4.16-rc4 with KASAN enabled. Perhaps, it won't OOPS without
it. Yet, I doubt it would work without this fix.
>
> Thank you for debugging this!
Anytime.
Thanks,
Mauro
Re: [PATCH] media: v4l2-compat-ioctl32: don't oops on overlay
Hi Mauro,
On 28/03/18 19:59, Mauro Carvalho Chehab wrote:
> At put_v4l2_window32(), it tries to access kp->clips. However,
> kp points to an userspace pointer. So, it should be obtained
> via get_user(), otherwise it can OOPS:
>
>
> cc: sta...@vger.kernel.org
> Signed-off-by: Mauro Carvalho Chehab
> ---
> drivers/media/v4l2-core/v4l2-compat-ioctl32.c | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/media/v4l2-core/v4l2-compat-ioctl32.c
> b/drivers/media/v4l2-core/v4l2-compat-ioctl32.c
> index 5198c9eeb348..4312935f1dfc 100644
> --- a/drivers/media/v4l2-core/v4l2-compat-ioctl32.c
> +++ b/drivers/media/v4l2-core/v4l2-compat-ioctl32.c
> @@ -101,7 +101,7 @@ static int get_v4l2_window32(struct v4l2_window __user
> *kp,
> static int put_v4l2_window32(struct v4l2_window __user *kp,
>struct v4l2_window32 __user *up)
> {
> - struct v4l2_clip __user *kclips = kp->clips;
> + struct v4l2_clip __user *kclips;
> struct v4l2_clip32 __user *uclips;
> compat_caddr_t p;
> u32 clipcount;
> @@ -116,6 +116,8 @@ static int put_v4l2_window32(struct v4l2_window __user
> *kp,
> if (!clipcount)
> return 0;
>
> + if (get_user(kclips, &kp->clips))
> + return -EFAULT;
> if (get_user(p, &up->clips))
> return -EFAULT;
> uclips = compat_ptr(p);
>
Reviewed-by: Hans Verkuil
I have no idea why I didn't find this when I tested this with v4l2-compliance,
but the code was certainly wrong.
Thank you for debugging this!
Regards,
Hans
Re: [PATCH] media: v4l2-compat-ioctl32: don't oops on overlay
Hi Sakari, On Thursday, 29 March 2018 10:35:49 EEST Sakari Ailus wrote: > On Thu, Mar 29, 2018 at 09:19:43AM +0300, Laurent Pinchart wrote: > > On Wednesday, 28 March 2018 23:16:08 EEST Sakari Ailus wrote: > > > On Wed, Mar 28, 2018 at 02:59:22PM -0300, Mauro Carvalho Chehab wrote: > > > > At put_v4l2_window32(), it tries to access kp->clips. However, > > > > kp points to an userspace pointer. So, it should be obtained > > > > > > > > via get_user(), otherwise it can OOPS: > > > > vivid-000: == END STATUS == > > > > BUG: unable to handle kernel paging request at fffb18e0 > > > > IP: [] __put_v4l2_format32+0x169/0x220 [videodev] > > > > PGD 3f5776067 PUD 3f576f067 PMD 3f5769067 PTE 80042548f067 > > > > Oops: 0001 [#1] SMP > > > > Modules linked in: vivid videobuf2_vmalloc videobuf2_memops > > > > v4l2_dv_timings videobuf2_core v4l2_common videodev media xt_CHECKSUM > > > > iptable_mangle ipt_MASQUERADE nf_nat_masquerade_ipv4 iptable_nat > > > > nf_nat_ipv4 nf_nat nf_conntrack_ipv4 nf_defrag_ipv4 xt_conntrack > > > > nf_conntrack tun bridge stp llc ebtable_filter ebtables > > > > ip6table_filter > > > > ip6_tables bluetooth rfkill binfmt_misc snd_hda_codec_hdmi i915 > > > > snd_hda_intel snd_hda_controller snd_hda_codec intel_rapl > > > > x86_pkg_temp_thermal snd_hwdep intel_powerclamp snd_pcm coretemp > > > > snd_seq_midi kvm_intel kvm snd_seq_midi_event snd_rawmidi > > > > i2c_algo_bit > > > > drm_kms_helper snd_seq drm crct10dif_pclmul e1000e snd_seq_device > > > > crc32_pclmul snd_timer ghash_clmulni_intel snd mei_me mei ptp > > > > pps_core > > > > soundcore lpc_ich video crc32c_intel [last unloaded: media] CPU: 2 > > > > PID: > > > > > > > > 28332 Comm: v4l2-compliance Not tainted 3.18.102+ #107 Hardware name: > > > >/NUC5i7RYB, BIOS RYBDWi35.86A.0364.2017.0511.0949 > > > > > > > > 05/11/2017 task: 8804293f8000 ti: 8803f564 task.ti: > > > > 8803f564 RIP: 0010:[] [] > > > > __put_v4l2_format32+0x169/0x220 [videodev] RSP: 0018:8803f5643e28 > > > > EFLAGS: 00010246 > > > > RAX: RBX: RCX: fffb1ab4 > > > > RDX: fffb1a68 RSI: fffb18d8 RDI: fffb1aa8 > > > > RBP: 8803f5643e48 R08: 0001 R09: 8803f54b0378 > > > > R10: R11: 0168 R12: fffb18c0 > > > > R13: fffb1a94 R14: fffb18c8 R15: > > > > FS: () GS:880456d0(0063) > > > > knlGS:f7100980 CS: 0010 DS: 002b ES: 002b CR0: > > > > 80050033 > > > > CR2: fffb18e0 CR3: 0003f552b000 CR4: 003407e0 > > > > > > > > Stack: > > > > fffb1a94 c0cc5640 0056 8804274f3600 > > > > 8803f5643ed0 c0547e16 0003 8803f5643eb0 > > > > 81301460 88009db44b01 880441942520 8800c0d05640 > > > > > > > > Call Trace: > > > > [] v4l2_compat_ioctl32+0x12d6/0x1b1d [videodev] > > > > [] ? file_has_perm+0x70/0xc0 > > > > [] compat_SyS_ioctl+0xec/0x1200 > > > > [] sysenter_dispatch+0x7/0x21 > > > > > > > > Code: 00 00 48 8b 80 48 c0 ff ff 48 83 e8 38 49 39 c6 0f 87 2b ff ff > > > > ff > > > > 49 8d 45 1c e8 a3 ce e3 c0 85 c0 0f 85 1a ff ff ff 41 8d 40 ff <4d> > > > > 8b > > > > 64 24 20 41 89 d5 48 8d 44 40 03 4d 8d 34 c4 eb 15 0f 1f RIP > > > > [] __put_v4l2_format32+0x169/0x220 [videodev] RSP > > > > > > > > CR2: fffb18e0 > > > > > > > > Tested with vivid driver on Kernel v3.18.102. > > > > > > > > Same bug happens upstream too: > > > > BUG: KASAN: user-memory-access in __put_v4l2_format32+0x98/0x4d0 > > > > [videodev] > > > > Read of size 8 at addr ffe48400 by task v4l2-compliance/8713 > > > > > > > > CPU: 0 PID: 8713 Comm: v4l2-compliance Not tainted 4.16.0-rc4+ #108 > > > > Hardware name: /NUC5i7RYB, BIOS RYBDWi35.86A.0364.2017.0511.0949 > > > > 05/11/2017> > > > > > > > > Call Trace: > > > > dump_stack+0x5c/0x7c > > > > kasan_report+0x164/0x380 > > > > ? __put_v4l2_format32+0x98/0x4d0 [videodev] > > > > __put_v4l2_format32+0x98/0x4d0 [videodev] > > > > v4l2_compat_ioctl32+0x1aec/0x27a0 [videodev] > > > > ? __fsnotify_inode_delete+0x20/0x20 > > > > ? __put_v4l2_format32+0x4d0/0x4d0 [videodev] > > > > compat_SyS_ioctl+0x646/0x14d0 > > > > ? do_ioctl+0x30/0x30 > > > > do_fast_syscall_32+0x191/0x3f4 > > > > entry_SYSENTER_compat+0x6b/0x7a > > > > > > > > == > > > > Disabling lock debugging due to kernel taint > > > > BUG: unable to handle kernel paging request at ffe48400 > > > > IP: __put_v4l2_format32+0x98/0x4d0 [videodev] > > > > PGD 3a22fb067 P4D 3a22fb067 PUD 39b6f0067 PMD 39b6f1067 PTE > > > > 8003256af067 Oops: 0001 [#1] SMP KASAN > > > > Modules linked in: vivid videobuf2_vmalloc videobuf2_dma_contig > > >
Re: [PATCH] media: v4l2-compat-ioctl32: don't oops on overlay
On Thu, Mar 29, 2018 at 09:19:43AM +0300, Laurent Pinchart wrote: > Hello, > > On Wednesday, 28 March 2018 23:16:08 EEST Sakari Ailus wrote: > > On Wed, Mar 28, 2018 at 02:59:22PM -0300, Mauro Carvalho Chehab wrote: > > > At put_v4l2_window32(), it tries to access kp->clips. However, > > > kp points to an userspace pointer. So, it should be obtained > > > > > > via get_user(), otherwise it can OOPS: > > > vivid-000: == END STATUS == > > > BUG: unable to handle kernel paging request at fffb18e0 > > > IP: [] __put_v4l2_format32+0x169/0x220 [videodev] > > > PGD 3f5776067 PUD 3f576f067 PMD 3f5769067 PTE 80042548f067 > > > Oops: 0001 [#1] SMP > > > Modules linked in: vivid videobuf2_vmalloc videobuf2_memops > > > v4l2_dv_timings videobuf2_core v4l2_common videodev media xt_CHECKSUM > > > iptable_mangle ipt_MASQUERADE nf_nat_masquerade_ipv4 iptable_nat > > > nf_nat_ipv4 nf_nat nf_conntrack_ipv4 nf_defrag_ipv4 xt_conntrack > > > nf_conntrack tun bridge stp llc ebtable_filter ebtables ip6table_filter > > > ip6_tables bluetooth rfkill binfmt_misc snd_hda_codec_hdmi i915 > > > snd_hda_intel snd_hda_controller snd_hda_codec intel_rapl > > > x86_pkg_temp_thermal snd_hwdep intel_powerclamp snd_pcm coretemp > > > snd_seq_midi kvm_intel kvm snd_seq_midi_event snd_rawmidi i2c_algo_bit > > > drm_kms_helper snd_seq drm crct10dif_pclmul e1000e snd_seq_device > > > crc32_pclmul snd_timer ghash_clmulni_intel snd mei_me mei ptp pps_core > > > soundcore lpc_ich video crc32c_intel [last unloaded: media] CPU: 2 PID: > > > 28332 Comm: v4l2-compliance Not tainted 3.18.102+ #107 Hardware name: > > >/NUC5i7RYB, BIOS RYBDWi35.86A.0364.2017.0511.0949 > > > 05/11/2017 task: 8804293f8000 ti: 8803f564 task.ti: > > > 8803f564 RIP: 0010:[] [] > > > __put_v4l2_format32+0x169/0x220 [videodev] RSP: 0018:8803f5643e28 > > > EFLAGS: 00010246 > > > RAX: RBX: RCX: fffb1ab4 > > > RDX: fffb1a68 RSI: fffb18d8 RDI: fffb1aa8 > > > RBP: 8803f5643e48 R08: 0001 R09: 8803f54b0378 > > > R10: R11: 0168 R12: fffb18c0 > > > R13: fffb1a94 R14: fffb18c8 R15: > > > FS: () GS:880456d0(0063) > > > knlGS:f7100980 CS: 0010 DS: 002b ES: 002b CR0: 80050033 > > > CR2: fffb18e0 CR3: 0003f552b000 CR4: 003407e0 > > > > > > Stack: > > > fffb1a94 c0cc5640 0056 8804274f3600 > > > 8803f5643ed0 c0547e16 0003 8803f5643eb0 > > > 81301460 88009db44b01 880441942520 8800c0d05640 > > > > > > Call Trace: > > > [] v4l2_compat_ioctl32+0x12d6/0x1b1d [videodev] > > > [] ? file_has_perm+0x70/0xc0 > > > [] compat_SyS_ioctl+0xec/0x1200 > > > [] sysenter_dispatch+0x7/0x21 > > > > > > Code: 00 00 48 8b 80 48 c0 ff ff 48 83 e8 38 49 39 c6 0f 87 2b ff ff ff > > > 49 8d 45 1c e8 a3 ce e3 c0 85 c0 0f 85 1a ff ff ff 41 8d 40 ff <4d> 8b > > > 64 24 20 41 89 d5 48 8d 44 40 03 4d 8d 34 c4 eb 15 0f 1f RIP > > > [] __put_v4l2_format32+0x169/0x220 [videodev] RSP > > > > > > CR2: fffb18e0 > > > > > > Tested with vivid driver on Kernel v3.18.102. > > > > > > Same bug happens upstream too: > > > BUG: KASAN: user-memory-access in __put_v4l2_format32+0x98/0x4d0 > > > [videodev] > > > Read of size 8 at addr ffe48400 by task v4l2-compliance/8713 > > > > > > CPU: 0 PID: 8713 Comm: v4l2-compliance Not tainted 4.16.0-rc4+ #108 > > > Hardware name: /NUC5i7RYB, BIOS RYBDWi35.86A.0364.2017.0511.0949 > > > 05/11/2017> > > > Call Trace: > > > dump_stack+0x5c/0x7c > > > kasan_report+0x164/0x380 > > > ? __put_v4l2_format32+0x98/0x4d0 [videodev] > > > __put_v4l2_format32+0x98/0x4d0 [videodev] > > > v4l2_compat_ioctl32+0x1aec/0x27a0 [videodev] > > > ? __fsnotify_inode_delete+0x20/0x20 > > > ? __put_v4l2_format32+0x4d0/0x4d0 [videodev] > > > compat_SyS_ioctl+0x646/0x14d0 > > > ? do_ioctl+0x30/0x30 > > > do_fast_syscall_32+0x191/0x3f4 > > > entry_SYSENTER_compat+0x6b/0x7a > > > > > > == > > > Disabling lock debugging due to kernel taint > > > BUG: unable to handle kernel paging request at ffe48400 > > > IP: __put_v4l2_format32+0x98/0x4d0 [videodev] > > > PGD 3a22fb067 P4D 3a22fb067 PUD 39b6f0067 PMD 39b6f1067 PTE > > > 8003256af067 Oops: 0001 [#1] SMP KASAN > > > Modules linked in: vivid videobuf2_vmalloc videobuf2_dma_contig > > > videobuf2_memops v4l2_tpg v4l2_dv_timings videobuf2_v4l2 > > > videobuf2_common v4l2_common videodev xt_CHECKSUM iptable_mangle > > > ipt_MASQUERADE nf_nat_masquerade_ipv4 iptable_nat nf_nat_ipv4 nf_nat > > > nf_conntrack_ipv4 nf_defrag_ipv4 xt_conntrack nf_conntrack libcrc32c tun > > > bridge stp llc ebtable_filt
Re: [PATCH] media: v4l2-compat-ioctl32: don't oops on overlay
Hello, On Wednesday, 28 March 2018 23:16:08 EEST Sakari Ailus wrote: > On Wed, Mar 28, 2018 at 02:59:22PM -0300, Mauro Carvalho Chehab wrote: > > At put_v4l2_window32(), it tries to access kp->clips. However, > > kp points to an userspace pointer. So, it should be obtained > > > > via get_user(), otherwise it can OOPS: > > vivid-000: == END STATUS == > > BUG: unable to handle kernel paging request at fffb18e0 > > IP: [] __put_v4l2_format32+0x169/0x220 [videodev] > > PGD 3f5776067 PUD 3f576f067 PMD 3f5769067 PTE 80042548f067 > > Oops: 0001 [#1] SMP > > Modules linked in: vivid videobuf2_vmalloc videobuf2_memops > > v4l2_dv_timings videobuf2_core v4l2_common videodev media xt_CHECKSUM > > iptable_mangle ipt_MASQUERADE nf_nat_masquerade_ipv4 iptable_nat > > nf_nat_ipv4 nf_nat nf_conntrack_ipv4 nf_defrag_ipv4 xt_conntrack > > nf_conntrack tun bridge stp llc ebtable_filter ebtables ip6table_filter > > ip6_tables bluetooth rfkill binfmt_misc snd_hda_codec_hdmi i915 > > snd_hda_intel snd_hda_controller snd_hda_codec intel_rapl > > x86_pkg_temp_thermal snd_hwdep intel_powerclamp snd_pcm coretemp > > snd_seq_midi kvm_intel kvm snd_seq_midi_event snd_rawmidi i2c_algo_bit > > drm_kms_helper snd_seq drm crct10dif_pclmul e1000e snd_seq_device > > crc32_pclmul snd_timer ghash_clmulni_intel snd mei_me mei ptp pps_core > > soundcore lpc_ich video crc32c_intel [last unloaded: media] CPU: 2 PID: > > 28332 Comm: v4l2-compliance Not tainted 3.18.102+ #107 Hardware name: > >/NUC5i7RYB, BIOS RYBDWi35.86A.0364.2017.0511.0949 > > 05/11/2017 task: 8804293f8000 ti: 8803f564 task.ti: > > 8803f564 RIP: 0010:[] [] > > __put_v4l2_format32+0x169/0x220 [videodev] RSP: 0018:8803f5643e28 > > EFLAGS: 00010246 > > RAX: RBX: RCX: fffb1ab4 > > RDX: fffb1a68 RSI: fffb18d8 RDI: fffb1aa8 > > RBP: 8803f5643e48 R08: 0001 R09: 8803f54b0378 > > R10: R11: 0168 R12: fffb18c0 > > R13: fffb1a94 R14: fffb18c8 R15: > > FS: () GS:880456d0(0063) > > knlGS:f7100980 CS: 0010 DS: 002b ES: 002b CR0: 80050033 > > CR2: fffb18e0 CR3: 0003f552b000 CR4: 003407e0 > > > > Stack: > > fffb1a94 c0cc5640 0056 8804274f3600 > > 8803f5643ed0 c0547e16 0003 8803f5643eb0 > > 81301460 88009db44b01 880441942520 8800c0d05640 > > > > Call Trace: > > [] v4l2_compat_ioctl32+0x12d6/0x1b1d [videodev] > > [] ? file_has_perm+0x70/0xc0 > > [] compat_SyS_ioctl+0xec/0x1200 > > [] sysenter_dispatch+0x7/0x21 > > > > Code: 00 00 48 8b 80 48 c0 ff ff 48 83 e8 38 49 39 c6 0f 87 2b ff ff ff > > 49 8d 45 1c e8 a3 ce e3 c0 85 c0 0f 85 1a ff ff ff 41 8d 40 ff <4d> 8b > > 64 24 20 41 89 d5 48 8d 44 40 03 4d 8d 34 c4 eb 15 0f 1f RIP > > [] __put_v4l2_format32+0x169/0x220 [videodev] RSP > > > > CR2: fffb18e0 > > > > Tested with vivid driver on Kernel v3.18.102. > > > > Same bug happens upstream too: > > BUG: KASAN: user-memory-access in __put_v4l2_format32+0x98/0x4d0 > > [videodev] > > Read of size 8 at addr ffe48400 by task v4l2-compliance/8713 > > > > CPU: 0 PID: 8713 Comm: v4l2-compliance Not tainted 4.16.0-rc4+ #108 > > Hardware name: /NUC5i7RYB, BIOS RYBDWi35.86A.0364.2017.0511.0949 > > 05/11/2017> > > Call Trace: > > dump_stack+0x5c/0x7c > > kasan_report+0x164/0x380 > > ? __put_v4l2_format32+0x98/0x4d0 [videodev] > > __put_v4l2_format32+0x98/0x4d0 [videodev] > > v4l2_compat_ioctl32+0x1aec/0x27a0 [videodev] > > ? __fsnotify_inode_delete+0x20/0x20 > > ? __put_v4l2_format32+0x4d0/0x4d0 [videodev] > > compat_SyS_ioctl+0x646/0x14d0 > > ? do_ioctl+0x30/0x30 > > do_fast_syscall_32+0x191/0x3f4 > > entry_SYSENTER_compat+0x6b/0x7a > > > > == > > Disabling lock debugging due to kernel taint > > BUG: unable to handle kernel paging request at ffe48400 > > IP: __put_v4l2_format32+0x98/0x4d0 [videodev] > > PGD 3a22fb067 P4D 3a22fb067 PUD 39b6f0067 PMD 39b6f1067 PTE > > 8003256af067 Oops: 0001 [#1] SMP KASAN > > Modules linked in: vivid videobuf2_vmalloc videobuf2_dma_contig > > videobuf2_memops v4l2_tpg v4l2_dv_timings videobuf2_v4l2 > > videobuf2_common v4l2_common videodev xt_CHECKSUM iptable_mangle > > ipt_MASQUERADE nf_nat_masquerade_ipv4 iptable_nat nf_nat_ipv4 nf_nat > > nf_conntrack_ipv4 nf_defrag_ipv4 xt_conntrack nf_conntrack libcrc32c tun > > bridge stp llc ebtable_filter ebtables ip6table_filter ip6_tables > > bluetooth rfkill ecdh_generic binfmt_misc snd_hda_codec_hdmi intel_rapl > > x86_pkg_temp_thermal intel_powerclamp i915 coretemp snd_hda_intel > > snd_hda_codec kvm_intel snd_hwdep snd_hda_core kvm snd_pcm i
Re: [PATCH] media: v4l2-compat-ioctl32: don't oops on overlay
Hi Mauro, On Wed, Mar 28, 2018 at 02:59:22PM -0300, Mauro Carvalho Chehab wrote: > At put_v4l2_window32(), it tries to access kp->clips. However, > kp points to an userspace pointer. So, it should be obtained > via get_user(), otherwise it can OOPS: > > vivid-000: == END STATUS == > BUG: unable to handle kernel paging request at fffb18e0 > IP: [] __put_v4l2_format32+0x169/0x220 [videodev] > PGD 3f5776067 PUD 3f576f067 PMD 3f5769067 PTE 80042548f067 > Oops: 0001 [#1] SMP > Modules linked in: vivid videobuf2_vmalloc videobuf2_memops v4l2_dv_timings > videobuf2_core v4l2_common videodev media xt_CHECKSUM iptable_mangle > ipt_MASQUERADE nf_nat_masquerade_ipv4 iptable_nat nf_nat_ipv4 nf_nat > nf_conntrack_ipv4 nf_defrag_ipv4 xt_conntrack nf_conntrack tun bridge stp llc > ebtable_filter ebtables ip6table_filter ip6_tables bluetooth rfkill > binfmt_misc snd_hda_codec_hdmi i915 snd_hda_intel snd_hda_controller > snd_hda_codec intel_rapl x86_pkg_temp_thermal snd_hwdep intel_powerclamp > snd_pcm coretemp snd_seq_midi kvm_intel kvm snd_seq_midi_event snd_rawmidi > i2c_algo_bit drm_kms_helper snd_seq drm crct10dif_pclmul e1000e > snd_seq_device crc32_pclmul snd_timer ghash_clmulni_intel snd mei_me mei ptp > pps_core soundcore lpc_ich video crc32c_intel [last unloaded: media] > CPU: 2 PID: 28332 Comm: v4l2-compliance Not tainted 3.18.102+ #107 > Hardware name: /NUC5i7RYB, BIOS > RYBDWi35.86A.0364.2017.0511.0949 05/11/2017 > task: 8804293f8000 ti: 8803f564 task.ti: 8803f564 > RIP: 0010:[] [] > __put_v4l2_format32+0x169/0x220 [videodev] > RSP: 0018:8803f5643e28 EFLAGS: 00010246 > RAX: RBX: RCX: fffb1ab4 > RDX: fffb1a68 RSI: fffb18d8 RDI: fffb1aa8 > RBP: 8803f5643e48 R08: 0001 R09: 8803f54b0378 > R10: R11: 0168 R12: fffb18c0 > R13: fffb1a94 R14: fffb18c8 R15: > FS: () GS:880456d0(0063) knlGS:f7100980 > CS: 0010 DS: 002b ES: 002b CR0: 80050033 > CR2: fffb18e0 CR3: 0003f552b000 CR4: 003407e0 > Stack: > fffb1a94 c0cc5640 0056 8804274f3600 > 8803f5643ed0 c0547e16 0003 8803f5643eb0 > 81301460 88009db44b01 880441942520 8800c0d05640 > Call Trace: > [] v4l2_compat_ioctl32+0x12d6/0x1b1d [videodev] > [] ? file_has_perm+0x70/0xc0 > [] compat_SyS_ioctl+0xec/0x1200 > [] sysenter_dispatch+0x7/0x21 > Code: 00 00 48 8b 80 48 c0 ff ff 48 83 e8 38 49 39 c6 0f 87 2b ff ff ff 49 > 8d 45 1c e8 a3 ce e3 c0 85 c0 0f 85 1a ff ff ff 41 8d 40 ff <4d> 8b 64 24 20 > 41 89 d5 48 8d 44 40 03 4d 8d 34 c4 eb 15 0f 1f > RIP [] __put_v4l2_format32+0x169/0x220 [videodev] > RSP > CR2: fffb18e0 > > Tested with vivid driver on Kernel v3.18.102. > > Same bug happens upstream too: > > BUG: KASAN: user-memory-access in __put_v4l2_format32+0x98/0x4d0 [videodev] > Read of size 8 at addr ffe48400 by task v4l2-compliance/8713 > > CPU: 0 PID: 8713 Comm: v4l2-compliance Not tainted 4.16.0-rc4+ #108 > Hardware name: /NUC5i7RYB, BIOS RYBDWi35.86A.0364.2017.0511.0949 05/11/2017 > Call Trace: > dump_stack+0x5c/0x7c > kasan_report+0x164/0x380 > ? __put_v4l2_format32+0x98/0x4d0 [videodev] > __put_v4l2_format32+0x98/0x4d0 [videodev] > v4l2_compat_ioctl32+0x1aec/0x27a0 [videodev] > ? __fsnotify_inode_delete+0x20/0x20 > ? __put_v4l2_format32+0x4d0/0x4d0 [videodev] > compat_SyS_ioctl+0x646/0x14d0 > ? do_ioctl+0x30/0x30 > do_fast_syscall_32+0x191/0x3f4 > entry_SYSENTER_compat+0x6b/0x7a > == > Disabling lock debugging due to kernel taint > BUG: unable to handle kernel paging request at ffe48400 > IP: __put_v4l2_format32+0x98/0x4d0 [videodev] > PGD 3a22fb067 P4D 3a22fb067 PUD 39b6f0067 PMD 39b6f1067 PTE 8003256af067 > Oops: 0001 [#1] SMP KASAN > Modules linked in: vivid videobuf2_vmalloc videobuf2_dma_contig > videobuf2_memops v4l2_tpg v4l2_dv_timings videobuf2_v4l2 videobuf2_common > v4l2_common videodev xt_CHECKSUM iptable_mangle ipt_MASQUERADE > nf_nat_masquerade_ipv4 iptable_nat nf_nat_ipv4 nf_nat nf_conntrack_ipv4 > nf_defrag_ipv4 xt_conntrack nf_conntrack libcrc32c tun bridge stp llc > ebtable_filter ebtables ip6table_filter ip6_tables bluetooth rfkill > ecdh_generic binfmt_misc snd_hda_codec_hdmi intel_rapl x86_pkg_temp_thermal > intel_powerclamp i915 coretemp snd_hda_intel snd_hda_codec kvm_intel > snd_hwdep snd_hda_core kvm snd_pcm irqbypass crct10dif_pclmul crc32_pclmul > snd_seq_midi ghash_clmulni_intel snd_seq_midi_event i2c_algo_bit intel_cstate > snd_rawmidi intel_uncore snd_seq drm_kms_helper e1000e snd_seq_device > snd_timer intel_rapl_perf > drm ptp snd mei_me mei lpc_ich pps_core so
[PATCH] media: v4l2-compat-ioctl32: don't oops on overlay
At put_v4l2_window32(), it tries to access kp->clips. However, kp points to an userspace pointer. So, it should be obtained via get_user(), otherwise it can OOPS: vivid-000: == END STATUS == BUG: unable to handle kernel paging request at fffb18e0 IP: [] __put_v4l2_format32+0x169/0x220 [videodev] PGD 3f5776067 PUD 3f576f067 PMD 3f5769067 PTE 80042548f067 Oops: 0001 [#1] SMP Modules linked in: vivid videobuf2_vmalloc videobuf2_memops v4l2_dv_timings videobuf2_core v4l2_common videodev media xt_CHECKSUM iptable_mangle ipt_MASQUERADE nf_nat_masquerade_ipv4 iptable_nat nf_nat_ipv4 nf_nat nf_conntrack_ipv4 nf_defrag_ipv4 xt_conntrack nf_conntrack tun bridge stp llc ebtable_filter ebtables ip6table_filter ip6_tables bluetooth rfkill binfmt_misc snd_hda_codec_hdmi i915 snd_hda_intel snd_hda_controller snd_hda_codec intel_rapl x86_pkg_temp_thermal snd_hwdep intel_powerclamp snd_pcm coretemp snd_seq_midi kvm_intel kvm snd_seq_midi_event snd_rawmidi i2c_algo_bit drm_kms_helper snd_seq drm crct10dif_pclmul e1000e snd_seq_device crc32_pclmul snd_timer ghash_clmulni_intel snd mei_me mei ptp pps_core soundcore lpc_ich video crc32c_intel [last unloaded: media] CPU: 2 PID: 28332 Comm: v4l2-compliance Not tainted 3.18.102+ #107 Hardware name: /NUC5i7RYB, BIOS RYBDWi35.86A.0364.2017.0511.0949 05/11/2017 task: 8804293f8000 ti: 8803f564 task.ti: 8803f564 RIP: 0010:[] [] __put_v4l2_format32+0x169/0x220 [videodev] RSP: 0018:8803f5643e28 EFLAGS: 00010246 RAX: RBX: RCX: fffb1ab4 RDX: fffb1a68 RSI: fffb18d8 RDI: fffb1aa8 RBP: 8803f5643e48 R08: 0001 R09: 8803f54b0378 R10: R11: 0168 R12: fffb18c0 R13: fffb1a94 R14: fffb18c8 R15: FS: () GS:880456d0(0063) knlGS:f7100980 CS: 0010 DS: 002b ES: 002b CR0: 80050033 CR2: fffb18e0 CR3: 0003f552b000 CR4: 003407e0 Stack: fffb1a94 c0cc5640 0056 8804274f3600 8803f5643ed0 c0547e16 0003 8803f5643eb0 81301460 88009db44b01 880441942520 8800c0d05640 Call Trace: [] v4l2_compat_ioctl32+0x12d6/0x1b1d [videodev] [] ? file_has_perm+0x70/0xc0 [] compat_SyS_ioctl+0xec/0x1200 [] sysenter_dispatch+0x7/0x21 Code: 00 00 48 8b 80 48 c0 ff ff 48 83 e8 38 49 39 c6 0f 87 2b ff ff ff 49 8d 45 1c e8 a3 ce e3 c0 85 c0 0f 85 1a ff ff ff 41 8d 40 ff <4d> 8b 64 24 20 41 89 d5 48 8d 44 40 03 4d 8d 34 c4 eb 15 0f 1f RIP [] __put_v4l2_format32+0x169/0x220 [videodev] RSP CR2: fffb18e0 Tested with vivid driver on Kernel v3.18.102. Same bug happens upstream too: BUG: KASAN: user-memory-access in __put_v4l2_format32+0x98/0x4d0 [videodev] Read of size 8 at addr ffe48400 by task v4l2-compliance/8713 CPU: 0 PID: 8713 Comm: v4l2-compliance Not tainted 4.16.0-rc4+ #108 Hardware name: /NUC5i7RYB, BIOS RYBDWi35.86A.0364.2017.0511.0949 05/11/2017 Call Trace: dump_stack+0x5c/0x7c kasan_report+0x164/0x380 ? __put_v4l2_format32+0x98/0x4d0 [videodev] __put_v4l2_format32+0x98/0x4d0 [videodev] v4l2_compat_ioctl32+0x1aec/0x27a0 [videodev] ? __fsnotify_inode_delete+0x20/0x20 ? __put_v4l2_format32+0x4d0/0x4d0 [videodev] compat_SyS_ioctl+0x646/0x14d0 ? do_ioctl+0x30/0x30 do_fast_syscall_32+0x191/0x3f4 entry_SYSENTER_compat+0x6b/0x7a == Disabling lock debugging due to kernel taint BUG: unable to handle kernel paging request at ffe48400 IP: __put_v4l2_format32+0x98/0x4d0 [videodev] PGD 3a22fb067 P4D 3a22fb067 PUD 39b6f0067 PMD 39b6f1067 PTE 8003256af067 Oops: 0001 [#1] SMP KASAN Modules linked in: vivid videobuf2_vmalloc videobuf2_dma_contig videobuf2_memops v4l2_tpg v4l2_dv_timings videobuf2_v4l2 videobuf2_common v4l2_common videodev xt_CHECKSUM iptable_mangle ipt_MASQUERADE nf_nat_masquerade_ipv4 iptable_nat nf_nat_ipv4 nf_nat nf_conntrack_ipv4 nf_defrag_ipv4 xt_conntrack nf_conntrack libcrc32c tun bridge stp llc ebtable_filter ebtables ip6table_filter ip6_tables bluetooth rfkill ecdh_generic binfmt_misc snd_hda_codec_hdmi intel_rapl x86_pkg_temp_thermal intel_powerclamp i915 coretemp snd_hda_intel snd_hda_codec kvm_intel snd_hwdep snd_hda_core kvm snd_pcm irqbypass crct10dif_pclmul crc32_pclmul snd_seq_midi ghash_clmulni_intel snd_seq_midi_event i2c_algo_bit intel_cstate snd_rawmidi intel_uncore snd_seq drm_kms_helper e1000e snd_seq_device snd_timer intel_rapl_perf drm ptp snd mei_me mei lpc_ich pps_core soundcore video crc32c_intel CPU: 0 PID: 8713 Comm: v4l2-compliance Tainted: GB4.16.0-rc4+ #108 Hardware name: /NUC5i7RYB, BIOS RYBDWi35.86A.0364.2017.0511.0949 05/11/2017 RIP: 0010:__put_v4l2_format32+0x98/0x4d0 [videodev] RSP: 0018:8803b9
