diff mbox

media: v4l2-core: fix size of devnode_nums[] bitarray

Message ID 396f34f80c0e34480910319d56c8d64ff8c1589e.1522922624.git.mchehab@s-opensource.com (mailing list archive)
State New, archived
Headers show

Commit Message

Mauro Carvalho Chehab April 5, 2018, 10:03 a.m. UTC
The size of devnode_nums[] bit array is too short to store information
for VFL_TYPE_TOUCH. That causes it to override other memory regions.

Thankfully, on recent reports, it is overriding video_device[] array,
trigging a WARN_ON(). Yet, it just warns about the problem, but let
the code excecuting, with generates an OOPS:

[   43.177394] WARNING: CPU: 1 PID: 711 at drivers/media/v4l2-core/v4l2-dev.c:945 __video_register_device+0xc99/0x1090 [videodev]
[   43.177396] Modules linked in: hid_sensor_custom hid_sensor_als hid_sensor_incl_3d hid_sensor_rotation hid_sensor_magn_3d hid_sensor_accel_3d hid_sensor_gyro_3d hid_sensor_trigger industrialio_triggered_buffer kfifo_buf joydev hid_sensor_iio_common hid_rmi(+) rmi_core industrialio videobuf2_vmalloc videobuf2_memops videobuf2_v4l2 videobuf2_common videodev hid_multitouch media hid_sensor_hub binfmt_misc nls_iso8859_1 snd_hda_codec_hdmi arc4 snd_soc_skl snd_soc_skl_ipc snd_hda_ext_core snd_soc_sst_dsp snd_soc_sst_ipc snd_hda_codec_realtek snd_soc_acpi snd_hda_codec_generic snd_soc_core snd_compress ac97_bus snd_pcm_dmaengine snd_hda_intel snd_hda_codec intel_rapl snd_hda_core x86_pkg_temp_thermal snd_hwdep intel_powerclamp coretemp snd_pcm kvm_intel snd_seq_midi snd_seq_midi_event snd_rawmidi crct10dif_pclmul
[   43.177426]  crc32_pclmul ghash_clmulni_intel iwlmvm pcbc mac80211 snd_seq aesni_intel iwlwifi aes_x86_64 snd_seq_device crypto_simd glue_helper cryptd snd_timer intel_cstate intel_rapl_perf input_leds serio_raw intel_wmi_thunderbolt snd wmi_bmof cfg80211 soundcore ideapad_laptop sparse_keymap idma64 virt_dma tpm_crb acpi_pad int3400_thermal acpi_thermal_rel intel_pch_thermal processor_thermal_device mac_hid int340x_thermal_zone mei_me intel_soc_dts_iosf mei intel_lpss_pci shpchp intel_lpss sch_fq_codel vfio_pci nfsd vfio_virqfd parport_pc ppdev auth_rpcgss nfs_acl lockd grace lp parport sunrpc ip_tables x_tables autofs4 hid_logitech_hidpp hid_logitech_dj hid_generic usbhid kvmgt vfio_mdev mdev vfio_iommu_type1 vfio kvm irqbypass i915 i2c_algo_bit drm_kms_helper syscopyarea sdhci_pci sysfillrect
[   43.177466]  sysimgblt cqhci fb_sys_fops sdhci drm i2c_hid wmi hid video pinctrl_sunrisepoint pinctrl_intel
[   43.177474] CPU: 1 PID: 711 Comm: systemd-udevd Not tainted 4.16.0 #1
[   43.177475] Hardware name: LENOVO 80UE/VIUU4, BIOS 2UCN10T 10/14/2016
[   43.177481] RIP: 0010:__video_register_device+0xc99/0x1090 [videodev]
[   43.177482] RSP: 0000:ffffa5c5c231b420 EFLAGS: 00010202
[   43.177484] RAX: 0000000000000000 RBX: 0000000000000005 RCX: 0000000000000000
[   43.177485] RDX: ffffffffc0c44cc0 RSI: ffffffffffffffff RDI: ffffffffc0c44cc0
[   43.177486] RBP: ffffa5c5c231b478 R08: ffffffffc0c96900 R09: ffff8eda1a51f018
[   43.177487] R10: 0000000000000600 R11: 00000000000003b6 R12: 0000000000000000
[   43.177488] R13: 0000000000000005 R14: ffffffffc0c96900 R15: ffff8eda1d6d91c0
[   43.177489] FS:  00007fd2d8ef2480(0000) GS:ffff8eda33480000(0000) knlGS:0000000000000000
[   43.177490] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   43.177491] CR2: 00007ffe0a6ad01c CR3: 0000000456ae2004 CR4: 00000000003606e0
[   43.177492] Call Trace:
[   43.177498]  ? devres_add+0x5f/0x70
[   43.177502]  rmi_f54_probe+0x437/0x470 [rmi_core]
[   43.177505]  rmi_function_probe+0x25/0x30 [rmi_core]
[   43.177507]  driver_probe_device+0x310/0x480
[   43.177509]  __device_attach_driver+0x86/0x100
[   43.177511]  ? __driver_attach+0xf0/0xf0
[   43.177512]  bus_for_each_drv+0x6b/0xb0
[   43.177514]  __device_attach+0xdd/0x160
[   43.177516]  device_initial_probe+0x13/0x20
[   43.177518]  bus_probe_device+0x95/0xa0
[   43.177519]  device_add+0x44b/0x680
[   43.177522]  rmi_register_function+0x62/0xd0 [rmi_core]
[   43.177525]  rmi_create_function+0x112/0x1a0 [rmi_core]
[   43.177527]  ? rmi_driver_clear_irq_bits+0xc0/0xc0 [rmi_core]
[   43.177530]  rmi_scan_pdt+0xca/0x1a0 [rmi_core]
[   43.177535]  rmi_init_functions+0x5b/0x120 [rmi_core]
[   43.177537]  rmi_driver_probe+0x152/0x3c0 [rmi_core]
[   43.177547]  ? sysfs_create_link+0x25/0x40
[   43.177549]  driver_probe_device+0x310/0x480
[   43.177551]  __device_attach_driver+0x86/0x100
[   43.177553]  ? __driver_attach+0xf0/0xf0
[   43.177554]  bus_for_each_drv+0x6b/0xb0
[   43.177556]  __device_attach+0xdd/0x160
[   43.177558]  device_initial_probe+0x13/0x20
[   43.177560]  bus_probe_device+0x95/0xa0
[   43.177561]  device_add+0x44b/0x680
[   43.177564]  rmi_register_transport_device+0x84/0x100 [rmi_core]
[   43.177568]  rmi_input_configured+0xbf/0x1a0 [hid_rmi]
[   43.177571]  ? input_allocate_device+0xdf/0xf0
[   43.177574]  hidinput_connect+0x4a9/0x37a0 [hid]
[   43.177578]  hid_connect+0x326/0x3d0 [hid]
[   43.177581]  hid_hw_start+0x42/0x70 [hid]
[   43.177583]  rmi_probe+0x115/0x510 [hid_rmi]
[   43.177586]  hid_device_probe+0xd3/0x150 [hid]
[   43.177588]  ? sysfs_create_link+0x25/0x40
[   43.177590]  driver_probe_device+0x310/0x480
[   43.177592]  __driver_attach+0xbf/0xf0
[   43.177593]  ? driver_probe_device+0x480/0x480
[   43.177595]  bus_for_each_dev+0x74/0xb0
[   43.177597]  ? kmem_cache_alloc_trace+0x1a6/0x1c0
[   43.177599]  driver_attach+0x1e/0x20
[   43.177600]  bus_add_driver+0x167/0x260
[   43.177602]  ? 0xffffffffc0cbc000
[   43.177604]  driver_register+0x60/0xe0
[   43.177605]  ? 0xffffffffc0cbc000
[   43.177607]  __hid_register_driver+0x63/0x70 [hid]
[   43.177610]  rmi_driver_init+0x23/0x1000 [hid_rmi]
[   43.177612]  do_one_initcall+0x52/0x191
[   43.177615]  ? _cond_resched+0x19/0x40
[   43.177617]  ? kmem_cache_alloc_trace+0xa2/0x1c0
[   43.177619]  ? do_init_module+0x27/0x209
[   43.177621]  do_init_module+0x5f/0x209
[   43.177623]  load_module+0x1987/0x1f10
[   43.177626]  ? ima_post_read_file+0x96/0xa0
[   43.177629]  SYSC_finit_module+0xfc/0x120
[   43.177630]  ? SYSC_finit_module+0xfc/0x120
[   43.177632]  SyS_finit_module+0xe/0x10
[   43.177634]  do_syscall_64+0x73/0x130
[   43.177637]  entry_SYSCALL_64_after_hwframe+0x3d/0xa2
[   43.177638] RIP: 0033:0x7fd2d880b839
[   43.177639] RSP: 002b:00007ffe0a6b2368 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
[   43.177641] RAX: ffffffffffffffda RBX: 000055cdd86542e0 RCX: 00007fd2d880b839
[   43.177641] RDX: 0000000000000000 RSI: 00007fd2d84ea0e5 RDI: 0000000000000016
[   43.177642] RBP: 00007fd2d84ea0e5 R08: 0000000000000000 R09: 00007ffe0a6b2480
[   43.177643] R10: 0000000000000016 R11: 0000000000000246 R12: 0000000000000000
[   43.177644] R13: 000055cdd8688930 R14: 0000000000020000 R15: 000055cdd86542e0
[   43.177645] Code: 48 c7 c7 54 b4 c3 c0 e8 96 9d ec dd e9 d4 fb ff ff 0f 0b 41 be ea ff ff ff e9 c7 fb ff ff 0f 0b 41 be ea ff ff ff e9 ba fb ff ff <0f> 0b e9 d8 f4 ff ff 83 fa 01 0f 84 c4 02 00 00 48 83 78 68 00
[   43.177675] ---[ end trace d44d9bc41477c2dd ]---
[   43.177679] BUG: unable to handle kernel NULL pointer dereference at 0000000000000499
[   43.177723] IP: __video_register_device+0x1cc/0x1090 [videodev]
[   43.177749] PGD 0 P4D 0
[   43.177764] Oops: 0000 [#1] SMP PTI
[   43.177780] Modules linked in: hid_sensor_custom hid_sensor_als hid_sensor_incl_3d hid_sensor_rotation hid_sensor_magn_3d hid_sensor_accel_3d hid_sensor_gyro_3d hid_sensor_trigger industrialio_triggered_buffer kfifo_buf joydev hid_sensor_iio_common hid_rmi(+) rmi_core industrialio videobuf2_vmalloc videobuf2_memops videobuf2_v4l2 videobuf2_common videodev hid_multitouch media hid_sensor_hub binfmt_misc nls_iso8859_1 snd_hda_codec_hdmi arc4 snd_soc_skl snd_soc_skl_ipc snd_hda_ext_core snd_soc_sst_dsp snd_soc_sst_ipc snd_hda_codec_realtek snd_soc_acpi snd_hda_codec_generic snd_soc_core snd_compress ac97_bus snd_pcm_dmaengine snd_hda_intel snd_hda_codec intel_rapl snd_hda_core x86_pkg_temp_thermal snd_hwdep intel_powerclamp coretemp snd_pcm kvm_intel snd_seq_midi snd_seq_midi_event snd_rawmidi crct10dif_pclmul
[   43.178055]  crc32_pclmul ghash_clmulni_intel iwlmvm pcbc mac80211 snd_seq aesni_intel iwlwifi aes_x86_64 snd_seq_device crypto_simd glue_helper cryptd snd_timer intel_cstate intel_rapl_perf input_leds serio_raw intel_wmi_thunderbolt snd wmi_bmof cfg80211 soundcore ideapad_laptop sparse_keymap idma64 virt_dma tpm_crb acpi_pad int3400_thermal acpi_thermal_rel intel_pch_thermal processor_thermal_device mac_hid int340x_thermal_zone mei_me intel_soc_dts_iosf mei intel_lpss_pci shpchp intel_lpss sch_fq_codel vfio_pci nfsd vfio_virqfd parport_pc ppdev auth_rpcgss nfs_acl lockd grace lp parport sunrpc ip_tables x_tables autofs4 hid_logitech_hidpp hid_logitech_dj hid_generic usbhid kvmgt vfio_mdev mdev vfio_iommu_type1 vfio kvm irqbypass i915 i2c_algo_bit drm_kms_helper syscopyarea sdhci_pci sysfillrect
[   43.178337]  sysimgblt cqhci fb_sys_fops sdhci drm i2c_hid wmi hid video pinctrl_sunrisepoint pinctrl_intel
[   43.178380] CPU: 1 PID: 711 Comm: systemd-udevd Tainted: G        W        4.16.0 #1
[   43.178411] Hardware name: LENOVO 80UE/VIUU4, BIOS 2UCN10T 10/14/2016
[   43.178441] RIP: 0010:__video_register_device+0x1cc/0x1090 [videodev]
[   43.178467] RSP: 0000:ffffa5c5c231b420 EFLAGS: 00010202
[   43.178490] RAX: ffffffffc0c44cc0 RBX: 0000000000000005 RCX: ffffffffc0c454c0
[   43.178519] RDX: 0000000000000001 RSI: ffff8eda1d6d9118 RDI: ffffffffc0c44cc0
[   43.178549] RBP: ffffa5c5c231b478 R08: ffffffffc0c96900 R09: ffff8eda1a51f018
[   43.178579] R10: 0000000000000600 R11: 00000000000003b6 R12: 0000000000000000
[   43.178608] R13: 0000000000000005 R14: ffffffffc0c96900 R15: ffff8eda1d6d91c0
[   43.178636] FS:  00007fd2d8ef2480(0000) GS:ffff8eda33480000(0000) knlGS:0000000000000000
[   43.178669] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   43.178693] CR2: 0000000000000499 CR3: 0000000456ae2004 CR4: 00000000003606e0
[   43.178721] Call Trace:
[   43.178736]  ? devres_add+0x5f/0x70
[   43.178755]  rmi_f54_probe+0x437/0x470 [rmi_core]
[   43.178779]  rmi_function_probe+0x25/0x30 [rmi_core]
[   43.178805]  driver_probe_device+0x310/0x480
[   43.178828]  __device_attach_driver+0x86/0x100
[   43.178851]  ? __driver_attach+0xf0/0xf0
[   43.178884]  bus_for_each_drv+0x6b/0xb0
[   43.178904]  __device_attach+0xdd/0x160
[   43.178925]  device_initial_probe+0x13/0x20
[   43.178948]  bus_probe_device+0x95/0xa0
[   43.178968]  device_add+0x44b/0x680
[   43.178987]  rmi_register_function+0x62/0xd0 [rmi_core]
[   43.181747]  rmi_create_function+0x112/0x1a0 [rmi_core]
[   43.184677]  ? rmi_driver_clear_irq_bits+0xc0/0xc0 [rmi_core]
[   43.187505]  rmi_scan_pdt+0xca/0x1a0 [rmi_core]
[   43.190171]  rmi_init_functions+0x5b/0x120 [rmi_core]
[   43.192809]  rmi_driver_probe+0x152/0x3c0 [rmi_core]
[   43.195403]  ? sysfs_create_link+0x25/0x40
[   43.198253]  driver_probe_device+0x310/0x480
[   43.201083]  __device_attach_driver+0x86/0x100
[   43.203800]  ? __driver_attach+0xf0/0xf0
[   43.206503]  bus_for_each_drv+0x6b/0xb0
[   43.209291]  __device_attach+0xdd/0x160
[   43.212207]  device_initial_probe+0x13/0x20
[   43.215146]  bus_probe_device+0x95/0xa0
[   43.217885]  device_add+0x44b/0x680
[   43.220597]  rmi_register_transport_device+0x84/0x100 [rmi_core]
[   43.223321]  rmi_input_configured+0xbf/0x1a0 [hid_rmi]
[   43.226051]  ? input_allocate_device+0xdf/0xf0
[   43.228814]  hidinput_connect+0x4a9/0x37a0 [hid]
[   43.231701]  hid_connect+0x326/0x3d0 [hid]
[   43.234548]  hid_hw_start+0x42/0x70 [hid]
[   43.237302]  rmi_probe+0x115/0x510 [hid_rmi]
[   43.239862]  hid_device_probe+0xd3/0x150 [hid]
[   43.242558]  ? sysfs_create_link+0x25/0x40
[   43.242828] audit: type=1400 audit(1522795151.600:4): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/snap/core/4206/usr/lib/snapd/snap-confine" pid=1151 comm="apparmor_parser"
[   43.244859]  driver_probe_device+0x310/0x480
[   43.244862]  __driver_attach+0xbf/0xf0
[   43.246982] audit: type=1400 audit(1522795151.600:5): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/snap/core/4206/usr/lib/snapd/snap-confine//mount-namespace-capture-helper" pid=1151 comm="apparmor_parser"
[   43.249403]  ? driver_probe_device+0x480/0x480
[   43.249405]  bus_for_each_dev+0x74/0xb0
[   43.253200] audit: type=1400 audit(1522795151.600:6): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/snap/core/4206/usr/lib/snapd/snap-confine//snap_update_ns" pid=1151 comm="apparmor_parser"
[   43.254055]  ? kmem_cache_alloc_trace+0x1a6/0x1c0
[   43.256282] audit: type=1400 audit(1522795151.604:7): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/sbin/dhclient" pid=1152 comm="apparmor_parser"
[   43.258436]  driver_attach+0x1e/0x20
[   43.260875] audit: type=1400 audit(1522795151.604:8): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/lib/NetworkManager/nm-dhcp-client.action" pid=1152 comm="apparmor_parser"
[   43.263118]  bus_add_driver+0x167/0x260
[   43.267676] audit: type=1400 audit(1522795151.604:9): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/lib/NetworkManager/nm-dhcp-helper" pid=1152 comm="apparmor_parser"
[   43.268807]  ? 0xffffffffc0cbc000
[   43.268812]  driver_register+0x60/0xe0
[   43.271184] audit: type=1400 audit(1522795151.604:10): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/lib/connman/scripts/dhclient-script" pid=1152 comm="apparmor_parser"
[   43.274081]  ? 0xffffffffc0cbc000
[   43.274086]  __hid_register_driver+0x63/0x70 [hid]
[   43.288367]  rmi_driver_init+0x23/0x1000 [hid_rmi]
[   43.291501]  do_one_initcall+0x52/0x191
[   43.292348] audit: type=1400 audit(1522795151.652:11): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/bin/man" pid=1242 comm="apparmor_parser"
[   43.294212]  ? _cond_resched+0x19/0x40
[   43.300028]  ? kmem_cache_alloc_trace+0xa2/0x1c0
[   43.303475]  ? do_init_module+0x27/0x209
[   43.306842]  do_init_module+0x5f/0x209
[   43.310269]  load_module+0x1987/0x1f10
[   43.313704]  ? ima_post_read_file+0x96/0xa0
[   43.317174]  SYSC_finit_module+0xfc/0x120
[   43.320754]  ? SYSC_finit_module+0xfc/0x120
[   43.324065]  SyS_finit_module+0xe/0x10
[   43.327387]  do_syscall_64+0x73/0x130
[   43.330909]  entry_SYSCALL_64_after_hwframe+0x3d/0xa2
[   43.334305] RIP: 0033:0x7fd2d880b839
[   43.337810] RSP: 002b:00007ffe0a6b2368 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
[   43.341259] RAX: ffffffffffffffda RBX: 000055cdd86542e0 RCX: 00007fd2d880b839
[   43.344613] RDX: 0000000000000000 RSI: 00007fd2d84ea0e5 RDI: 0000000000000016
[   43.347962] RBP: 00007fd2d84ea0e5 R08: 0000000000000000 R09: 00007ffe0a6b2480
[   43.351456] R10: 0000000000000016 R11: 0000000000000246 R12: 0000000000000000
[   43.354845] R13: 000055cdd8688930 R14: 0000000000020000 R15: 000055cdd86542e0
[   43.358224] Code: c7 05 ad 12 02 00 00 00 00 00 48 8d 88 00 08 00 00 eb 09 48 83 c0 08 48 39 c1 74 31 48 8b 10 48 85 d2 74 ef 49 8b b7 98 04 00 00 <48> 39 b2 98 04 00 00 75 df 48 63 92 f8 04 00 00 f0 48 0f ab 15
[   43.361764] RIP: __video_register_device+0x1cc/0x1090 [videodev] RSP: ffffa5c5c231b420
[   43.365281] CR2: 0000000000000499

This patch fixes the array size and changes the WARN_ON() to return an error,
instead of letting the Kernel to proceed with registering.

Cc: stable@vger.kernel.org
Reported-by: Peter Geis <pgwipeout@gmail.com>
Reported-by: Jaak Ristioja <jaak@ristioja.ee>
Reported-by: MichaƂ Siemek <mihau69@gmail.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
---
 drivers/media/v4l2-core/v4l2-dev.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff mbox

Patch

diff --git a/drivers/media/v4l2-core/v4l2-dev.c b/drivers/media/v4l2-core/v4l2-dev.c
index 0301fe426a43..cc95d6023d57 100644
--- a/drivers/media/v4l2-core/v4l2-dev.c
+++ b/drivers/media/v4l2-core/v4l2-dev.c
@@ -93,7 +93,7 @@  ATTRIBUTE_GROUPS(video_device);
  */
 static struct video_device *video_device[VIDEO_NUM_DEVICES];
 static DEFINE_MUTEX(videodev_lock);
-static DECLARE_BITMAP(devnode_nums[VFL_TYPE_MAX], VIDEO_NUM_DEVICES);
+static DECLARE_BITMAP(devnode_nums[VFL_TYPE_MAX + 1], VIDEO_NUM_DEVICES);
 
 /* Device node utility functions */
 
@@ -942,7 +942,11 @@  int __video_register_device(struct video_device *vdev,
 	devnode_set(vdev);
 
 	/* Should not happen since we thought this minor was free */
-	WARN_ON(video_device[vdev->minor] != NULL);
+	if (WARN_ON(video_device[vdev->minor])) {
+		mutex_unlock(&videodev_lock);
+		printk(KERN_ERR "video_device not empty!\n");
+		return -ENFILE;
+	}
 	vdev->index = get_index(vdev);
 	video_device[vdev->minor] = vdev;
 	mutex_unlock(&videodev_lock);