From: Sasha Levin
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Thomas Zimmermann, Daniel Vetter, Gerd Hoffmann, Dave Airlie, Alex Deucher, Noralf Trønnes, Sam Ravnborg, Laurent Pinchart, Sasha Levin, dri-devel@lists.freedesktop.org
Subject: [PATCH AUTOSEL 5.7 104/274] drm/ast: Allocate initial CRTC state of the correct size
Date: Mon, 8 Jun 2020 19:03:17 -0400
Message-Id: <20200608230607.3361041-104-sashal@kernel.org>
X-Mailer: git-send-email 2.25.1
In-Reply-To: <20200608230607.3361041-1-sashal@kernel.org>
References: <20200608230607.3361041-1-sashal@kernel.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
X-stable: review
X-Patchwork-Hint: Ignore
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org
From: Thomas Zimmermann

[ Upstream commit f0adbc382b8bb46a2467c4e5e1027763a197c8e1 ]

The ast driver inherits from DRM's CRTC state, but still uses the atomic
helper for struct drm_crtc_funcs.reset, drm_atomic_helper_crtc_reset().
The helper only allocates enough memory for the core CRTC state. That
results in an out-of-bounds access when duplicating the initial CRTC
state. Simplified backtrace shown below:

[   21.469321] ==================================================================
[   21.469434] BUG: KASAN: slab-out-of-bounds in ast_crtc_atomic_duplicate_state+0x84/0x100 [ast]
[   21.469445] Read of size 8 at addr ffff888036c1c5f8 by task systemd-udevd/382
[   21.469451]
[   21.469464] CPU: 2 PID: 382 Comm: systemd-udevd Tainted: G            E     5.5.0-rc6-1-default+ #214
[   21.469473] Hardware name: Sun Microsystems SUN FIRE X2270 M2/SUN FIRE X2270 M2, BIOS 2.05 07/01/2010
[   21.469480] Call Trace:
[   21.469501]  dump_stack+0xb8/0x110
[   21.469528]  print_address_description.constprop.0+0x1b/0x1e0
[   21.469557]  ? ast_crtc_atomic_duplicate_state+0x84/0x100 [ast]
[   21.469581]  ? ast_crtc_atomic_duplicate_state+0x84/0x100 [ast]
[   21.469597]  __kasan_report.cold+0x1a/0x35
[   21.469640]  ? ast_crtc_atomic_duplicate_state+0x84/0x100 [ast]
[   21.469665]  kasan_report+0xe/0x20
[   21.469693]  ast_crtc_atomic_duplicate_state+0x84/0x100 [ast]
[   21.469733]  drm_atomic_get_crtc_state+0xbf/0x1c0
[   21.469768]  __drm_atomic_helper_set_config+0x81/0x5a0
[   21.469803]  ? drm_atomic_plane_check+0x690/0x690
[   21.469843]  ? drm_client_rotation+0xae/0x240
[   21.469876]  drm_client_modeset_commit_atomic+0x230/0x390
[   21.469888]  ? __mutex_lock+0x8f0/0xbe0
[   21.469929]  ? drm_client_firmware_config.isra.0+0xa60/0xa60
[   21.469948]  ? drm_client_modeset_commit_force+0x28/0x230
[   21.470031]  ? memset+0x20/0x40
[   21.470078]  drm_client_modeset_commit_force+0x90/0x230
[   21.470110]  drm_fb_helper_restore_fbdev_mode_unlocked+0x5f/0xc0
[   21.470132]  drm_fb_helper_set_par+0x59/0x70
[   21.470155]  fbcon_init+0x61d/0xad0
[   21.470185]  ? drm_fb_helper_restore_fbdev_mode_unlocked+0xc0/0xc0
[   21.470232]  visual_init+0x187/0x240
[   21.470266]  do_bind_con_driver+0x2e3/0x460
[   21.470321]  do_take_over_console+0x20a/0x290
[   21.470371]  do_fbcon_takeover+0x85/0x100
[   21.470402]  register_framebuffer+0x2fd/0x490
[   21.470425]  ? kzalloc.constprop.0+0x10/0x10
[   21.470503]  __drm_fb_helper_initial_config_and_unlock+0xf2/0x140
[   21.470533]  drm_fbdev_client_hotplug+0x162/0x250
[   21.470563]  drm_fbdev_generic_setup+0xd2/0x155
[   21.470602]  ast_driver_load+0x688/0x850 [ast]
<...>
[   21.472625] ==================================================================

Allocating enough memory for struct ast_crtc_state in a custom ast CRTC
reset handler fixes the problem.

v2:
	* implement according to drm_atomic_helper_crtc_reset()
	* update state with __drm_atomic_helper_crtc_reset()

Signed-off-by: Thomas Zimmermann
Fixes: 83be6a3ceb11 ("drm/ast: Introduce struct ast_crtc_state")
Reviewed-by: Daniel Vetter
Cc: Gerd Hoffmann
Cc: Dave Airlie
Cc: Daniel Vetter
Cc: Alex Deucher
Cc: "Noralf Trønnes"
Cc: Sam Ravnborg
Cc: Laurent Pinchart
Link: https://patchwork.freedesktop.org/patch/msgid/20200130094012.32140-1-tzimmermann@suse.de
Signed-off-by: Sasha Levin
---
 drivers/gpu/drm/ast/ast_mode.c | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/drivers/gpu/drm/ast/ast_mode.c b/drivers/gpu/drm/ast/ast_mode.c
index cdd6c46d6557..7a9f20a2fd30 100644
--- a/drivers/gpu/drm/ast/ast_mode.c
+++ b/drivers/gpu/drm/ast/ast_mode.c
@@ -881,6 +881,17 @@ static const struct drm_crtc_helper_funcs ast_crtc_helper_funcs = { .atomic_disable = ast_crtc_helper_atomic_disable, }; +static void ast_crtc_reset(struct drm_crtc *crtc) +{ + struct ast_crtc_state *ast_state = + kzalloc(sizeof(*ast_state), GFP_KERNEL); + + if (crtc->state) + crtc->funcs->atomic_destroy_state(crtc, crtc->state); + + __drm_atomic_helper_crtc_reset(crtc, &ast_state->base); +} + static void ast_crtc_destroy(struct drm_crtc *crtc) { drm_crtc_cleanup(crtc); 
@@ -919,7 +930,7 @@ static void ast_crtc_atomic_destroy_state(struct drm_crtc *crtc, } static const struct drm_crtc_funcs ast_crtc_funcs = { - .reset = drm_atomic_helper_crtc_reset, + .reset = ast_crtc_reset, .set_config = drm_crtc_helper_set_config, .gamma_set = drm_atomic_helper_legacy_gamma_set, .destroy = ast_crtc_destroy, -- 2.25.1
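Review bot: in the first hunk (@@ -881), the kzalloc() result in ast_crtc_reset() is never checked before `&ast_state->base` is taken, so a failed allocation hands __drm_atomic_helper_crtc_reset() a pointer derived from NULL; that is only harmless if `base` is the first member of struct ast_crtc_state, which this hunk does not show. The helper this function is modelled on (drm_atomic_helper_crtc_reset(), per the commit message) passes a NULL state through explicitly, so the same shape here would be clearer and safe regardless of layout: `if (!ast_state) { __drm_atomic_helper_crtc_reset(crtc, NULL); return; }` after the old state has been destroyed. A one-line comment above the function saying that the generic helper cannot be used because it sizes its allocation by the core struct would also save the next reader a trip to the commit log.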
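Review bot: the second hunk (@@ -919) only swaps `.reset` to ast_crtc_reset, and that is consistent with the driver-specific `.atomic_destroy_state` that the new reset handler reaches through crtc->funcs (ast_crtc_atomic_destroy_state is visible in the hunk context). For the 5.7 backport it is worth confirming that `.atomic_duplicate_state` in this table is still ast_crtc_atomic_duplicate_state, since that is the function the KASAN report names, and a KASAN boot of the patched driver would show the slab-out-of-bounds read gone.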