Subject: Re: [PATCH] fbdev: Detect integer underflow at "struct fbcon_ops"->clear_margins.
From: Tetsuo Handa
To: Bartlomiej Zolnierkiewicz
Cc: Greg Kroah-Hartman, Jiri Slaby, linux-fbdev@vger.kernel.org, dri-devel@lists.freedesktop.org, Dmitry Vyukov, linux-kernel@vger.kernel.org, George Kennedy, Dan Carpenter
Date: Tue, 14 Jul 2020 19:27:46 +0900
References: <189fc902-db7c-9886-cc31-c0348435303a@i-love.sakura.ne.jp> <20200712111013.11881-1-penguin-kernel@I-love.SAKURA.ne.jp> <20200712111013.11881-2-penguin-kernel@I-love.SAKURA.ne.jp>
List-ID: linux-kernel@vger.kernel.org

On 2020/07/14 16:22, Bartlomiej Zolnierkiewicz wrote:
> How does this patch relate to:
>
> https://marc.info/?l=linux-fbdev&m=159415024816722&w=2
>
> ?
>
> It seems to address the same issue, I've added George and Dan to Cc:.

George Kennedy's patch does not help for my case. You can try a.out built from
----------
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <sys/ioctl.h>
#include <linux/fb.h>

int main(int argc, char *argv[])
{
	/* O_ACCMODE (== 3) opens the device for ioctl only, neither read nor write. */
	const int fd = open("/dev/fb0", O_ACCMODE);
	struct fb_var_screeninfo var = { };

	ioctl(fd, FBIOGET_VSCREENINFO, &var);
	/* Shrink the visible resolution far below what the console text grid needs. */
	var.xres = var.yres = 16;
	ioctl(fd, FBIOPUT_VSCREENINFO, &var);
	return 0;
}
----------
with a fault injection patch
----------
--- a/drivers/tty/vt/vt.c
+++ b/drivers/tty/vt/vt.c
@@ -1214,6 +1214,10 @@ static int vc_do_resize(struct tty_struct *tty, struct vc_data *vc,
 	if (new_screen_size > KMALLOC_MAX_SIZE)
 		return -EINVAL;
+	if (!strcmp(current->comm, "a.out")) {
+		printk(KERN_INFO "Forcing memory allocation failure.\n");
+		return -ENOMEM;
+	}
 	newscreen = kzalloc(new_screen_size, GFP_USER);
 	if (!newscreen)
 		return -ENOMEM;
----------
.

What my patch works around is the case where vc_do_resize() did not update vc->vc_{cols,rows}. Unless vc->vc_{cols,rows} are updated by vc_do_resize() in a way that avoids integer underflow at

	unsigned int rw = info->var.xres - (vc->vc_cols*cw);
	unsigned int bh = info->var.yres - (vc->vc_rows*ch);

, this crash won't go away.

[ 39.995757][ T2788] Forcing memory allocation failure.
[ 39.996527][ T2788] BUG: unable to handle page fault for address: ffffa9d180d7b000
[ 39.996529][ T2788] #PF: supervisor write access in kernel mode
[ 39.996530][ T2788] #PF: error_code(0x0002) - not-present page
[ 39.996531][ T2788] PGD 13a48c067 P4D 13a48c067 PUD 13a48d067 PMD 1324e4067 PTE 0
[ 39.996547][ T2788] Oops: 0002 [#1] SMP
[ 39.996550][ T2788] CPU: 2 PID: 2788 Comm: a.out Not tainted 5.8.0-rc5+ #757
[ 39.996551][ T2788] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 02/27/2020
[ 39.996555][ T2788] RIP: 0010:bitfill_aligned+0x87/0x120 [cfbfillrect]
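Review bot: the added `if (!strcmp(current->comm, "a.out"))` branch in the vc_do_resize() hunk keys the forced -ENOMEM off a process name, so it is a debug-only reproduction aid and must not travel with the real fix; for a reproducer that others can run without rebuilding the kernel, the in-tree failslab fault injection (CONFIG_FAILSLAB, controlled under /sys/kernel/debug/failslab) can make the following kzalloc() fail in the same way. The hunk is otherwise self-consistent: it returns before kzalloc() so no partially initialised newscreen is left behind.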
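As an added illustration (not part of Tetsuo's mail or of the kernel code), the C program below replays the two quoted margin expressions with constructed values mirroring the reproducer (xres/yres forced to 16 while vc_cols/vc_rows still describe an 80x25 console with an 8x16 font; those numbers are assumptions) and shows a bounds check that turns the silent unsigned wrap-around into a detected "nothing to clear" result instead of a huge fill length.

```c
#include <stdio.h>

/* Unchecked margin, the exact shape of the two quoted lines:
 *   rw = info->var.xres - vc->vc_cols * cw;
 * In unsigned arithmetic this wraps silently whenever the text area
 * (cells * cell_px) no longer fits the shrunken framebuffer (res). */
unsigned int unchecked_margin(unsigned int res, unsigned int cells, unsigned int cell_px)
{
	return res - cells * cell_px;
}

/* Checked margin: returns the pixel margin, or -1 when cells * cell_px
 * exceeds res, i.e. when vc_cols/vc_rows are stale relative to var.xres/
 * var.yres. The product is formed in 64 bits so it cannot wrap on its own. */
long long checked_margin(unsigned int res, unsigned int cells, unsigned int cell_px)
{
	unsigned long long text_px = (unsigned long long)cells * cell_px;

	if (text_px > res)
		return -1;	/* stale geometry: caller must skip clearing */
	return (long long)(res - (unsigned int)text_px);
}

int main(void)
{
	/* Constructed values (assumption): the reproducer sets xres = yres = 16
	 * while the console still believes it is 80x25 with an 8x16 font. */
	const unsigned int xres = 16, yres = 16, cols = 80, rows = 25, cw = 8, ch = 16;

	printf("unchecked rw=%u bh=%u\n",
	       unchecked_margin(xres, cols, cw), unchecked_margin(yres, rows, ch));
	printf("checked   rw=%lld bh=%lld (-1 = underflow detected, skip clearing)\n",
	       checked_margin(xres, cols, cw), checked_margin(yres, rows, ch));
	return 0;
}
```

With the stale geometry the unchecked rw/bh come out near 4 billion, which is the fill length that reaches bitfill_aligned() in the oops above; the checked variant reports -1 for both.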