Received: by 2002:a05:6358:53a8:b0:117:f937:c515 with SMTP id z40csp2603180rwe; Sun, 16 Apr 2023 01:10:34 -0700 (PDT) X-Google-Smtp-Source: AKy350aCWYTSXYNzw1BGiVyPcB99ZDmyKJeWZ883aiwvPWkR4I7IJf1v0RtpIHLLD5VJ32fdc5dn X-Received: by 2002:a05:6a20:9390:b0:ef:1a7e:8757 with SMTP id x16-20020a056a20939000b000ef1a7e8757mr3606103pzh.46.1681632633938; Sun, 16 Apr 2023 01:10:33 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1681632633; cv=none; d=google.com; s=arc-20160816; b=kF6TQ7UYX7IZw9rCyK/ozTRs2wCyukxog7S5LtNadyxpbDjVo6hRF6JfgExjgGyKKn YVwgjCiKo9+EierdjCI0O68P+y22DSrWGo/24gvviMBdnzeBGjZeDDhT2qSFXI8Ly3Od ROUXFb6S5Mz83V8F+dsQJckvazF5NAbww2yIwZmMr6s7EPal3pGYUIKHHsLsuEyKn/dK uruIPXwmREYIObaHJFRbDPSZsQuPV09aB/dM18VwzQwur8fB9X/uGYS0iu5NvJLQPq7E kQjICYsLYpj10FGzg8tI4LlJ3NVaeyjleJmAjYZ3T5txeyUTwLz+oD6GLFNSX2kUzsRy 3ngQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-transfer-encoding :content-disposition:mime-version:references:mail-followup-to :message-id:subject:cc:to:from:date:dkim-signature; bh=gtJHYf34q5XHBLZrbkb45GctzVWx9rTGSzHrSby/QgY=; b=y3+deQ4XqM5df3mMWktggigX5pDicvoTJBfKUK6bVkuhLPWLflbKQAuP1T0c0662fr 8tQV8H5CqkmeDNV9jhU/f9ZT6sCKXkKXv56c11u0NKZsgM4rDX9Tb6qwnPzjCR9AvCSw /hs9CYD44MmjR1RmXcOlSZ2L28zJ8bad8v5iDpC+cYsQekcC7Fr30m/JZRpXx2CB466W ZfmL1RrJj5SHJEu3rOUmW794joQE9BmrUe2WcbzXlgywHSusKQhpoRILdig98pKvEn/1 mvhiKjJ7r6IMmW53Pah2GihzuxrDJtvw+3YBQJjzzm8wwUT3T1LfGtcy5oDkjBH8t6hh 0d+A== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@ffwll.ch header.s=google header.b="Ti9/MRxS"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id 202-20020a6305d3000000b0051322a67375si9788071pgf.24.2023.04.16.01.10.21; Sun, 16 Apr 2023 01:10:33 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@ffwll.ch header.s=google header.b="Ti9/MRxS"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229593AbjDPH53 (ORCPT + 99 others); Sun, 16 Apr 2023 03:57:29 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:45708 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230029AbjDPH52 (ORCPT ); Sun, 16 Apr 2023 03:57:28 -0400 Received: from mail-ed1-x52e.google.com (mail-ed1-x52e.google.com [IPv6:2a00:1450:4864:20::52e]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 77D2A171C for ; Sun, 16 Apr 2023 00:57:26 -0700 (PDT) Received: by mail-ed1-x52e.google.com with SMTP id 4fb4d7f45d1cf-504d149839bso616386a12.1 for ; Sun, 16 Apr 2023 00:57:26 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ffwll.ch; s=google; t=1681631845; x=1684223845; h=in-reply-to:content-transfer-encoding:content-disposition :mime-version:references:mail-followup-to:message-id:subject:cc:to :from:date:from:to:cc:subject:date:message-id:reply-to; bh=gtJHYf34q5XHBLZrbkb45GctzVWx9rTGSzHrSby/QgY=; b=Ti9/MRxSRdzPWqW0RYwRLTtNr74qABkqHXVTl+On0YMEBP+42siv/ZnKkkrENKGSwr vzhbWHZYnWESgrIJLj6xjfyOiIuCYIy+zqBjQrJ2lckebH3UCf3YXhfDjpW1rVsbivBB t2dqKZCasMmqKxv9Z+LnZY1IwZ8Dur3VBSu2M= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1681631845; x=1684223845; h=in-reply-to:content-transfer-encoding:content-disposition :mime-version:references:mail-followup-to:message-id:subject:cc:to :from:date:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=gtJHYf34q5XHBLZrbkb45GctzVWx9rTGSzHrSby/QgY=; b=lm1ZJQeqPK+n66QINQKpSNNtrZ6BSXGkMnv52ZQ3PMfu9G/YzrZ4ks7b90jr8muqxm ggoemnpZKy0CgdX/xHJm24yzb/ANaMspftVGUd9ubHdfKxtV9FGaaiKus37VxTIisrAE lRJlTxcivQpowbCaBtPOogKwwuMwuOxh9d6YrbdmfTiJrqg3G69yMZr3ICB2yl0jFVya qKLrwsbuurhER6PRFE92TtfqjBXdiQtJyqm3ructEAhTqnbxRS5wtx7Tr/VI8vvudGmZ qpvZQohxUMHIoXwrmP6iyTrGqBA+szrX92DyeSKvAa3BSDUobj5idEVEZSFMVWxAIsFY ZJaA== X-Gm-Message-State: AAQBX9dlMzNR/MukmrFdIEPTqAqUmas5ykuvFgHjdEH+skPIPVM/XTcn 2Z41jWuSHbW2MPnOWk3BtfJpCg== X-Received: by 2002:a17:906:7a4e:b0:94e:d5d7:67eb with SMTP id i14-20020a1709067a4e00b0094ed5d767ebmr5972142ejo.5.1681631844811; Sun, 16 Apr 2023 00:57:24 -0700 (PDT) Received: from phenom.ffwll.local (212-51-149-33.fiber7.init7.net. [212.51.149.33]) by smtp.gmail.com with ESMTPSA id k18-20020a17090632d200b0094f05fee9d3sm2298246ejk.211.2023.04.16.00.57.23 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sun, 16 Apr 2023 00:57:24 -0700 (PDT) Date: Sun, 16 Apr 2023 09:57:22 +0200 From: Daniel Vetter To: Sui Jingfeng <15330273260@189.cn> Cc: Thomas Zimmermann , Maxime Ripard , David Airlie , Daniel Vetter , Sui Jingfeng , Li Yi , Javier Martinez Canillas , Helge Deller , Lucas De Marchi , linux-kernel@vger.kernel.org, linux-fbdev@vger.kernel.org, dri-devel@lists.freedesktop.org, loongson-kernel@lists.loongnix.cn Subject: Re: [PATCH v2] drm/fbdev-generic: prohibit potential out-of-bounds access Message-ID: Mail-Followup-To: Sui Jingfeng <15330273260@189.cn>, Thomas Zimmermann , Maxime Ripard , David Airlie , Sui Jingfeng , Li Yi , Javier Martinez Canillas , Helge Deller , Lucas De Marchi , linux-kernel@vger.kernel.org, linux-fbdev@vger.kernel.org, dri-devel@lists.freedesktop.org, loongson-kernel@lists.loongnix.cn References: <20230413180622.1014016-1-15330273260@189.cn> <32a1510e-d38a-ffb6-8e8d-026f8b3aa17a@189.cn> MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: <32a1510e-d38a-ffb6-8e8d-026f8b3aa17a@189.cn> X-Operating-System: Linux phenom 6.1.0-7-amd64 X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_NONE, SPF_HELO_NONE,SPF_NONE,T_SCC_BODY_TEXT_LINE,URIBL_BLOCKED autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Fri, Apr 14, 2023 at 06:58:53PM +0800, Sui Jingfeng wrote: > Hi, > > On 2023/4/14 03:16, Thomas Zimmermann wrote: > > Hi, > > > > thanks for the patch. This is effectively a revert of commit > > 8fbc9af55de0 ("drm/fbdev-generic: Set screen size to size of GEM > > buffer"). Please add a Fixes tag. > > > > Am 13.04.23 um 20:06 schrieb Sui Jingfeng: > > > From: Sui Jingfeng > > > > > > The crazy fbdev test of IGT may write after EOF, which lead to > > > out-of-bound > > > > Please drop 'crazy'. :) > > This is OK. > > By using the world 'crazy', > > I meant that the test is very good and maybe it is written by professional? > peoples > > with the guidance by? experienced? engineer. So that even the corner get > tested. 'thoroughly' would be better word to describe that I think. I think for the other discussions I've covered it all already in the other thread. -Daniel > > > > > > > access for the drm drivers using fbdev-generic. For example, run > > > fbdev test > > > on a x86-64+ast2400 platform with 1680x1050 resolution will cause > > > the linux > > > kernel hang with following call trace: > > > > > > ?? Oops: 0000 [#1] PREEMPT SMP PTI > > > ?? [IGT] fbdev: starting subtest eof > > > ?? Workqueue: events drm_fb_helper_damage_work [drm_kms_helper] > > > ?? [IGT] fbdev: starting subtest nullptr > > > > > > ?? RIP: 0010:memcpy_erms+0xa/0x20 > > > ?? RSP: 0018:ffffa17d40167d98 EFLAGS: 00010246 > > > ?? RAX: ffffa17d4eb7fa80 RBX: ffffa17d40e0aa80 RCX: 00000000000014c0 > > > ?? RDX: 0000000000001a40 RSI: ffffa17d40e0b000 RDI: ffffa17d4eb80000 > > > ?? RBP: ffffa17d40167e20 R08: 0000000000000000 R09: ffff89522ecff8c0 > > > ?? R10: ffffa17d4e4c5000 R11: 0000000000000000 R12: ffffa17d4eb7fa80 > > > ?? R13: 0000000000001a40 R14: 000000000000041a R15: ffffa17d40167e30 > > > ?? FS:? 0000000000000000(0000) GS:ffff895257380000(0000) > > > knlGS:0000000000000000 > > > ?? CS:? 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 > > > ?? CR2: ffffa17d40e0b000 CR3: 00000001eaeca006 CR4: 00000000001706e0 > > > ?? Call Trace: > > > ??? > > > ??? ? drm_fbdev_generic_helper_fb_dirty+0x207/0x330 [drm_kms_helper] > > > ??? drm_fb_helper_damage_work+0x8f/0x170 [drm_kms_helper] > > > ??? process_one_work+0x21f/0x430 > > > ??? worker_thread+0x4e/0x3c0 > > > ??? ? __pfx_worker_thread+0x10/0x10 > > > ??? kthread+0xf4/0x120 > > > ??? ? __pfx_kthread+0x10/0x10 > > > ??? ret_from_fork+0x2c/0x50 > > > ??? > > > ?? CR2: ffffa17d40e0b000 > > > ?? ---[ end trace 0000000000000000 ]--- > > > > > > The indirect reason is drm_fb_helper_memory_range_to_clip() generate > > > damage > > > rectangles which partially or completely go out of the active > > > display area. > > > The second of argument 'off' is passing from the user-space, this > > > will lead > > > to the out-of-bound if it is large than (fb_height + 1) * > > > fb_pitches; while > > > DIV_ROUND_UP() may also controbute to error by 1. > > > > > > This patch will add code to restrict the damage rect computed go > > > beyond of > > > the last line of the framebuffer. > > > > > > Signed-off-by: Sui Jingfeng > > > --- > > > ? drivers/gpu/drm/drm_fb_helper.c???? | 16 ++++++++++++---- > > > ? drivers/gpu/drm/drm_fbdev_generic.c |? 2 +- > > > ? 2 files changed, 13 insertions(+), 5 deletions(-) > > > > > > diff --git a/drivers/gpu/drm/drm_fb_helper.c > > > b/drivers/gpu/drm/drm_fb_helper.c > > > index 64458982be40..6bb1b8b27d7a 100644 > > > --- a/drivers/gpu/drm/drm_fb_helper.c > > > +++ b/drivers/gpu/drm/drm_fb_helper.c > > > @@ -641,19 +641,27 @@ static void drm_fb_helper_damage(struct > > > drm_fb_helper *helper, u32 x, u32 y, > > > ? static void drm_fb_helper_memory_range_to_clip(struct fb_info > > > *info, off_t off, size_t len, > > > ???????????????????????????? struct drm_rect *clip) > > > ? { > > > +??? u32 line_length = info->fix.line_length; > > > +??? u32 fb_height = info->var.yres; > > > ????? off_t end = off + len; > > > ????? u32 x1 = 0; > > > -??? u32 y1 = off / info->fix.line_length; > > > +??? u32 y1 = off / line_length; > > > ????? u32 x2 = info->var.xres; > > > -??? u32 y2 = DIV_ROUND_UP(end, info->fix.line_length); > > > +??? u32 y2 = DIV_ROUND_UP(end, line_length); > > > + > > > +??? /* Don't allow any of them beyond the bottom bound of display > > > area */ > > > +??? if (y1 > fb_height) > > > +??????? y1 = fb_height; > > > +??? if (y2 > fb_height) > > > +??????? y2 = fb_height; > > > ? ????? if ((y2 - y1) == 1) { > > > ????????? /* > > > ?????????? * We've only written to a single scanline. Try to reduce > > > ?????????? * the number of horizontal pixels that need an update. > > > ?????????? */ > > > -??????? off_t bit_off = (off % info->fix.line_length) * 8; > > > -??????? off_t bit_end = (end % info->fix.line_length) * 8; > > > +??????? off_t bit_off = (off % line_length) * 8; > > > +??????? off_t bit_end = (end % line_length) * 8; > > > > Please scratch all these changes. The current code should work as > > intended. Only the generic fbdev emulation uses this code and it should > > really be moved there at some point. > > > Are you meant? that we should remove all these changes in > drivers/gpu/drm/drm_fb_helper.c ? > > > But this changes are helps to prevent the damage box computed go out of > bound, > > the bound of the displayable shadow buffer on multiple display case. > > It is the minimum width x height which could be fit in for all > display/minotor. > > > For example, one is 1920x1080 monitor, another is 1280x800 monitor. > > connected to the motherboard simultaneously. > > > Then, 1920x1080x4 (suppose we are using the XRGB) scanout buffer will be > > allocate by the? GEM backend. But the the actual display area is 1280x800. > > This is true at least for my driver on my platform, In this case, > > ``` > > ?? info->var.xres ==1280; > > ?? info->var.yres == 800; > > ``` > > If don't restrict this, the damage box computed out of the bound of? (0, 0) > ~ (1280, 800) rectangle. > > a 1920x1080 damage box will came out. > > > When running fbdev test of IGT, the smaller screen display will be OK. > > but the larger screen, the area outsize of 1280x800 will also be written. > > The background color became completely white from completely black before > carry out the test, > > luckily, linux kernel do not hung, this time. > > > On multi-screen case, we still need to restrict the damage box computed, > > Do not go out of 1280x800,? right? > > > > > > > ? ????????? x1 = bit_off / info->var.bits_per_pixel; > > > ????????? x2 = DIV_ROUND_UP(bit_end, info->var.bits_per_pixel); > > > diff --git a/drivers/gpu/drm/drm_fbdev_generic.c > > > b/drivers/gpu/drm/drm_fbdev_generic.c > > > index 8e5148bf40bb..b057cfbba938 100644 > > > --- a/drivers/gpu/drm/drm_fbdev_generic.c > > > +++ b/drivers/gpu/drm/drm_fbdev_generic.c > > > @@ -94,7 +94,7 @@ static int > > > drm_fbdev_generic_helper_fb_probe(struct drm_fb_helper *fb_helper, > > > ????? fb_helper->buffer = buffer; > > > ????? fb_helper->fb = buffer->fb; > > > ? -??? screen_size = buffer->gem->size; > > > +??? screen_size = sizes->surface_height * buffer->fb->pitches[0]; > > > > I guess we simply go back to this line. I'd R-b a patch that does > > exactly this. > > > > But some explanation is in order. Maybe you can add this as a comment to > > the computation, as it's not obvious: > > > > The value of screen_size should actually be the size of the gem buffer. > > In a physical framebuffer (i.e., video memory), the size would be a > > multiple of the page size, but not necessarily a multiple of the screen > > resolution. There are also pan fbdev's operations, and we could possibly > > use DRM buffers that are not multiples of the screen width. But the > > update code requires the use of drm_framebuffer_funcs.dirty, which takes > > a clipping rectangle and therefore doesn't work well with these odd > > values for screen_size. > > > > Best regards > > Thomas > > > > > ????? screen_buffer = vzalloc(screen_size); > > > ????? if (!screen_buffer) { > > > ????????? ret = -ENOMEM; > > -- Daniel Vetter Software Engineer, Intel Corporation http://blog.ffwll.ch