Received: by 2002:a05:6358:9144:b0:117:f937:c515 with SMTP id r4csp712106rwr; Wed, 19 Apr 2023 11:57:34 -0700 (PDT) X-Google-Smtp-Source: AKy350YQjDHJDmx8/Z2PuG+BhZICRVfi8iZ7SvvMUtR0+lciZFK6xKkRu4W7gTB7CHy0OTjOaLa5 X-Received: by 2002:a05:6a00:2e0d:b0:63b:86a0:6a37 with SMTP id fc13-20020a056a002e0d00b0063b86a06a37mr5453962pfb.34.1681930654710; Wed, 19 Apr 2023 11:57:34 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1681930654; cv=none; d=google.com; s=arc-20160816; b=G4FGfm0MkybUuiwnBT9UR/EBDZtczL45I9yBAgqaU3xNL3qG6ADIei3WQPnvI57eSo 9CCgDagQqQcxIcIM0yeUIHk3LiRKmLchg497dzHqf24mSloyM+h9V56ZSdtkWtTXbha4 czSey5gahgaFwhjusmUwkM3ORj09OMAQFlqZKQw/gHEvy/mE4AATbUAOqTKxBrx4EIXP xVsLcEfOSsqKFCoLBabJoEMKMDAdmGQuHQyODn81O/uOMce44XxX9JIdwd+2qb+zbZsM ogVkSjpfnKR139eGQWuN1F2UWnseI+ExiGQb/OAYO8maLl2L1Jy23TMc86d23CtdACSo aylQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:in-reply-to:from :references:cc:to:content-language:subject:user-agent:mime-version :date:message-id:sender:hmm_source_type:hmm_attache_num :hmm_source_ip; bh=Ja6KZAwkv3W4zrLlWE2Bj47x8h3YhAeQH1vqtDuhYnI=; b=k1kpcJzYrqXxSnamEVVs97hqhmISIRXffd74LqPsUBJxrdXlsJL9lWb9U+34L8iJXo PGhNjtEHfGAsJ1xJcPVPU02L6VJb6uMaEIrx62RRXwk0YzL2wWDFkrPDkWr2qlLji76M zdKmNLmcaaonCk2fbOn91n1lw/8kMRwJPtISOzjyAZPKeuPhAYP/Qy8NRpjOtAVSprbz 8JYaRAo4C2JzxcqTGpl9lb/BN7x1psXdxTQgNqraeh5WcvAokPSYP7crYXp/Rt1VO5qb MdlF3GvKdcztGiknxlod02Atj9RyCHitC8C7uKwULmRjfluD2euthFETKvn5Ii2lsvgy Oe0w== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id a26-20020aa795ba000000b0063732344e2fsi10006573pfk.190.2023.04.19.11.57.20; Wed, 19 Apr 2023 11:57:34 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230373AbjDSSrd (ORCPT + 99 others); Wed, 19 Apr 2023 14:47:33 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:52070 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229458AbjDSSrb (ORCPT ); Wed, 19 Apr 2023 14:47:31 -0400 Received: from 189.cn (ptr.189.cn [183.61.185.104]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id CCDAE30DB; Wed, 19 Apr 2023 11:47:28 -0700 (PDT) HMM_SOURCE_IP: 10.64.8.43:37384.762674106 HMM_ATTACHE_NUM: 0000 HMM_SOURCE_TYPE: SMTP Received: from clientip-114.242.206.180 (unknown [10.64.8.43]) by 189.cn (HERMES) with SMTP id 139B7100295; Thu, 20 Apr 2023 02:47:25 +0800 (CST) Received: from ([114.242.206.180]) by gateway-151646-dep-7b48884fd-tj646 with ESMTP id 0c3658d8c1b14043811ce1ce3dd1f3fa for tzimmermann@suse.de; Thu, 20 Apr 2023 02:47:28 CST X-Transaction-ID: 0c3658d8c1b14043811ce1ce3dd1f3fa X-Real-From: 15330273260@189.cn X-Receive-IP: 114.242.206.180 X-MEDUSA-Status: 0 Sender: 15330273260@189.cn Message-ID: <95ef7589-9775-5ad4-f09c-43bcd696823a@189.cn> Date: Thu, 20 Apr 2023 02:47:24 +0800 MIME-Version: 1.0 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Thunderbird/102.10.0 Subject: Re: [PATCH v2] drm/fbdev-generic: prohibit potential out-of-bounds access Content-Language: en-US To: Thomas Zimmermann , Maxime Ripard , David Airlie , Daniel Vetter , Sui Jingfeng , Li Yi , Javier Martinez Canillas , Helge Deller , Lucas De Marchi Cc: linux-kernel@vger.kernel.org, linux-fbdev@vger.kernel.org, dri-devel@lists.freedesktop.org, loongson-kernel@lists.loongnix.cn References: <20230413180622.1014016-1-15330273260@189.cn> <32a1510e-d38a-ffb6-8e8d-026f8b3aa17a@189.cn> From: Sui Jingfeng <15330273260@189.cn> In-Reply-To: Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 8bit X-Spam-Status: No, score=-4.3 required=5.0 tests=BAYES_00, FREEMAIL_ENVFROM_END_DIGIT,FREEMAIL_FROM,FROM_LOCAL_DIGITS, FROM_LOCAL_HEX,NICE_REPLY_A,SPF_HELO_PASS,SPF_PASS, T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Hi, On 2023/4/17 15:29, Thomas Zimmermann wrote: > Hi > > Am 14.04.23 um 12:58 schrieb Sui Jingfeng: >> Hi, >> >> On 2023/4/14 03:16, Thomas Zimmermann wrote: >>> Hi, >>> >>> thanks for the patch. This is effectively a revert of commit >>> 8fbc9af55de0 ("drm/fbdev-generic: Set screen size to size of GEM >>> buffer"). Please add a Fixes tag. >>> >>> Am 13.04.23 um 20:06 schrieb Sui Jingfeng: >>>> From: Sui Jingfeng >>>> >>>> The crazy fbdev test of IGT may write after EOF, which lead to >>>> out-of-bound >>> >>> Please drop 'crazy'. :) >> >> This is OK. >> >> By using the world 'crazy', >> >> I meant that the test is very good and maybe it is written by >> professional  peoples >> >> with the guidance by  experienced  engineer. So that even the corner >> get tested. >> >> >>> >>>> access for the drm drivers using fbdev-generic. For example, run >>>> fbdev test >>>> on a x86-64+ast2400 platform with 1680x1050 resolution will cause >>>> the linux >>>> kernel hang with following call trace: >>>> >>>>    Oops: 0000 [#1] PREEMPT SMP PTI >>>>    [IGT] fbdev: starting subtest eof >>>>    Workqueue: events drm_fb_helper_damage_work [drm_kms_helper] >>>>    [IGT] fbdev: starting subtest nullptr >>>> >>>>    RIP: 0010:memcpy_erms+0xa/0x20 >>>>    RSP: 0018:ffffa17d40167d98 EFLAGS: 00010246 >>>>    RAX: ffffa17d4eb7fa80 RBX: ffffa17d40e0aa80 RCX: 00000000000014c0 >>>>    RDX: 0000000000001a40 RSI: ffffa17d40e0b000 RDI: ffffa17d4eb80000 >>>>    RBP: ffffa17d40167e20 R08: 0000000000000000 R09: ffff89522ecff8c0 >>>>    R10: ffffa17d4e4c5000 R11: 0000000000000000 R12: ffffa17d4eb7fa80 >>>>    R13: 0000000000001a40 R14: 000000000000041a R15: ffffa17d40167e30 >>>>    FS:  0000000000000000(0000) GS:ffff895257380000(0000) >>>> knlGS:0000000000000000 >>>>    CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033 >>>>    CR2: ffffa17d40e0b000 CR3: 00000001eaeca006 CR4: 00000000001706e0 >>>>    Call Trace: >>>>     >>>>     ? drm_fbdev_generic_helper_fb_dirty+0x207/0x330 [drm_kms_helper] >>>>     drm_fb_helper_damage_work+0x8f/0x170 [drm_kms_helper] >>>>     process_one_work+0x21f/0x430 >>>>     worker_thread+0x4e/0x3c0 >>>>     ? __pfx_worker_thread+0x10/0x10 >>>>     kthread+0xf4/0x120 >>>>     ? __pfx_kthread+0x10/0x10 >>>>     ret_from_fork+0x2c/0x50 >>>>     >>>>    CR2: ffffa17d40e0b000 >>>>    ---[ end trace 0000000000000000 ]--- >>>> >>>> The indirect reason is drm_fb_helper_memory_range_to_clip() >>>> generate damage >>>> rectangles which partially or completely go out of the active >>>> display area. >>>> The second of argument 'off' is passing from the user-space, this >>>> will lead >>>> to the out-of-bound if it is large than (fb_height + 1) * >>>> fb_pitches; while >>>> DIV_ROUND_UP() may also controbute to error by 1. >>>> >>>> This patch will add code to restrict the damage rect computed go >>>> beyond of >>>> the last line of the framebuffer. >>>> >>>> Signed-off-by: Sui Jingfeng >>>> --- >>>>   drivers/gpu/drm/drm_fb_helper.c     | 16 ++++++++++++---- >>>>   drivers/gpu/drm/drm_fbdev_generic.c |  2 +- >>>>   2 files changed, 13 insertions(+), 5 deletions(-) >>>> >>>> diff --git a/drivers/gpu/drm/drm_fb_helper.c >>>> b/drivers/gpu/drm/drm_fb_helper.c >>>> index 64458982be40..6bb1b8b27d7a 100644 >>>> --- a/drivers/gpu/drm/drm_fb_helper.c >>>> +++ b/drivers/gpu/drm/drm_fb_helper.c >>>> @@ -641,19 +641,27 @@ static void drm_fb_helper_damage(struct >>>> drm_fb_helper *helper, u32 x, u32 y, >>>>   static void drm_fb_helper_memory_range_to_clip(struct fb_info >>>> *info, off_t off, size_t len, >>>>                              struct drm_rect *clip) >>>>   { >>>> +    u32 line_length = info->fix.line_length; >>>> +    u32 fb_height = info->var.yres; >>>>       off_t end = off + len; >>>>       u32 x1 = 0; >>>> -    u32 y1 = off / info->fix.line_length; >>>> +    u32 y1 = off / line_length; >>>>       u32 x2 = info->var.xres; >>>> -    u32 y2 = DIV_ROUND_UP(end, info->fix.line_length); >>>> +    u32 y2 = DIV_ROUND_UP(end, line_length); >>>> + >>>> +    /* Don't allow any of them beyond the bottom bound of display >>>> area */ >>>> +    if (y1 > fb_height) >>>> +        y1 = fb_height; >>>> +    if (y2 > fb_height) >>>> +        y2 = fb_height; >>>>         if ((y2 - y1) == 1) { >>>>           /* >>>>            * We've only written to a single scanline. Try to reduce >>>>            * the number of horizontal pixels that need an update. >>>>            */ >>>> -        off_t bit_off = (off % info->fix.line_length) * 8; >>>> -        off_t bit_end = (end % info->fix.line_length) * 8; >>>> +        off_t bit_off = (off % line_length) * 8; >>>> +        off_t bit_end = (end % line_length) * 8; >>> >>> Please scratch all these changes. The current code should work as >>> intended. Only the generic fbdev emulation uses this code and it >>> should really be moved there at some point. >> >> >> Are you meant  that we should remove all these changes in >> drivers/gpu/drm/drm_fb_helper.c ? > > As Daniel mentioned, there's the discussion in the other thread. I > don't want to reopen it here. Just to summarize: I'm not convinced > that this should be DRM code because it can be shared with other fbdev > drivers. > > [...] > >>>> diff --git a/drivers/gpu/drm/drm_fbdev_generic.c >>>> b/drivers/gpu/drm/drm_fbdev_generic.c >>>> index 8e5148bf40bb..b057cfbba938 100644 >>>> --- a/drivers/gpu/drm/drm_fbdev_generic.c >>>> +++ b/drivers/gpu/drm/drm_fbdev_generic.c >>>> @@ -94,7 +94,7 @@ static int >>>> drm_fbdev_generic_helper_fb_probe(struct drm_fb_helper *fb_helper, >>>>       fb_helper->buffer = buffer; >>>>       fb_helper->fb = buffer->fb; >>>>   -    screen_size = buffer->gem->size; >>>> +    screen_size = sizes->surface_height * buffer->fb->pitches[0]; > > This has been bothering me over the weekend. And I think it's because > what we want the screen_size to be heigth * pitch,  but the mmap'ed > memory is still at page granularity. Therefore... > > [...] >>> >>>>       screen_buffer = vzalloc(screen_size); > > ... this line should explicitly allocate multiples of pages. Something > like > >     /* allocate page-size multiples for mmap */ >     vzalloc(PAGE_ALIGN(screen_size)) > I just thought about your instruction at here, thanks! But it is already page size aligned if we don't tough it. It is guaranteed by the GEM memory manger, so a previous patch tested by me, is turn out to be a extremely correct? We exposed a  page size aligned buffer(even though it is larger than needed) is actually for mmap ? > It has not been a bug so far because vzalloc() always returns full > pages IIRC. It's still worth fixing. > > Best regards > Thomas > > >>>>       if (!screen_buffer) { >>>>           ret = -ENOMEM; >>> >