Received: by 2002:a05:6358:9144:b0:117:f937:c515 with SMTP id r4csp1769083rwr;
        Fri, 28 Apr 2023 01:19:38 -0700 (PDT)
X-Google-Smtp-Source: ACHHUZ6Zt8gmVlgws+kKMvjgpncNdOdARtZYrawiPx6gAqtMPnaRcZwjmPd4Iw22iISHzBJLpEZB
X-Received: by 2002:a05:6a20:8e10:b0:f0:718f:8ee7 with SMTP id y16-20020a056a208e1000b000f0718f8ee7mr5413114pzj.53.1682669978376;
        Fri, 28 Apr 2023 01:19:38 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1682669978; cv=none;
        d=google.com; s=arc-20160816;
        b=BzNpCbnKrFYr2Y/7uU93ncRAsmuz/hnzIsNtxWFbt1UL7EObXKG8kGF5CcDHtAZWWP
         cmmKpfxnGJEAk5vQbxEkKwHMy2DYQtZezpNGhx8olKZAWwhFUDfeyXeszVooyNEYg8F7
         3MUAiWiBATmOgwU3+0U3e+CvJbxb8Ss0tXDmEUU8o7Y8VWmkgaHl1T0TRan5o5kWwGyv
         sxaFzc2gIZ+wAHQW4mtFypwJVpNCgnDx8FT9j8H5PGrP96j5cZGOVEtUaBbWKavbDUyE
         27TQ8AAtCDzZr2/utz9RB3iQLIUU4oYRZmcJq/ehbZwLrAEKZQwTnuitbOLNZxDfY090
         877A==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:in-reply-to:from
         :content-language:references:to:subject:user-agent:mime-version:date
         :message-id:sender:hmm_source_type:hmm_attache_num:hmm_source_ip;
        bh=Sd1OAjRQSE6hv5ItIUh7BqtUcuYoN8XXeEBdqvh6rII=;
        b=v3iKC7bc9dP1/Q98GytCjBZFZuCcm1vNawbvjxU0ROClAmJceA1f9TwUTSh86MkKrl
         udTtFmiFjmWl3t039ggDKdOyzth2p6gc2XlMfiY3HroYJEx6RHQAYbZOoRcYXKiHNNlv
         0emsIEoIlKn3HQOu+f0HZlhnQiVcCofo2d9Pml7jkoX9WSyC1n8KnAJsdxOWSqKYF22D
         dM+L6AxVuGi+lvTkIdhh4NQTiHVLJKHU75sU4HOiEGxlVtV89h1jMcf78RR7gxDcLawB
         C9mjsPfULZbSRjrXdlY+Z+Wpoq1TbpflT+1ocxHXKX28apSwmNsdW0NO4PB2yFSw1yOj
         JBvw==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
        by mx.google.com with ESMTP id e2-20020a636902000000b00524b27d3e52si16787363pgc.826.2023.04.28.01.19.24;
        Fri, 28 Apr 2023 01:19:38 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1345473AbjD1IJG (ORCPT <rfc822;backzacc@gmail.com> + 99 others);
        Fri, 28 Apr 2023 04:09:06 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:43686 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S229993AbjD1IJD (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Fri, 28 Apr 2023 04:09:03 -0400
Received: from 189.cn (ptr.189.cn [183.61.185.103])
        by lindbergh.monkeyblade.net (Postfix) with ESMTP id 4952D1BF3;
        Fri, 28 Apr 2023 01:09:00 -0700 (PDT)
HMM_SOURCE_IP: 10.64.8.31:56220.1166601949
HMM_ATTACHE_NUM: 0000
HMM_SOURCE_TYPE: SMTP
Received: from clientip-114.242.206.180 (unknown [10.64.8.31])
        by 189.cn (HERMES) with SMTP id D2D49100237;
        Fri, 28 Apr 2023 16:08:56 +0800 (CST)
Received: from  ([114.242.206.180])
        by gateway-151646-dep-85667d6c59-lhcrq with ESMTP id b7a89ae67736480d9bfae214343db7a0 for 15330273260@189.cn;
        Fri, 28 Apr 2023 16:08:58 CST
X-Transaction-ID: b7a89ae67736480d9bfae214343db7a0
X-Real-From: 15330273260@189.cn
X-Receive-IP: 114.242.206.180
X-MEDUSA-Status: 0
Sender: 15330273260@189.cn
Message-ID: <d788894c-0afa-d5cf-a2f8-cbf201200db6@189.cn>
Date:   Fri, 28 Apr 2023 16:08:54 +0800
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101
 Thunderbird/102.10.0
Subject: Re: [PATCH v2] drm/fbdev-generic: prohibit potential out-of-bounds
 access
To:     Sui Jingfeng <15330273260@189.cn>,
        Thomas Zimmermann <tzimmermann@suse.de>,
        Maxime Ripard <mripard@kernel.org>,
        David Airlie <airlied@gmail.com>, Li Yi <liyi@loongson.cn>,
        Javier Martinez Canillas <javierm@redhat.com>,
        Helge Deller <deller@gmx.de>,
        Lucas De Marchi <lucas.demarchi@intel.com>,
        linux-kernel@vger.kernel.org, linux-fbdev@vger.kernel.org,
        dri-devel@lists.freedesktop.org, loongson-kernel@lists.loongnix.cn
References: <20230413180622.1014016-1-15330273260@189.cn>
 <fccc494f-0e52-5fdf-0e40-acc29177c73c@suse.de>
 <32a1510e-d38a-ffb6-8e8d-026f8b3aa17a@189.cn>
 <fab85750-dcb7-0eeb-cabc-8fcfcc84b11c@suse.de>
 <95ef7589-9775-5ad4-f09c-43bcd696823a@189.cn>
 <ZEpBmkf8CWMwZ/gr@phenom.ffwll.local>
Content-Language: en-US
From:   Sui Jingfeng <15330273260@189.cn>
In-Reply-To: <ZEpBmkf8CWMwZ/gr@phenom.ffwll.local>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit
X-Spam-Status: No, score=-3.1 required=5.0 tests=BAYES_00,
        FREEMAIL_ENVFROM_END_DIGIT,FREEMAIL_FROM,FROM_LOCAL_DIGITS,
        FROM_LOCAL_HEX,NICE_REPLY_A,SPF_HELO_PASS,SPF_PASS,
        T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

Hi,

On 2023/4/27 17:34, Daniel Vetter wrote:
> On Thu, Apr 20, 2023 at 02:47:24AM +0800, Sui Jingfeng wrote:
>> Hi,
>>
>> On 2023/4/17 15:29, Thomas Zimmermann wrote:
>>> Hi
>>>
>>> Am 14.04.23 um 12:58 schrieb Sui Jingfeng:
>>>> Hi,
>>>>
>>>> On 2023/4/14 03:16, Thomas Zimmermann wrote:
>>>>> Hi,
>>>>>
>>>>> thanks for the patch. This is effectively a revert of commit
>>>>> 8fbc9af55de0 ("drm/fbdev-generic: Set screen size to size of GEM
>>>>> buffer"). Please add a Fixes tag.
>>>>>
>>>>> Am 13.04.23 um 20:06 schrieb Sui Jingfeng:
>>>>>> From: Sui Jingfeng <suijingfeng@loongson.cn>
>>>>>>
>>>>>> The crazy fbdev test of IGT may write after EOF, which lead
>>>>>> to out-of-bound
>>>>> Please drop 'crazy'. :)
>>>> This is OK.
>>>>
>>>> By using the world 'crazy',
>>>>
>>>> I meant that the test is very good and maybe it is written by
>>>> professional  peoples
>>>>
>>>> with the guidance by  experienced  engineer. So that even the corner
>>>> get tested.
>>>>
>>>>
>>>>>> access for the drm drivers using fbdev-generic. For example,
>>>>>> run fbdev test
>>>>>> on a x86-64+ast2400 platform with 1680x1050 resolution will
>>>>>> cause the linux
>>>>>> kernel hang with following call trace:
>>>>>>
>>>>>>     Oops: 0000 [#1] PREEMPT SMP PTI
>>>>>>     [IGT] fbdev: starting subtest eof
>>>>>>     Workqueue: events drm_fb_helper_damage_work [drm_kms_helper]
>>>>>>     [IGT] fbdev: starting subtest nullptr
>>>>>>
>>>>>>     RIP: 0010:memcpy_erms+0xa/0x20
>>>>>>     RSP: 0018:ffffa17d40167d98 EFLAGS: 00010246
>>>>>>     RAX: ffffa17d4eb7fa80 RBX: ffffa17d40e0aa80 RCX: 00000000000014c0
>>>>>>     RDX: 0000000000001a40 RSI: ffffa17d40e0b000 RDI: ffffa17d4eb80000
>>>>>>     RBP: ffffa17d40167e20 R08: 0000000000000000 R09: ffff89522ecff8c0
>>>>>>     R10: ffffa17d4e4c5000 R11: 0000000000000000 R12: ffffa17d4eb7fa80
>>>>>>     R13: 0000000000001a40 R14: 000000000000041a R15: ffffa17d40167e30
>>>>>>     FS:  0000000000000000(0000) GS:ffff895257380000(0000)
>>>>>> knlGS:0000000000000000
>>>>>>     CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
>>>>>>     CR2: ffffa17d40e0b000 CR3: 00000001eaeca006 CR4: 00000000001706e0
>>>>>>     Call Trace:
>>>>>>      <TASK>
>>>>>>      ? drm_fbdev_generic_helper_fb_dirty+0x207/0x330 [drm_kms_helper]
>>>>>>      drm_fb_helper_damage_work+0x8f/0x170 [drm_kms_helper]
>>>>>>      process_one_work+0x21f/0x430
>>>>>>      worker_thread+0x4e/0x3c0
>>>>>>      ? __pfx_worker_thread+0x10/0x10
>>>>>>      kthread+0xf4/0x120
>>>>>>      ? __pfx_kthread+0x10/0x10
>>>>>>      ret_from_fork+0x2c/0x50
>>>>>>      </TASK>
>>>>>>     CR2: ffffa17d40e0b000
>>>>>>     ---[ end trace 0000000000000000 ]---
>>>>>>
>>>>>> The indirect reason is drm_fb_helper_memory_range_to_clip()
>>>>>> generate damage
>>>>>> rectangles which partially or completely go out of the
>>>>>> active display area.
>>>>>> The second of argument 'off' is passing from the user-space,
>>>>>> this will lead
>>>>>> to the out-of-bound if it is large than (fb_height + 1) *
>>>>>> fb_pitches; while
>>>>>> DIV_ROUND_UP() may also controbute to error by 1.
>>>>>>
>>>>>> This patch will add code to restrict the damage rect
>>>>>> computed go beyond of
>>>>>> the last line of the framebuffer.
>>>>>>
>>>>>> Signed-off-by: Sui Jingfeng <suijingfeng@loongson.cn>
>>>>>> ---
>>>>>>    drivers/gpu/drm/drm_fb_helper.c     | 16 ++++++++++++----
>>>>>>    drivers/gpu/drm/drm_fbdev_generic.c |  2 +-
>>>>>>    2 files changed, 13 insertions(+), 5 deletions(-)
>>>>>>
>>>>>> diff --git a/drivers/gpu/drm/drm_fb_helper.c
>>>>>> b/drivers/gpu/drm/drm_fb_helper.c
>>>>>> index 64458982be40..6bb1b8b27d7a 100644
>>>>>> --- a/drivers/gpu/drm/drm_fb_helper.c
>>>>>> +++ b/drivers/gpu/drm/drm_fb_helper.c
>>>>>> @@ -641,19 +641,27 @@ static void
>>>>>> drm_fb_helper_damage(struct drm_fb_helper *helper, u32 x,
>>>>>> u32 y,
>>>>>>    static void drm_fb_helper_memory_range_to_clip(struct
>>>>>> fb_info *info, off_t off, size_t len,
>>>>>>                               struct drm_rect *clip)
>>>>>>    {
>>>>>> +    u32 line_length = info->fix.line_length;
>>>>>> +    u32 fb_height = info->var.yres;
>>>>>>        off_t end = off + len;
>>>>>>        u32 x1 = 0;
>>>>>> -    u32 y1 = off / info->fix.line_length;
>>>>>> +    u32 y1 = off / line_length;
>>>>>>        u32 x2 = info->var.xres;
>>>>>> -    u32 y2 = DIV_ROUND_UP(end, info->fix.line_length);
>>>>>> +    u32 y2 = DIV_ROUND_UP(end, line_length);
>>>>>> +
>>>>>> +    /* Don't allow any of them beyond the bottom bound of
>>>>>> display area */
>>>>>> +    if (y1 > fb_height)
>>>>>> +        y1 = fb_height;
>>>>>> +    if (y2 > fb_height)
>>>>>> +        y2 = fb_height;
>>>>>>          if ((y2 - y1) == 1) {
>>>>>>            /*
>>>>>>             * We've only written to a single scanline. Try to reduce
>>>>>>             * the number of horizontal pixels that need an update.
>>>>>>             */
>>>>>> -        off_t bit_off = (off % info->fix.line_length) * 8;
>>>>>> -        off_t bit_end = (end % info->fix.line_length) * 8;
>>>>>> +        off_t bit_off = (off % line_length) * 8;
>>>>>> +        off_t bit_end = (end % line_length) * 8;
>>>>> Please scratch all these changes. The current code should work
>>>>> as intended. Only the generic fbdev emulation uses this code and
>>>>> it should really be moved there at some point.
>>>>
>>>> Are you meant  that we should remove all these changes in
>>>> drivers/gpu/drm/drm_fb_helper.c ?
>>> As Daniel mentioned, there's the discussion in the other thread. I don't
>>> want to reopen it here. Just to summarize: I'm not convinced that this
>>> should be DRM code because it can be shared with other fbdev drivers.
>>>
>>> [...]
>>>
>>>>>> diff --git a/drivers/gpu/drm/drm_fbdev_generic.c
>>>>>> b/drivers/gpu/drm/drm_fbdev_generic.c
>>>>>> index 8e5148bf40bb..b057cfbba938 100644
>>>>>> --- a/drivers/gpu/drm/drm_fbdev_generic.c
>>>>>> +++ b/drivers/gpu/drm/drm_fbdev_generic.c
>>>>>> @@ -94,7 +94,7 @@ static int
>>>>>> drm_fbdev_generic_helper_fb_probe(struct drm_fb_helper
>>>>>> *fb_helper,
>>>>>>        fb_helper->buffer = buffer;
>>>>>>        fb_helper->fb = buffer->fb;
>>>>>>    -    screen_size = buffer->gem->size;
>>>>>> +    screen_size = sizes->surface_height * buffer->fb->pitches[0];
>>> This has been bothering me over the weekend. And I think it's because
>>> what we want the screen_size to be heigth * pitch,  but the mmap'ed
>>> memory is still at page granularity. Therefore...
>>>
>>> [...]
>>>>>>        screen_buffer = vzalloc(screen_size);
>>> ... this line should explicitly allocate multiples of pages. Something
>>> like
>>>
>>>      /* allocate page-size multiples for mmap */
>>>      vzalloc(PAGE_ALIGN(screen_size))
>>>
>> I just thought about your instruction at here, thanks!
>>
>> But it is already page size aligned if we don't tough it.
>>
>> It is guaranteed by the GEM memory manger,
>>
>> so a previous patch tested by me, is turn out to be a extremely correct?
>>
>> We exposed a  page size aligned buffer(even though it is larger than needed)
>> is actually for mmap ?
> mmap() is always page aligned, because that's the smallest size the cpu
> pagetables can map. So there's fundamentally always a bit of memory at the
> end of the buffer which logically is not part of the framebuffer memory.
> And somehow we need to handle that to make sure we don't overflow.
> -Daniel

Yeah, buffer allocating should be page size aligned,

A single page share the same caching property.


fbdev test use the `smem_len` member of `fix_info` to know the true size 
of the shadow screen buffer.

Exposing a large one actually allow the test writing to somewhere beyond 
the logically visible area.


I need to learn more and testing more to verify if there are still 
risks, I'll take a look.

Thanks for sharing the knowledge.

>>
>>> It has not been a bug so far because vzalloc() always returns full pages
>>> IIRC. It's still worth fixing.
>>>
>>> Best regards
>>> Thomas
>>>
>>>
>>>>>>        if (!screen_buffer) {
>>>>>>            ret = -ENOMEM;