From: Nam Cao
To: Jaya Kumar, Daniel Vetter, Helge Deller, Javier Martinez Canillas, Thomas Zimmermann, linux-fbdev@vger.kernel.org, dri-devel@lists.freedesktop.org, linux-kernel@vger.kernel.org
Cc: tiwai@suse.de, namcao@linutronix.de, bigeasy@linutronix.de, patrik.r.jakobsson@gmail.com, Vegard Nossum, George Kennedy, Darren Kenny, chuansheng.liu@intel.com, Harshit Mogalapalli, stable@vger.kernel.org
Subject: [PATCH v2] fbdev: fix incorrect address computation in deferred IO
Date: Tue, 23 Apr 2024 13:50:53 +0200
Message-Id: <20240423115053.4490-1-namcao@linutronix.de>
Content-Transfer-Encoding: quoted-printable

With deferred IO enabled, a page fault happens when data is written to the framebuffer device.
Then the driver determines which page is being updated by calculating the offset of the written virtual address within the virtual memory area, and uses this offset to get the updated page within the internal buffer. This page is later copied to hardware (thus the name "deferred IO").

This offset calculation is only correct if the virtual memory area is mapped to the beginning of the internal buffer. Otherwise this is wrong. For example, if users do:

    mmap(ptr, 4096, PROT_WRITE, MAP_FIXED | MAP_SHARED, fd, 0xff000);

Then the virtual memory area will be mapped at offset 0xff000 within the internal buffer. This offset 0xff000 is not accounted for, and the wrong page is updated.

Correct the calculation by using vmf->pgoff instead. With this change, the variable "offset" will no longer hold the exact offset value, but it is rounded down to multiples of PAGE_SIZE. But this is still correct, because this variable is only used to calculate the page offset.

Reported-by: Harshit Mogalapalli
Closes: https://lore.kernel.org/linux-fbdev/271372d6-e665-4e7f-b088-dee5f4ab341a@oracle.com
Fixes: 56c134f7f1b5 ("fbdev: Track deferred-I/O pages in pageref struct")
Cc:
Signed-off-by: Nam Cao
---
v2:
- simplify the patch by using vfg->pgoff
- remove tested-by tag, as the patch is now different

 drivers/video/fbdev/core/fb_defio.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/video/fbdev/core/fb_defio.c b/drivers/video/fbdev/core= /fb_defio.c index 1ae1d35a5942..b9607d5a370d 100644 --- a/drivers/video/fbdev/core/fb_defio.c +++ b/drivers/video/fbdev/core/fb_defio.c @@ -196,7 +196,7 @@ static vm_fault_t fb_deferred_io_track_page(struct fb_i= nfo *info, unsigned long */ static vm_fault_t fb_deferred_io_page_mkwrite(struct fb_info *info, struct= vm_fault *vmf) { - unsigned long offset =3D vmf->address - vmf->vma->vm_start; + unsigned long offset =3D vmf->pgoff << PAGE_SHIFT; struct page *page =3D vmf->page; =20 file_update_time(vmf->vma->vm_file); --=20 2.39.2
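
Review bot: The new assignment "unsigned long offset = vmf->pgoff << PAGE_SHIFT;" in fb_deferred_io_page_mkwrite() has no comment saying that offset is now a page-aligned position in the internal buffer rather than the byte offset of the fault within the VMA; that reasoning lives only in the commit message. A one-line comment at the assignment, noting that the value already includes the mmap offset and is only used to derive the page, would keep a later cleanup from restoring the "vmf->address - vmf->vma->vm_start" form. Separately, the v2 changelog says "vfg->pgoff" where the hunk uses vmf->pgoff.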