From: jeffy <jeffy.chen@rock-chips.com>
To: Sean Paul <seanpaul@chromium.org>
Cc: linux-kernel@vger.kernel.org, dri-devel@lists.freedesktop.org,
tfiga@chromium.org, linux-rockchip@lists.infradead.org,
linux-arm-kernel@lists.infradead.org
Subject: Re: [PATCH] drm/rockchip: Don't allow zero sized gem buffer
Date: Fri, 26 May 2017 10:30:09 +0800
Message-ID: <59279331.3050402@rock-chips.com>
In-Reply-To: <20170525153045.7svkkmfsqbqkfacp@art_vandelay>
Hi Sean,
On 05/25/2017 11:30 PM, Sean Paul wrote:
> On Tue, May 23, 2017 at 02:39:43PM +0800, Jeffy Chen wrote:
>> The system would crash when trying to alloc zero sized gem buffer:
>> [ 6.712435] Unable to handle kernel NULL pointer dereference at virtual address 00000010 <--ZERO_SIZE_PTR
>> ...
>> [ 6.757502] PC is at sg_alloc_table_from_pages+0x170/0x1ec
>
> It's unfortunate that you didn't include the entire stack trace. From code
> inspection, it seems like the 0 size comes from the fb_probe path? Is there
> somewhere in the helpers that you could check the mode is sane so all drivers
> can benefit?
Hmm, sorry, I was testing it on the Chrome OS 4.4 kernel. It turns out that
we have a custom ioctl for userspace to create a gem buffer (the same as
exynos drm), which might get the 0 size.
But on the upstream kernel, it could only be called by dumb_create, and
drm_mode_create_dumb_ioctl already did the size check.
Will resend this patch and rewrite the commit message, thanks.
>
> Sean
>
>>
>> Signed-off-by: Jeffy Chen <jeffy.chen@rock-chips.com>
>> ---
>>
>> drivers/gpu/drm/rockchip/rockchip_drm_gem.c | 5 +++++
>> 1 file changed, 5 insertions(+)
>>
>> diff --git a/drivers/gpu/drm/rockchip/rockchip_drm_gem.c b/drivers/gpu/drm/rockchip/rockchip_drm_gem.c
>> index df9e570..8917922 100644
>> --- a/drivers/gpu/drm/rockchip/rockchip_drm_gem.c
>> +++ b/drivers/gpu/drm/rockchip/rockchip_drm_gem.c
>> @@ -315,6 +315,11 @@ struct rockchip_gem_object *
>> struct drm_gem_object *obj;
>> int ret;
>>
>> + if (!size) {
>> + DRM_ERROR("gem buffer size is zero\n");
>> + return ERR_PTR(-EINVAL);
>> + }
>> +
>> size = round_up(size, PAGE_SIZE);
>>
>> rk_obj = kzalloc(sizeof(*rk_obj), GFP_KERNEL);
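Review bot: the `if (!size)` check sits before `size = round_up(size, PAGE_SIZE);`, so it rejects a literal zero but not a size that is non-zero on entry and wraps to zero inside round_up (round_up is `((x - 1) | (y - 1)) + 1`, which overflows for values in the top page of the address space); checking the rounded value as well, or rejecting sizes above a sane upper bound, would cover both cases in one place. Since the condition is reachable from userspace (the dumb-buffer ioctl, and the downstream custom ioctl mentioned in the thread), `DRM_ERROR` lets an unprivileged caller spam the kernel log; `DRM_DEBUG_KMS` or a rate-limited print is the usual choice for input-validation failures, with `-EINVAL` already being the right return.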
>> --
>> 2.1.4
>>
>