From: jeffy.chen@rock-chips.com (jeffy)
Date: Fri, 26 May 2017 10:30:09 +0800
Subject: Re: [PATCH] drm/rockchip: Don't allow zero sized gem buffer
To: Sean Paul
Cc: linux-kernel@vger.kernel.org, tfiga@chromium.org, Mark Yao, Heiko Stuebner, dri-devel@lists.freedesktop.org, linux-rockchip@lists.infradead.org, David Airlie, linux-arm-kernel@lists.infradead.org
Message-ID: <59279331.3050402@rock-chips.com>
In-Reply-To: <20170525153045.7svkkmfsqbqkfacp@art_vandelay>
References: <1495521583-29151-1-git-send-email-jeffy.chen@rock-chips.com> <20170525153045.7svkkmfsqbqkfacp@art_vandelay>

Hi Sean,

On 05/25/2017 11:30 PM, Sean Paul wrote:
> On Tue, May 23, 2017 at 02:39:43PM +0800, Jeffy Chen wrote:
>> The system would crash when trying to alloc a zero-sized gem buffer:
>> [    6.712435] Unable to handle kernel NULL pointer dereference at virtual address 00000010 <--ZERO_SIZE_PTR
>> ...
>> [    6.757502] PC is at sg_alloc_table_from_pages+0x170/0x1ec
>
> It's unfortunate that you didn't include the entire stack trace. From code
> inspection, it seems like the 0 size comes from the fb_probe path? Is there
> somewhere in the helpers that you could check the mode is sane so all drivers
> can benefit?

Hmm, sorry, I was testing it on the chromeos 4.4 kernel. It turns out that
we have a custom ioctl for userspace to create a gem buffer (the same as
exynos drm), which might get the 0 size.

But on the upstream kernel, it could only be called by dumb_create, and
drm_mode_create_dumb_ioctl already did the size check.

Will resend this patch and rewrite the commit message, thanx.

>
> Sean
>
>>
>> Signed-off-by: Jeffy Chen <jeffy.chen@rock-chips.com>
>> ---
>>
>>   drivers/gpu/drm/rockchip/rockchip_drm_gem.c | 5 +++++
>>   1 file changed, 5 insertions(+)
>>
>> diff --git a/drivers/gpu/drm/rockchip/rockchip_drm_gem.c b/drivers/gpu/drm/rockchip/rockchip_drm_gem.c
>> index df9e570..8917922 100644
>> --- a/drivers/gpu/drm/rockchip/rockchip_drm_gem.c
>> +++ b/drivers/gpu/drm/rockchip/rockchip_drm_gem.c
>> @@ -315,6 +315,11 @@ struct rockchip_gem_object *
>>   	struct drm_gem_object *obj;
>>   	int ret;
>>
>> +	if (!size) {
>> +		DRM_ERROR("gem buffer size is zero\n");
>> +		return ERR_PTR(-EINVAL);
>> +	}
>> +
>>   	size = round_up(size, PAGE_SIZE);
>>
>>   	rk_obj = kzalloc(sizeof(*rk_obj), GFP_KERNEL);
>> --
>> 2.1.4
>>
>
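Review bot: the new `if (!size)` check in this hunk runs before `size = round_up(size, PAGE_SIZE);`, so it rejects a literal zero but not a size large enough for `round_up` to wrap around to zero, which would then reach the same allocation path the patch is guarding; either validate after the rounding or additionally reject sizes that would overflow it. Since the author notes this function is reachable from a userspace ioctl, a userspace-supplied bad size should also log at DRM_DEBUG (or rate-limited) rather than `DRM_ERROR`, so a misbehaving client cannot flood the kernel log.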