From: Jani Nikula <jani.nikula@linux.intel.com>
To: Ziqi Zhao <astrajoan@yahoo.com>,
astrajoan@yahoo.com, airlied@gmail.com, daniel@ffwll.ch,
dri-devel@lists.freedesktop.org, ivan.orlov0322@gmail.com,
maarten.lankhorst@linux.intel.com, mripard@kernel.org,
skhan@linuxfoundation.org, tzimmermann@suse.de
Cc: netdev@vger.kernel.org, dsahern@kernel.org,
syzkaller-bugs@googlegroups.com, linux-kernel@vger.kernel.org,
edumazet@google.com, jiri@nvidia.com, jacob.e.keller@intel.com,
kuba@kernel.org, pabeni@redhat.com, davem@davemloft.net,
syzbot+622bba18029bcde672e1@syzkaller.appspotmail.com
Subject: Re: [PATCH] drm/modes: Fix division by zero error
Date: Tue, 01 Aug 2023 12:30:00 +0300 [thread overview]
Message-ID: <87o7jrw1nr.fsf@intel.com> (raw)
In-Reply-To: <20230721160749.8489-1-astrajoan@yahoo.com>
On Fri, 21 Jul 2023, Ziqi Zhao <astrajoan@yahoo.com> wrote:
> In the bug reported by Syzbot, the variable `den == (1 << 22)` and
> `mode->vscan == (1 << 10)`, causing the multiplication to overflow and
> accidentally make `den == 0`. To prevent any chance of overflow, we
> replace `num` and `den` with 64-bit unsigned integers, and explicitly
> check if the divisor `den` will overflow. If so, we employ full 64-bit
> division with rounding; otherwise we keep the 64-bit to 32-bit division
> that could potentially be better optimized.
>
> In order to minimize the performance overhead, the overflow check for
> `den` is wrapped with an `unlikely` condition. Please let me know if
> this usage is appropriate.
>
> Reported-by: syzbot+622bba18029bcde672e1@syzkaller.appspotmail.com
> Signed-off-by: Ziqi Zhao <astrajoan@yahoo.com>
> ---
> drivers/gpu/drm/drm_modes.c | 11 +++++++----
> 1 file changed, 7 insertions(+), 4 deletions(-)
>
> diff --git a/drivers/gpu/drm/drm_modes.c b/drivers/gpu/drm/drm_modes.c
> index ac9a406250c5..aa98bd7b8bc9 100644
> --- a/drivers/gpu/drm/drm_modes.c
> +++ b/drivers/gpu/drm/drm_modes.c
> @@ -1285,13 +1285,13 @@ EXPORT_SYMBOL(drm_mode_set_name);
> */
> int drm_mode_vrefresh(const struct drm_display_mode *mode)
> {
> - unsigned int num, den;
> + unsigned long long num, den;
I think making them u64 would be more clear.
>
> if (mode->htotal == 0 || mode->vtotal == 0)
> return 0;
>
> - num = mode->clock;
> - den = mode->htotal * mode->vtotal;
> + num = mul_u32_u32(mode->clock, 1000);
> + den = mul_u32_u32(mode->htotal, mode->vtotal);
>
> if (mode->flags & DRM_MODE_FLAG_INTERLACE)
> num *= 2;
> @@ -1300,7 +1300,10 @@ int drm_mode_vrefresh(const struct drm_display_mode *mode)
> if (mode->vscan > 1)
> den *= mode->vscan;
>
> - return DIV_ROUND_CLOSEST_ULL(mul_u32_u32(num, 1000), den);
> + if (unlikely(den >> 32))
More intuitively, den > UINT_MAX.
> + return div64_u64(num + (den >> 1), den);
More intuitively, DIV64_U64_ROUND_CLOSEST(num, den).
> + else
The else after a branch with return is unnecessary. Someone's going to
send a patch to remove it later if you leave it in.
BR,
Jani.
> + return DIV_ROUND_CLOSEST_ULL(num, (unsigned int) den);
> }
> EXPORT_SYMBOL(drm_mode_vrefresh);
--
Jani Nikula, Intel Open Source Graphics Center
next prev parent reply other threads:[~2023-08-01 9:30 UTC|newest]
Thread overview: 22+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-06-21 15:11 [syzbot] [dri?] divide error in drm_mode_vrefresh syzbot
2023-07-09 1:12 ` [PATCH] drm/modes: Fix division by zero error Ziqi Zhao
2023-07-09 1:12 ` Ziqi Zhao
2023-07-09 4:09 ` [syzbot] [dri?] divide error in drm_mode_vrefresh syzbot
2023-07-21 16:07 ` [PATCH] drm/modes: Fix division by zero error Ziqi Zhao
2023-07-21 16:07 ` Ziqi Zhao
2023-08-01 9:30 ` Jani Nikula [this message]
2023-08-01 21:55 ` [Intel-gfx] [PATCH v2] " Ziqi Zhao
2023-08-01 21:55 ` Ziqi Zhao
2023-08-01 21:55 ` Ziqi Zhao
2023-08-02 10:04 ` Jani Nikula
2023-08-02 10:04 ` Jani Nikula
2023-08-02 13:24 ` [Intel-gfx] ✗ Fi.CI.CHECKPATCH: warning for " Patchwork
2023-08-02 13:44 ` [Intel-gfx] ✓ Fi.CI.BAT: success " Patchwork
2023-08-02 17:28 ` [Intel-gfx] ✗ Fi.CI.IGT: failure " Patchwork
2023-08-02 17:47 ` [Intel-gfx] [PATCH v3] drm/modes: Fix division by zero due to overflow Ziqi Zhao
2023-08-02 17:47 ` Ziqi Zhao
2023-08-02 17:47 ` Ziqi Zhao
2023-08-03 9:35 ` Jani Nikula
2023-08-03 9:35 ` Jani Nikula
[not found] <84C84E4F-28DA-4DFF-B2E7-83C45F54C061.ref@yahoo.com>
2023-08-01 22:09 ` [PATCH] drm/modes: Fix division by zero error Astra Joan
2023-08-01 22:09 ` Astra Joan
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87o7jrw1nr.fsf@intel.com \
--to=jani.nikula@linux.intel.com \
--cc=airlied@gmail.com \
--cc=astrajoan@yahoo.com \
--cc=daniel@ffwll.ch \
--cc=davem@davemloft.net \
--cc=dri-devel@lists.freedesktop.org \
--cc=dsahern@kernel.org \
--cc=edumazet@google.com \
--cc=ivan.orlov0322@gmail.com \
--cc=jacob.e.keller@intel.com \
--cc=jiri@nvidia.com \
--cc=kuba@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=maarten.lankhorst@linux.intel.com \
--cc=mripard@kernel.org \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=skhan@linuxfoundation.org \
--cc=syzbot+622bba18029bcde672e1@syzkaller.appspotmail.com \
--cc=syzkaller-bugs@googlegroups.com \
--cc=tzimmermann@suse.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.