From: abhinavk@codeaurora.org
To: Stephen Boyd <swboyd@chromium.org>
Cc: Rob Clark <robdclark@gmail.com>,
	linux-kernel@vger.kernel.org, linux-arm-msm@vger.kernel.org,
	freedreno@lists.freedesktop.org, dri-devel@lists.freedesktop.org,
	Sean Paul <sean@poorly.run>,
	Jeykumar Sankaran <jsanka@codeaurora.org>,
	Jordan Crouse <jcrouse@codeaurora.org>,
	Sean Paul <seanpaul@chromium.org>,
	linux-arm-msm-owner@vger.kernel.org
Subject: Re: [PATCH 1/2] drm/msm: Avoid div-by-zero in dpu_crtc_atomic_check()
Date: Tue, 01 Sep 2020 15:05:34 -0700
Message-ID: <cfa79004980a6bd72466132dc77f99db@codeaurora.org>
In-Reply-To: <20200901215942.2559119-2-swboyd@chromium.org>

On 2020-09-01 14:59, Stephen Boyd wrote:
> The cstate->num_mixers member is only set to a non-zero value once
> dpu_encoder_virt_mode_set() is called, but the atomic check function can
> be called by userspace before that. Let's avoid the div-by-zero here and
> inside _dpu_crtc_setup_lm_bounds() by skipping this part of the atomic
> check if dpu_encoder_virt_mode_set() hasn't been called yet. This fixes
> an UBSAN warning:
> 
>  UBSAN: Undefined behaviour in drivers/gpu/drm/msm/disp/dpu1/dpu_crtc.c:860:31
>  division by zero
>  CPU: 7 PID: 409 Comm: frecon Tainted: G S                5.4.31 #128
>  Hardware name: Google Trogdor (rev0) (DT)
>  Call trace:
>   dump_backtrace+0x0/0x14c
>   show_stack+0x20/0x2c
>   dump_stack+0xa0/0xd8
>   __ubsan_handle_divrem_overflow+0xec/0x110
>   dpu_crtc_atomic_check+0x97c/0x9d4
>   drm_atomic_helper_check_planes+0x160/0x1c8
>   drm_atomic_helper_check+0x54/0xbc
>   drm_atomic_check_only+0x6a8/0x880
>   drm_atomic_commit+0x20/0x5c
>   drm_atomic_helper_set_config+0x98/0xa0
>   drm_mode_setcrtc+0x308/0x5dc
>   drm_ioctl_kernel+0x9c/0x114
>   drm_ioctl+0x2ac/0x4b0
>   drm_compat_ioctl+0xe8/0x13c
>   __arm64_compat_sys_ioctl+0x184/0x324
>   el0_svc_common+0xa4/0x154
>   el0_svc_compat_handler+0x
> 
> Cc: Abhinav Kumar <abhinavk@codeaurora.org>
> Cc: Jeykumar Sankaran <jsanka@codeaurora.org>
> Cc: Jordan Crouse <jcrouse@codeaurora.org>
> Cc: Sean Paul <seanpaul@chromium.org>
> Fixes: 25fdd5933e4c ("drm/msm: Add SDM845 DPU support")
> Signed-off-by: Stephen Boyd <swboyd@chromium.org>
Reviewed-by: Abhinav Kumar <abhinavk@codeaurora.org>
> ---
>  drivers/gpu/drm/msm/disp/dpu1/dpu_crtc.c | 8 +++++---
>  1 file changed, 5 insertions(+), 3 deletions(-)
> 
> diff --git a/drivers/gpu/drm/msm/disp/dpu1/dpu_crtc.c
> b/drivers/gpu/drm/msm/disp/dpu1/dpu_crtc.c
> index f272a8d0f95b..74294b5ed93f 100644
> --- a/drivers/gpu/drm/msm/disp/dpu1/dpu_crtc.c
> +++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_crtc.c
> @@ -881,7 +881,7 @@ static int dpu_crtc_atomic_check(struct drm_crtc 
> *crtc,
>  	struct drm_plane *plane;
>  	struct drm_display_mode *mode;
> 
> -	int cnt = 0, rc = 0, mixer_width, i, z_pos;
> +	int cnt = 0, rc = 0, mixer_width = 0, i, z_pos;
> 
>  	struct dpu_multirect_plane_states multirect_plane[DPU_STAGE_MAX * 2];
>  	int multirect_count = 0;
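Review bot: the new `mixer_width = 0` initializer on the declaration line means that when `cstate->num_mixers` is zero, the rest of dpu_crtc_atomic_check() runs with a mixer width of 0 instead of an uninitialized value. The later uses of `mixer_width` fall outside the lines shown in this patch, so please confirm they behave sensibly with 0 (or are skipped as well), and consider a short comment saying that 0 here means the mixers have not been assigned yet.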
> @@ -914,9 +914,11 @@ static int dpu_crtc_atomic_check(struct drm_crtc 
> *crtc,
> 
>  	memset(pipe_staged, 0, sizeof(pipe_staged));
> 
> -	mixer_width = mode->hdisplay / cstate->num_mixers;
> +	if (cstate->num_mixers) {
> +		mixer_width = mode->hdisplay / cstate->num_mixers;
> 
> -	_dpu_crtc_setup_lm_bounds(crtc, state);
> +		_dpu_crtc_setup_lm_bounds(crtc, state);
> +	}
> 
>  	crtc_rect.x2 = mode->hdisplay;
>  	crtc_rect.y2 = mode->vdisplay;
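Review bot: the `if (cstate->num_mixers)` guard carries no comment, so the reason the value can be zero at this point (atomic check reached from userspace before dpu_encoder_virt_mode_set() has run) is recorded only in the commit message; a one-line comment above the `if` would keep that with the code. Since the commit message says _dpu_crtc_setup_lm_bounds() divides by the same value, a zero check inside that helper would also cover callers other than this one, if any. Style nit: the blank line left between the division and the `_dpu_crtc_setup_lm_bounds(crtc, state);` call inside the new braces can be dropped.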
