* [PATCH] vt: fix memory overlapping when deleting chars in the buffer
@ 2022-06-27 10:29 Yangxi Xiang
2022-06-27 10:47 ` Greg Kroah-Hartman
0 siblings, 1 reply; 10+ messages in thread
From: Yangxi Xiang @ 2022-06-27 10:29 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, Jiri Slaby, Johan Hovold,
Igor Matheus Andrade Torrente, Christian Borntraeger, nick black,
Yangxi Xiang
A memory overlapping copy occurs when deleting a long line. Fix it by
using scr_memmovew.
Signed-off-by: Yangxi Xiang <xyangxi5@gmail.com>
---
drivers/tty/vt/vt.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/drivers/tty/vt/vt.c b/drivers/tty/vt/vt.c
index f8c87c4d7399..d87bff9d8ed5 100644
--- a/drivers/tty/vt/vt.c
+++ b/drivers/tty/vt/vt.c
@@ -853,9 +853,13 @@ static void insert_char(struct vc_data *vc, unsigned int nr)
static void delete_char(struct vc_data *vc, unsigned int nr)
{
unsigned short *p = (unsigned short *) vc->vc_pos;
+ unsigned short cp = (vc->vc_cols - vc->state.x - nr) * 2;
vc_uniscr_delete(vc, nr);
- scr_memcpyw(p, p + nr, (vc->vc_cols - vc->state.x - nr) * 2);
+ if (cp > nr)
+ scr_memmovew(p, p + nr, cp);
+ else
+ scr_memcpyw(p, p + nr, cp);
scr_memsetw(p + vc->vc_cols - vc->state.x - nr, vc->vc_video_erase_char,
nr * 2);
vc->vc_need_wrap = 0;
--
2.17.1
^ permalink raw reply related [flat|nested] 10+ messages in thread* Re: [PATCH] vt: fix memory overlapping when deleting chars in the buffer
2022-06-27 10:29 [PATCH] vt: fix memory overlapping when deleting chars in the buffer Yangxi Xiang
@ 2022-06-27 10:47 ` Greg Kroah-Hartman
2022-06-27 11:04 ` Yangxi Xiang
0 siblings, 1 reply; 10+ messages in thread
From: Greg Kroah-Hartman @ 2022-06-27 10:47 UTC (permalink / raw)
To: Yangxi Xiang
Cc: linux-kernel, Jiri Slaby, Johan Hovold,
Igor Matheus Andrade Torrente, Christian Borntraeger, nick black
On Mon, Jun 27, 2022 at 06:29:40PM +0800, Yangxi Xiang wrote:
> A memory overlapping copy occurs when deleting a long line. Fix it by
> using scr_memmovew.
>
> Signed-off-by: Yangxi Xiang <xyangxi5@gmail.com>
What commit does this fix? how was this tested?
thanks,
greg k-h
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH] vt: fix memory overlapping when deleting chars in the buffer
2022-06-27 10:47 ` Greg Kroah-Hartman
@ 2022-06-27 11:04 ` Yangxi Xiang
2022-06-27 11:07 ` Greg Kroah-Hartman
0 siblings, 1 reply; 10+ messages in thread
From: Yangxi Xiang @ 2022-06-27 11:04 UTC (permalink / raw)
To: Greg Kroah-Hartman
Cc: linux-kernel, Jiri Slaby, Johan Hovold,
Igor Matheus Andrade Torrente, Christian Borntraeger, nick black
> What commit does this fix? how was this tested?
This bug is triggered by running a dynamic analysis on the kernel,
with the help of sanitizer to observe this bug. This memory
overlapping copy can cause data corruption when scr_memcpyw is
optimized to memcpy because memcpy does not ensure its behavior if
the destination buffer overlaps with the source buffer.
Yangxi Xiang
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH] vt: fix memory overlapping when deleting chars in the buffer
2022-06-27 11:04 ` Yangxi Xiang
@ 2022-06-27 11:07 ` Greg Kroah-Hartman
2022-06-27 11:40 ` Yangxi Xiang
0 siblings, 1 reply; 10+ messages in thread
From: Greg Kroah-Hartman @ 2022-06-27 11:07 UTC (permalink / raw)
To: Yangxi Xiang
Cc: linux-kernel, Jiri Slaby, Johan Hovold,
Igor Matheus Andrade Torrente, Christian Borntraeger, nick black
On Mon, Jun 27, 2022 at 07:04:17PM +0800, Yangxi Xiang wrote:
> > What commit does this fix? how was this tested?
>
> This bug is triggered by running a dynamic analysis on the kernel,
> with the help of sanitizer to observe this bug. This memory
> overlapping copy can cause data corruption when scr_memcpyw is
> optimized to memcpy because memcpy does not ensure its behavior if
> the destination buffer overlaps with the source buffer.
And what commit id does this fix, or has it always been broken?
thanks,
greg k-h
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH] vt: fix memory overlapping when deleting chars in the buffer
2022-06-27 11:07 ` Greg Kroah-Hartman
@ 2022-06-27 11:40 ` Yangxi Xiang
2022-06-27 12:29 ` Greg Kroah-Hartman
0 siblings, 1 reply; 10+ messages in thread
From: Yangxi Xiang @ 2022-06-27 11:40 UTC (permalink / raw)
To: Greg Kroah-Hartman
Cc: linux-kernel, Jiri Slaby, Johan Hovold,
Igor Matheus Andrade Torrente, Christian Borntraeger, nick black
> And what commit id does this fix, or has it always been broken?
It fixes the commit 81732c3 (tty vt: Fix line garbage in virtual
console on command line edition). The line buffer is not always
broken, because the memcpy utilized the hardware acceleration, whose
result is not deterministic. I fix this issue by replacing the
scr_memcpyw with scr_memmovew used in insert_char, and preserving the
memcpy optimization when the buffers are not overlapping.
Yangxi Xiang
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH] vt: fix memory overlapping when deleting chars in the buffer
2022-06-27 11:40 ` Yangxi Xiang
@ 2022-06-27 12:29 ` Greg Kroah-Hartman
0 siblings, 0 replies; 10+ messages in thread
From: Greg Kroah-Hartman @ 2022-06-27 12:29 UTC (permalink / raw)
To: Yangxi Xiang
Cc: linux-kernel, Jiri Slaby, Johan Hovold,
Igor Matheus Andrade Torrente, Christian Borntraeger, nick black
On Mon, Jun 27, 2022 at 07:40:16PM +0800, Yangxi Xiang wrote:
> > And what commit id does this fix, or has it always been broken?
>
> It fixes the commit 81732c3 (tty vt: Fix line garbage in virtual
> console on command line edition). The line buffer is not always
> broken, because the memcpy utilized the hardware acceleration, whose
> result is not deterministic. I fix this issue by replacing the
> scr_memcpyw with scr_memmovew used in insert_char, and preserving the
> memcpy optimization when the buffers are not overlapping.
Great, can you please resend the patch with that information all in it,
and the proper Fixes: line tag added?
thanks,
greg k-h
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH v2] vt: fix memory overlapping when deleting chars in the buffer
@ 2022-06-28 8:08 Jiri Slaby
2022-06-28 8:27 ` [PATCH] " Yangxi Xiang
0 siblings, 1 reply; 10+ messages in thread
From: Jiri Slaby @ 2022-06-28 8:08 UTC (permalink / raw)
To: Yangxi Xiang, linux-kernel
Cc: Greg Kroah-Hartman, Johan Hovold, Igor Matheus Andrade Torrente,
Christian Borntraeger, nick black
On 27. 06. 22, 14:54, Yangxi Xiang wrote:
> A memory overlapping copy occurs when deleting a long line. This memory
> overlapping copy can cause data corruption when scr_memcpyw is optimized
> to memcpy because memcpy does not ensure its behavior if the destination
> buffer overlaps with the source buffer. The line buffer is not always
> broken, because the memcpy utilizes the hardware acceleration, whose
> result is not deterministic.
>
> Fix this problem by using replacing the scr_memcpyw with scr_memmovew, and
> preserving the memcpy optimization when the buffers are not overlapping.
>
> Fixes: 81732c3b2fed ("Fix line garbage in virtual console").
> Signed-off-by: Yangxi Xiang <xyangxi5@gmail.com>
> ---
> drivers/tty/vt/vt.c | 6 +++++-
> 1 file changed, 5 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/tty/vt/vt.c b/drivers/tty/vt/vt.c
> index f8c87c4d7399..d87bff9d8ed5 100644
> --- a/drivers/tty/vt/vt.c
> +++ b/drivers/tty/vt/vt.c
> @@ -853,9 +853,13 @@ static void insert_char(struct vc_data *vc, unsigned int nr)
> static void delete_char(struct vc_data *vc, unsigned int nr)
> {
> unsigned short *p = (unsigned short *) vc->vc_pos;
> + unsigned short cp = (vc->vc_cols - vc->state.x - nr) * 2;
>
> vc_uniscr_delete(vc, nr);
> - scr_memcpyw(p, p + nr, (vc->vc_cols - vc->state.x - nr) * 2);
> + if (cp > nr)
> + scr_memmovew(p, p + nr, cp);
> + else
> + scr_memcpyw(p, p + nr, cp);
Why not to use memmove in both cases? I.e. simply switch scr_memcpyw to
scr_memmovew?
thanks,
--
js
suse labs
^ permalink raw reply [flat|nested] 10+ messages in thread* Re: [PATCH] vt: fix memory overlapping when deleting chars in the buffer
2022-06-28 8:08 [PATCH v2] " Jiri Slaby
@ 2022-06-28 8:27 ` Yangxi Xiang
2022-06-28 8:38 ` Jiri Slaby
0 siblings, 1 reply; 10+ messages in thread
From: Yangxi Xiang @ 2022-06-28 8:27 UTC (permalink / raw)
To: Jiri Slaby
Cc: linux-kernel, Greg Kroah-Hartman, Johan Hovold,
Igor Matheus Andrade Torrente, Christian Borntraeger, nick black
> Why not to use memmove in both cases? I.e. simply switch scr_memcpyw to
> scr_memmovew?
Both of them works, and I pick one of them.
Yangxi Xiang
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH] vt: fix memory overlapping when deleting chars in the buffer
2022-06-28 8:27 ` [PATCH] " Yangxi Xiang
@ 2022-06-28 8:38 ` Jiri Slaby
2022-06-28 8:59 ` Yangxi Xiang
0 siblings, 1 reply; 10+ messages in thread
From: Jiri Slaby @ 2022-06-28 8:38 UTC (permalink / raw)
To: Yangxi Xiang
Cc: linux-kernel, Greg Kroah-Hartman, Johan Hovold,
Igor Matheus Andrade Torrente, Christian Borntraeger, nick black
On 28. 06. 22, 10:27, Yangxi Xiang wrote:
>> Why not to use memmove in both cases? I.e. simply switch scr_memcpyw to
>> scr_memmovew?
>
> Both of them works, and I pick one of them.
Sorry, I don't understand.
--
js
suse labs
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH] vt: fix memory overlapping when deleting chars in the buffer
2022-06-28 8:38 ` Jiri Slaby
@ 2022-06-28 8:59 ` Yangxi Xiang
2022-06-28 9:11 ` Greg Kroah-Hartman
0 siblings, 1 reply; 10+ messages in thread
From: Yangxi Xiang @ 2022-06-28 8:59 UTC (permalink / raw)
To: Jiri Slaby
Cc: linux-kernel, Greg Kroah-Hartman, Johan Hovold,
Igor Matheus Andrade Torrente, Christian Borntraeger, nick black
>> Both of them works, and I pick one of them.
>
> Sorry, I don't understand.
We can use both scr_memcpyw() and scr_memmovew() for the not
overlapping case (cp <= nr), which is more likely to happen.
In this case I keep using scr_memcpyw().
Yangxi Xiang
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH] vt: fix memory overlapping when deleting chars in the buffer
2022-06-28 8:59 ` Yangxi Xiang
@ 2022-06-28 9:11 ` Greg Kroah-Hartman
0 siblings, 0 replies; 10+ messages in thread
From: Greg Kroah-Hartman @ 2022-06-28 9:11 UTC (permalink / raw)
To: Yangxi Xiang
Cc: Jiri Slaby, linux-kernel, Johan Hovold,
Igor Matheus Andrade Torrente, Christian Borntraeger, nick black
On Tue, Jun 28, 2022 at 04:59:22PM +0800, Yangxi Xiang wrote:
> >> Both of them works, and I pick one of them.
> >
> > Sorry, I don't understand.
>
> We can use both scr_memcpyw() and scr_memmovew() for the not
> overlapping case (cp <= nr), which is more likely to happen.
> In this case I keep using scr_memcpyw().
The point is we should just do one type of copy, let's pick the one that
always works and do that, no need to check anything here.
thanks,
greg k-h
^ permalink raw reply [flat|nested] 10+ messages in thread
end of thread, other threads:[~2022-06-28 9:11 UTC | newest]
Thread overview: 10+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2022-06-27 10:29 [PATCH] vt: fix memory overlapping when deleting chars in the buffer Yangxi Xiang
2022-06-27 10:47 ` Greg Kroah-Hartman
2022-06-27 11:04 ` Yangxi Xiang
2022-06-27 11:07 ` Greg Kroah-Hartman
2022-06-27 11:40 ` Yangxi Xiang
2022-06-27 12:29 ` Greg Kroah-Hartman
-- strict thread matches above, loose matches on Subject: below --
2022-06-28 8:08 [PATCH v2] " Jiri Slaby
2022-06-28 8:27 ` [PATCH] " Yangxi Xiang
2022-06-28 8:38 ` Jiri Slaby
2022-06-28 8:59 ` Yangxi Xiang
2022-06-28 9:11 ` Greg Kroah-Hartman
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox