[PATCH] drm/ast: Allocate initial CRTC state of the correct size

Thomas Zimmermann tzimmermann at suse.de
Mon Apr 20 14:13:19 UTC 2020 

Hi

Am 20.04.20 um 14:58 schrieb Konstantin Khlebnikov:
> 
> 
> On 20/04/2020 15.55, Thomas Zimmermann wrote:
>> Hi Konstantin
>>
>> Am 20.04.20 um 14:45 schrieb Konstantin Khlebnikov:
>>> I've stumbled upon this too. Trivial fix was posted but stuck in review.
>>> This is patch from Thomas Zimmermann changed according to suggestions by
>>> Daniel Vetter from https://patchwork.kernel.org/patch/11356157/
>>
>> Did you find it on the mailing list? I was waiting for this patch to get
>> merged. Apparently I forgot to push it? I'll take care of the patch.
> 
> Ah, my bad. After deeper look I've found v2
> https://patchwork.kernel.org/patch/11357645/
> But in State=New, it's definitely lost

The patch's now in drm-misc-next. [1] Thanks for the reminder.

Best regards
Thomas

[1]
https://cgit.freedesktop.org/drm/drm-misc/commit/?id=f0adbc382b8bb46a2467c4e5e1027763a197c8e1

> 
>>
>> Best regards
>> Thomas
>>
>>>
>>>
>>> The ast driver inherits from DRM's CRTC state, but still uses the atomic
>>> helper for struct drm_crtc_funcs.reset, drm_atomic_helper_crtc_reset().
>>>
>>> The helper only allocates enough memory for the core CRTC state. That
>>> results in an out-ouf-bounds access when duplicating the initial CRTC
>>> state. Simplified backtrace shown below:
>>>
>>> [   21.469321]
>>> ==================================================================
>>> [   21.469434] BUG: KASAN: slab-out-of-bounds in
>>> ast_crtc_atomic_duplicate_state+0x84/0x100 [ast]
>>> [   21.469445] Read of size 8 at addr ffff888036c1c5f8 by task
>>> systemd-udevd/382
>>> [   21.469451]
>>> [   21.469464] CPU: 2 PID: 382 Comm: systemd-udevd Tainted:
>>> G            E     5.5.0-rc6-1-default+ #214
>>> [   21.469473] Hardware name: Sun Microsystems SUN FIRE X2270 M2/SUN
>>> FIRE X2270 M2, BIOS 2.05    07/01/2010
>>> [   21.469480] Call Trace:
>>> [   21.469501]  dump_stack+0xb8/0x110
>>> [   21.469528]  print_address_description.constprop.0+0x1b/0x1e0
>>> [   21.469557]  ? ast_crtc_atomic_duplicate_state+0x84/0x100 [ast]
>>> [   21.469581]  ? ast_crtc_atomic_duplicate_state+0x84/0x100 [ast]
>>> [   21.469597]  __kasan_report.cold+0x1a/0x35
>>> [   21.469640]  ? ast_crtc_atomic_duplicate_state+0x84/0x100 [ast]
>>> [   21.469665]  kasan_report+0xe/0x20
>>> [   21.469693]  ast_crtc_atomic_duplicate_state+0x84/0x100 [ast]
>>> [   21.469733]  drm_atomic_get_crtc_state+0xbf/0x1c0
>>> [   21.469768]  __drm_atomic_helper_set_config+0x81/0x5a0
>>> [   21.469803]  ? drm_atomic_plane_check+0x690/0x690
>>> [   21.469843]  ? drm_client_rotation+0xae/0x240
>>> [   21.469876]  drm_client_modeset_commit_atomic+0x230/0x390
>>> [   21.469888]  ? __mutex_lock+0x8f0/0xbe0
>>> [   21.469929]  ? drm_client_firmware_config.isra.0+0xa60/0xa60
>>> [   21.469948]  ? drm_client_modeset_commit_force+0x28/0x230
>>> [   21.470031]  ? memset+0x20/0x40
>>> [   21.470078]  drm_client_modeset_commit_force+0x90/0x230
>>> [   21.470110]  drm_fb_helper_restore_fbdev_mode_unlocked+0x5f/0xc0
>>> [   21.470132]  drm_fb_helper_set_par+0x59/0x70
>>> [   21.470155]  fbcon_init+0x61d/0xad0
>>> [   21.470185]  ? drm_fb_helper_restore_fbdev_mode_unlocked+0xc0/0xc0
>>> [   21.470232]  visual_init+0x187/0x240
>>> [   21.470266]  do_bind_con_driver+0x2e3/0x460
>>> [   21.470321]  do_take_over_console+0x20a/0x290
>>> [   21.470371]  do_fbcon_takeover+0x85/0x100
>>> [   21.470402]  register_framebuffer+0x2fd/0x490
>>> [   21.470425]  ? kzalloc.constprop.0+0x10/0x10
>>> [   21.470503]  __drm_fb_helper_initial_config_and_unlock+0xf2/0x140
>>> [   21.470533]  drm_fbdev_client_hotplug+0x162/0x250
>>> [   21.470563]  drm_fbdev_generic_setup+0xd2/0x155
>>> [   21.470602]  ast_driver_load+0x688/0x850 [ast]
>>> <...>
>>> [   21.472625]
>>> ==================================================================
>>>
>>> Allocating enough memory for struct ast_crtc_state in a custom ast CRTC
>>> reset handler fixes the problem.
>>>
>>> Signed-off-by: Konstantin Khlebnikov <khlebnikov at yandex-team.ru>
>>> Fixes: 83be6a3ceb11 ("drm/ast: Introduce struct ast_crtc_state")
>>> Link: https://patchwork.kernel.org/patch/11356157/
>>> Cc: Thomas Zimmermann <tzimmermann at suse.de>
>>> Cc: Daniel Vetter <daniel.vetter at ffwll.ch>
>>> ---
>>>   drivers/gpu/drm/ast/ast_mode.c |   13 ++++++++++++-
>>>   1 file changed, 12 insertions(+), 1 deletion(-)
>>>
>>> diff --git a/drivers/gpu/drm/ast/ast_mode.c
>>> b/drivers/gpu/drm/ast/ast_mode.c
>>> index cdd6c46d6557..17143e6bbfec 100644
>>> --- a/drivers/gpu/drm/ast/ast_mode.c
>>> +++ b/drivers/gpu/drm/ast/ast_mode.c
>>> @@ -918,8 +918,19 @@ static void ast_crtc_atomic_destroy_state(struct
>>> drm_crtc *crtc,
>>>       kfree(ast_state);
>>>   }
>>>   +static void ast_crtc_reset(struct drm_crtc *crtc)
>>> +{
>>> +    struct ast_crtc_state *state =
>>> +        kzalloc(sizeof(*state), GFP_KERNEL);
>>> +
>>> +    if (crtc->state)
>>> +        ast_crtc_atomic_destroy_state(crtc, crtc->state);
>>> +
>>> +    __drm_atomic_helper_crtc_reset(crtc, &state->base);
>>> +}
>>> +
>>>   static const struct drm_crtc_funcs ast_crtc_funcs = {
>>> -    .reset = drm_atomic_helper_crtc_reset,
>>> +    .reset = ast_crtc_reset,
>>>       .set_config = drm_crtc_helper_set_config,
>>>       .gamma_set = drm_atomic_helper_legacy_gamma_set,
>>>       .destroy = ast_crtc_destroy,
>>>
>>

-- 
Thomas Zimmermann
Graphics Driver Developer
SUSE Software Solutions Germany GmbH
Maxfeldstr. 5, 90409 Nürnberg, Germany
(HRB 36809, AG Nürnberg)
Geschäftsführer: Felix Imendörffer

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: OpenPGP digital signature
URL: <https://lists.freedesktop.org/archives/dri-devel/attachments/20200420/4c743614/attachment.sig>

More information about the dri-devel mailing list