lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20161021125728.GL25629@nuc-i3427.alporthouse.com>
Date:   Fri, 21 Oct 2016 13:57:28 +0100
From:   Chris Wilson <chris@...is-wilson.co.uk>
To:     Takashi Iwai <tiwai@...e.de>,
        Ville Syrjälä 
        <ville.syrjala@...ux.intel.com>, dri-devel@...ts.freedesktop.org,
        linux-kernel@...r.kernel.org,
        Noralf Trønnes <noralf@...nnes.org>,
        David Airlie <airlied@...ux.ie>
Subject: Re: [PATCH] drm/fb-helper: Don't call dirty callback for untouched
 clips

On Fri, Oct 21, 2016 at 02:30:32PM +0200, Daniel Vetter wrote:
> On Thu, Oct 20, 2016 at 05:00:35PM +0200, Takashi Iwai wrote:
> > On Thu, 20 Oct 2016 16:56:04 +0200,
> > Ville Syrjälä wrote:
> > > 
> > > On Thu, Oct 20, 2016 at 04:39:52PM +0200, Takashi Iwai wrote:
> > > > Since 4.7 kernel, we've seen the error messages like
> > > > 
> > > >  kernel: [TTM] Buffer eviction failed
> > > >  kernel: qxl 0000:00:02.0: object_init failed for (4026540032, 0x00000001)
> > > >  kernel: [drm:qxl_alloc_bo_reserved [qxl]] *ERROR* failed to allocate VRAM BO
> > > > 
> > > > on QXL when switching and accessing on VT.  The culprit was the
> > > > generic deferred_io code (qxl driver switched to it since 4.7).
> > > > There is a race between the dirty clip update and the call of
> > > > callback.
> > > > 
> > > > In drm_fb_helper_dirty(), the dirty clip is updated in the spinlock,
> > > > while it kicks off the update worker outside the spinlock.  Meanwhile
> > > > the update worker clears the dirty clip in the spinlock, too.  Thus,
> > > > when drm_fb_helper_dirty() is called concurrently, schedule_work() is
> > > > called after the clip is cleared in the first worker call.
> > > > 
> > > > This patch addresses it by validating the clip before calling the
> > > > dirty fb callback.
> > > > 
> > > > Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=98322
> > > > Bugzilla: https://bugzilla.suse.com/show_bug.cgi?id=1003298
> > > > Fixes: eaa434defaca ('drm/fb-helper: Add fb_deferred_io support')
> > > > Cc: <stable@...r.kernel.org>
> > > > Signed-off-by: Takashi Iwai <tiwai@...e.de>
> > > > ---
> > > >  drivers/gpu/drm/drm_fb_helper.c | 13 +++++++++----
> > > >  1 file changed, 9 insertions(+), 4 deletions(-)
> > > > 
> > > > diff --git a/drivers/gpu/drm/drm_fb_helper.c b/drivers/gpu/drm/drm_fb_helper.c
> > > > index 03414bde1f15..d790d205129e 100644
> > > > --- a/drivers/gpu/drm/drm_fb_helper.c
> > > > +++ b/drivers/gpu/drm/drm_fb_helper.c
> > > > @@ -636,15 +636,20 @@ static void drm_fb_helper_dirty_work(struct work_struct *work)
> > > >  						    dirty_work);
> > > >  	struct drm_clip_rect *clip = &helper->dirty_clip;
> > > >  	struct drm_clip_rect clip_copy;
> > > > +	bool dirty;
> > > >  	unsigned long flags;
> > > >  
> > > >  	spin_lock_irqsave(&helper->dirty_lock, flags);
> > > > -	clip_copy = *clip;
> > > > -	clip->x1 = clip->y1 = ~0;
> > > > -	clip->x2 = clip->y2 = 0;
> > > > +	dirty = (clip->x1 < clip->x2 && clip->y1 < clip->y2);
> > > > +	if (dirty) {
> > > > +		clip_copy = *clip;
> > > > +		clip->x1 = clip->y1 = ~0;
> > > > +		clip->x2 = clip->y2 = 0;
> > > > +	}
> > > >  	spin_unlock_irqrestore(&helper->dirty_lock, flags);
> > > >  
> > > > -	helper->fb->funcs->dirty(helper->fb, NULL, 0, 0, &clip_copy, 1);
> > > > +	if (dirty)
> > > 
> > > Could do it the other way too, ie. just make the copy, and then check the
> > > copy (can be done after dropping the lock even). Would avoid having to
> > > add the 'dirty' variable.
> > 
> > Sounds good.  Let me try...
> 
> Another thing: How do we prevent userspace from doing the same, i.e.
> submitting an empty rectangle? Do we need to patch up
> drm_mode_dirtyfb_ioctl too? Not much point if we fix this bug in the fb
> helpers and leave the barn door wide open for userspace to oops drivers
> ;-)

I think of a use for sending an empty clip: where you don't want to
push any new pixel data, but you do want to be sure that the pipeline
has been flushed.

The change I would suggest here would be

	dirty = clip->x1 <= clip->x2 && clip->y1 <= clip->y2

as the bug is not the empty rectangle but the invalid one. However, that
may be overkill, and none of the backends care about the empty rect!

But, indeed, we do not validate the incoming dirtyfb either.

diff --git a/drivers/gpu/drm/drm_framebuffer.c b/drivers/gpu/drm/drm_framebuffer.c
index 49fd7db758e0..ada6a5517945 100644
--- a/drivers/gpu/drm/drm_framebuffer.c
+++ b/drivers/gpu/drm/drm_framebuffer.c
@@ -504,10 +504,13 @@ int drm_mode_dirtyfb_ioctl(struct drm_device *dev,
        }
 
        if (num_clips && clips_ptr) {
+               int i;
+
                if (num_clips < 0 || num_clips > DRM_MODE_FB_DIRTY_MAX_CLIPS) {
                        ret = -EINVAL;
                        goto out_err1;
                }
+
                clips = kcalloc(num_clips, sizeof(*clips), GFP_KERNEL);
                if (!clips) {
                        ret = -ENOMEM;
@@ -520,6 +523,14 @@ int drm_mode_dirtyfb_ioctl(struct drm_device *dev,
                        ret = -EFAULT;
                        goto out_err2;
                }
+
+               for (i = 0; i < num_clips; i++) {
+                       if (clips[i].x2 < clips[i].x1 ||
+                           clips[i].y2 < clips[i].y1) {
+                               ret = -EINVAL;
+                               goto out_err2;
+                       }
+               }
        }
 
        if (fb->funcs->dirty) 


-- 
Chris Wilson, Intel Open Source Technology Centre

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ