* [syzbot] [dri?] divide error in drm_mode_debug_printmodeline
From: syzbot @ 2023-11-15 9:34 UTC (permalink / raw)
To: airlied, airlied, daniel.vetter, daniel.vetter, daniel,
dri-devel, linux-kernel, maarten.lankhorst, melissa.srw, mripard,
syzkaller-bugs, tzimmermann
Hello,
syzbot found the following issue on:
HEAD commit: ac347a0655db Merge tag 'arm64-fixes' of git://git.kernel.o..
git tree: upstream
console+strace: https://syzkaller.appspot.com/x/log.txt?x=101ba588e80000
kernel config: https://syzkaller.appspot.com/x/.config?x=88e7ba51eecd9cd6
dashboard link: https://syzkaller.appspot.com/bug?extid=2e93e6fb36e6fdc56574
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=11252f97680000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=10fd2498e80000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/8fcb90d89768/disk-ac347a06.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/360d9341a71c/vmlinux-ac347a06.xz
kernel image: https://storage.googleapis.com/syzbot-assets/a370aa406c63/bzImage-ac347a06.xz
The issue was bisected to:
commit ea40d7857d5250e5400f38c69ef9e17321e9c4a2
Author: Daniel Vetter <daniel.vetter@ffwll.ch>
Date: Fri Oct 9 23:21:56 2020 +0000
drm/vkms: fbdev emulation support
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=1058223f680000
final oops: https://syzkaller.appspot.com/x/report.txt?x=1258223f680000
console output: https://syzkaller.appspot.com/x/log.txt?x=1458223f680000
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+2e93e6fb36e6fdc56574@syzkaller.appspotmail.com
Fixes: ea40d7857d52 ("drm/vkms: fbdev emulation support")
divide error: 0000 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 5068 Comm: syz-executor357 Not tainted 6.6.0-syzkaller-16039-gac347a0655db #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/09/2023
RIP: 0010:drm_mode_vrefresh drivers/gpu/drm/drm_modes.c:1303 [inline]
RIP: 0010:drm_mode_debug_printmodeline+0x118/0x4e0 drivers/gpu/drm/drm_modes.c:60
Code: 00 41 0f b7 07 66 83 f8 02 b9 01 00 00 00 0f 43 c8 0f b7 c1 0f af e8 44 89 f0 48 69 c8 e8 03 00 00 89 e8 d1 e8 48 01 c8 31 d2 <48> f7 f5 49 89 c6 eb 0c e8 fb 07 66 fc eb 05 e8 f4 07 66 fc 48 89
RSP: 0018:ffffc9000391f8d0 EFLAGS: 00010246
RAX: 000000000001f400 RBX: ffff888025045000 RCX: 000000000001f400
RDX: 0000000000000000 RSI: 0000000000008000 RDI: ffff888025045018
RBP: 0000000000000000 R08: ffffffff8528b9af R09: 0000000000000000
R10: ffffc9000391f8a0 R11: fffff52000723f17 R12: 0000000000000080
R13: dffffc0000000000 R14: 0000000000000080 R15: ffff888025045016
FS: 0000555556932380(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000005fdeb8 CR3: 000000007fcff000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
drm_mode_setcrtc+0x83b/0x1880 drivers/gpu/drm/drm_crtc.c:794
drm_ioctl_kernel+0x362/0x500 drivers/gpu/drm/drm_ioctl.c:792
drm_ioctl+0x636/0xb00 drivers/gpu/drm/drm_ioctl.c:895
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:871 [inline]
__se_sys_ioctl+0xf8/0x170 fs/ioctl.c:857
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x44/0x110 arch/x86/entry/common.c:82
entry_SYSCALL_64_after_hwframe+0x63/0x6b
RIP: 0033:0x7f6c63dd6729
Code: 48 83 c4 28 c3 e8 37 17 00 00 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffcde0dd0e8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007ffcde0dd2b8 RCX: 00007f6c63dd6729
RDX: 0000000020000180 RSI: 00000000c06864a2 RDI: 0000000000000003
RBP: 00007f6c63e49610 R08: 00000000fffff4e6 R09: 00007ffcde0dd2b8
R10: 0000000000000003 R11: 0000000000000246 R12: 0000000000000001
R13: 00007ffcde0dd2a8 R14: 0000000000000001 R15: 0000000000000001
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:drm_mode_vrefresh drivers/gpu/drm/drm_modes.c:1303 [inline]
RIP: 0010:drm_mode_debug_printmodeline+0x118/0x4e0 drivers/gpu/drm/drm_modes.c:60
Code: 00 41 0f b7 07 66 83 f8 02 b9 01 00 00 00 0f 43 c8 0f b7 c1 0f af e8 44 89 f0 48 69 c8 e8 03 00 00 89 e8 d1 e8 48 01 c8 31 d2 <48> f7 f5 49 89 c6 eb 0c e8 fb 07 66 fc eb 05 e8 f4 07 66 fc 48 89
RSP: 0018:ffffc9000391f8d0 EFLAGS: 00010246
RAX: 000000000001f400 RBX: ffff888025045000 RCX: 000000000001f400
RDX: 0000000000000000 RSI: 0000000000008000 RDI: ffff888025045018
RBP: 0000000000000000 R08: ffffffff8528b9af R09: 0000000000000000
R10: ffffc9000391f8a0 R11: fffff52000723f17 R12: 0000000000000080
R13: dffffc0000000000 R14: 0000000000000080 R15: ffff888025045016
FS: 0000555556932380(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000000064392c CR3: 000000007fcff000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
0: 00 41 0f add %al,0xf(%rcx)
3: b7 07 mov $0x7,%bh
5: 66 83 f8 02 cmp $0x2,%ax
9: b9 01 00 00 00 mov $0x1,%ecx
e: 0f 43 c8 cmovae %eax,%ecx
11: 0f b7 c1 movzwl %cx,%eax
14: 0f af e8 imul %eax,%ebp
17: 44 89 f0 mov %r14d,%eax
1a: 48 69 c8 e8 03 00 00 imul $0x3e8,%rax,%rcx
21: 89 e8 mov %ebp,%eax
23: d1 e8 shr %eax
25: 48 01 c8 add %rcx,%rax
28: 31 d2 xor %edx,%edx
* 2a: 48 f7 f5 div %rbp <-- trapping instruction
2d: 49 89 c6 mov %rax,%r14
30: eb 0c jmp 0x3e
32: e8 fb 07 66 fc call 0xfc660832
37: eb 05 jmp 0x3e
39: e8 f4 07 66 fc call 0xfc660832
3e: 48 rex.W
3f: 89 .byte 0x89
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
* Re: [syzbot] [PATCH] test divide error in drm_mode_debug_printmodeline
From: syzbot @ 2023-11-16 0:52 UTC (permalink / raw)
To: linux-kernel
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org.
***
Subject: [PATCH] test divide error in drm_mode_debug_printmodeline
Author: lizhi.xu@windriver.com
#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git ac347a0655db
diff --git a/include/drm/drm_modes.h b/include/drm/drm_modes.h
index c613f0abe9dc..19e37e92dfaf 100644
--- a/include/drm/drm_modes.h
+++ b/include/drm/drm_modes.h
@@ -422,7 +422,7 @@ struct drm_display_mode {
/**
* DRM_MODE_FMT - printf string for &struct drm_display_mode
*/
-#define DRM_MODE_FMT "\"%s\": %d %d %d %d %d %d %d %d %d %d 0x%x 0x%x"
+#define DRM_MODE_FMT "\"%s\": %llu %d %d %d %d %d %d %d %d %d 0x%x 0x%x"
/**
* DRM_MODE_ARG - printf arguments for &struct drm_display_mode
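Review bot: %llu does not match the only value this patch widens, the long that drm_mode_vrefresh() returns two hunks down (the matching specifier would be %ld), and on 32-bit targets a long is 4 bytes while %llu consumes 8, so every argument after it is read from the wrong slot. A refresh rate in Hz fits the original %d; this hunk is not needed for the divide-error fix.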
@@ -526,7 +526,7 @@ static inline int of_get_drm_panel_display_mode(struct device_node *np,
#endif
void drm_mode_set_name(struct drm_display_mode *mode);
-int drm_mode_vrefresh(const struct drm_display_mode *mode);
+long drm_mode_vrefresh(const struct drm_display_mode *mode);
void drm_mode_get_hv_timing(const struct drm_display_mode *mode,
int *hdisplay, int *vdisplay);
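Review bot: the return type is not where the wrap happens, and changing the exported prototype to long alters the signature for every caller that keeps the result in an int. A refresh rate in Hz always fits an int; keep `int drm_mode_vrefresh(...)` and widen only the intermediate arithmetic in drm_modes.c.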
diff --git a/drivers/gpu/drm/drm_modes.c b/drivers/gpu/drm/drm_modes.c
index ac9a406250c5..6f376001728c 100644
--- a/drivers/gpu/drm/drm_modes.c
+++ b/drivers/gpu/drm/drm_modes.c
@@ -1283,9 +1283,9 @@ EXPORT_SYMBOL(drm_mode_set_name);
* @modes's vrefresh rate in Hz, rounded to the nearest integer. Calculates the
* value first if it is not yet set.
*/
-int drm_mode_vrefresh(const struct drm_display_mode *mode)
+long drm_mode_vrefresh(const struct drm_display_mode *mode)
{
- unsigned int num, den;
+ unsigned long num, den;
if (mode->htotal == 0 || mode->vtotal == 0)
return 0;
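Review bot: unsigned long is still 32 bits on 32-bit architectures (i386, 32-bit ARM), so `den *= 2` and `den *= mode->vscan` can wrap there exactly as before; u64 for den is the portable choice, or guard the multiply with check_mul_overflow(). The hunk also stops before the line that initialises den, so this diff does not show whether that first product is still computed in 32-bit arithmetic before being assigned to the wider variable, which would leave the wrap in place even on 64-bit. With num widened, the unchanged `mul_u32_u32(num, 1000)` in the return statement truncates num back to u32.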
* Re: [syzbot]
From: syzbot @ 2023-11-16 2:33 UTC (permalink / raw)
To: linux-kernel, syzkaller-bugs
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.
***
Subject:
Author: mazinalhaddad05@gmail.com
#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
master
* Re: [syzbot]
From: syzbot @ 2023-11-16 3:29 UTC (permalink / raw)
To: linux-kernel, syzkaller-bugs
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.
***
Subject:
Author: mazinalhaddad05@gmail.com
#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
master
* Re: [syzbot] [PATCH] Test divide err in drm
From: syzbot @ 2023-11-18 3:42 UTC (permalink / raw)
To: linux-kernel
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org.
***
Subject: [PATCH] Test divide err in drm
Author: eadavis@qq.com
please test divide err in drm
#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 888cf78c29e2
diff --git a/drivers/gpu/drm/drm_modes.c b/drivers/gpu/drm/drm_modes.c
index ac9a406250c5..e3f05539f704 100644
--- a/drivers/gpu/drm/drm_modes.c
+++ b/drivers/gpu/drm/drm_modes.c
@@ -1283,9 +1283,9 @@ EXPORT_SYMBOL(drm_mode_set_name);
* @modes's vrefresh rate in Hz, rounded to the nearest integer. Calculates the
* value first if it is not yet set.
*/
-int drm_mode_vrefresh(const struct drm_display_mode *mode)
+long drm_mode_vrefresh(const struct drm_display_mode *mode)
{
- unsigned int num, den;
+ unsigned long num, den;
if (mode->htotal == 0 || mode->vtotal == 0)
return 0;
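Review bot: widening num and den to unsigned long only helps on 64-bit; on i386 and 32-bit ARM the type is still 32 bits and `den *= mode->vscan` wraps as before. Use u64 for den (the worst case htotal * vtotal * 2 * vscan is about 2^48) so the divisor can never become zero once htotal and vtotal are non-zero. Note also that `mul_u32_u32(num, 1000)` in the return statement below truncates the widened num back to 32 bits.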
@@ -1300,6 +1300,8 @@ int drm_mode_vrefresh(const struct drm_display_mode *mode)
if (mode->vscan > 1)
den *= mode->vscan;
+ printk("mode: %p, ht: %llu, vt: %llu, c: %llu, vsc: %llu, den: %llu, num: %llu, %s",
+ mode, mode->htotal, mode->vtotal, mode->clock, mode->vscan, den, num, __func__);
return DIV_ROUND_CLOSEST_ULL(mul_u32_u32(num, 1000), den);
}
EXPORT_SYMBOL(drm_mode_vrefresh);
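Review bot: the printk formats mode->htotal, mode->vtotal, mode->clock and mode->vscan with %llu although none of them is 64-bit (the trapping code in the report loads vscan with a 16-bit movzwl), so the output is garbage and -Wformat will warn; the message also carries no log level and no trailing newline, and it fires on every modeset. For a throwaway test it can stay, but use matching %u/%d/%lu and pr_debug(), and keep it out of the real fix.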
diff --git a/include/drm/drm_modes.h b/include/drm/drm_modes.h
index c613f0abe9dc..19e37e92dfaf 100644
--- a/include/drm/drm_modes.h
+++ b/include/drm/drm_modes.h
@@ -422,7 +422,7 @@ struct drm_display_mode {
/**
* DRM_MODE_FMT - printf string for &struct drm_display_mode
*/
-#define DRM_MODE_FMT "\"%s\": %d %d %d %d %d %d %d %d %d %d 0x%x 0x%x"
+#define DRM_MODE_FMT "\"%s\": %llu %d %d %d %d %d %d %d %d %d 0x%x 0x%x"
/**
* DRM_MODE_ARG - printf arguments for &struct drm_display_mode
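Review bot: %llu paired with a long return value is a format mismatch (%ld matches), and on 32-bit targets it reads 8 bytes for a 4-byte argument, shifting every later argument. The original %d already covers any realistic refresh rate; drop this hunk.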
@@ -526,7 +526,7 @@ static inline int of_get_drm_panel_display_mode(struct device_node *np,
#endif
void drm_mode_set_name(struct drm_display_mode *mode);
-int drm_mode_vrefresh(const struct drm_display_mode *mode);
+long drm_mode_vrefresh(const struct drm_display_mode *mode);
void drm_mode_get_hv_timing(const struct drm_display_mode *mode,
int *hdisplay, int *vdisplay);
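Review bot: changing the exported return type to long is unnecessary for this fix; the wrap is in the intermediate den, not in the result, and callers store the result in an int. Leave the prototype alone.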
* Re: [syzbot] [PATCH] Test divide err in drm
From: syzbot @ 2023-11-18 6:44 UTC (permalink / raw)
To: linux-kernel
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org.
***
Subject: [PATCH] Test divide err in drm
Author: eadavis@qq.com
please test divide err in drm
#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git ac347a0655db
diff --git a/drivers/gpu/drm/drm_modes.c b/drivers/gpu/drm/drm_modes.c
index ac9a406250c5..0b0dd1c7b217 100644
--- a/drivers/gpu/drm/drm_modes.c
+++ b/drivers/gpu/drm/drm_modes.c
@@ -1285,7 +1285,7 @@ EXPORT_SYMBOL(drm_mode_set_name);
*/
int drm_mode_vrefresh(const struct drm_display_mode *mode)
{
- unsigned int num, den;
+ unsigned int num, den, n1k;
if (mode->htotal == 0 || mode->vtotal == 0)
return 0;
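Review bot: n1k is declared unsigned int but is assigned `mul_u32_u32(num, 1000)` in the next hunk, which returns u64; the assignment silently drops the upper 32 bits, so the comparison it feeds is made against a truncated value. Declare it u64 if it is kept.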
@@ -1297,9 +1297,14 @@ int drm_mode_vrefresh(const struct drm_display_mode *mode)
num *= 2;
if (mode->flags & DRM_MODE_FLAG_DBLSCAN)
den *= 2;
- if (mode->vscan > 1)
- den *= mode->vscan;
+ if (mode->vscan > 1) {
+ n1k = mul_u32_u32(num, 1000);
+ if (den < n1k)
+ den *= mode->vscan;
+ }
+ printk("mode: %p, ht: %d, vt: %d, c: %d, vsc: %d, den: %ld, num: %ld, n1k: %ld, %s",
+ mode, mode->htotal, mode->vtotal, mode->clock, mode->vscan, den, num, n1k, __func__);
return DIV_ROUND_CLOSEST_ULL(mul_u32_u32(num, 1000), den);
}
EXPORT_SYMBOL(drm_mode_vrefresh);
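Review bot: `den < n1k` does not bound `den * mode->vscan`: den can be just below num * 1000, which is a large value, and still wrap when multiplied by a 16-bit vscan, so the divide error is moved rather than removed. When the condition is false the multiply is skipped and the function quietly returns a refresh rate vscan times too high. The printk uses %ld for unsigned int arguments, and the unchanged return line recomputes the same division in any case.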
* Re: [syzbot] [PATCH] Test divide err in drm
From: syzbot @ 2023-11-18 10:29 UTC (permalink / raw)
To: linux-kernel
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org.
***
Subject: [PATCH] Test divide err in drm
Author: eadavis@qq.com
please test divide err in drm
#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git ac347a0655db
diff --git a/drivers/gpu/drm/drm_modes.c b/drivers/gpu/drm/drm_modes.c
index ac9a406250c5..ca481c7f23e1 100644
--- a/drivers/gpu/drm/drm_modes.c
+++ b/drivers/gpu/drm/drm_modes.c
@@ -1285,7 +1285,8 @@ EXPORT_SYMBOL(drm_mode_set_name);
*/
int drm_mode_vrefresh(const struct drm_display_mode *mode)
{
- unsigned int num, den;
+ unsigned int num, den, n1k;
+ int ret;
if (mode->htotal == 0 || mode->vtotal == 0)
return 0;
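Review bot: ret is computed only to be printed; the return statement in the next hunk evaluates the same expression a second time. If the value is worth logging, `return ret;`.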
@@ -1297,9 +1298,15 @@ int drm_mode_vrefresh(const struct drm_display_mode *mode)
num *= 2;
if (mode->flags & DRM_MODE_FLAG_DBLSCAN)
den *= 2;
- if (mode->vscan > 1)
- den *= mode->vscan;
+ if (mode->vscan > 1) {
+ n1k = mul_u32_u32(num, 1000);
+ if (den < n1k)
+ den *= mode->vscan;
+ }
+ ret = DIV_ROUND_CLOSEST_ULL(mul_u32_u32(num, 1000), den);
+ printk("mode: %p, ht: %d, vt: %d, c: %d, vsc: %d, den: %ld, num: %ld, n1k: %ld, %d, %s",
+ mode, mode->htotal, mode->vtotal, mode->clock, mode->vscan, den, num, n1k, ret, __func__);
return DIV_ROUND_CLOSEST_ULL(mul_u32_u32(num, 1000), den);
}
EXPORT_SYMBOL(drm_mode_vrefresh);
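Review bot: comparing den with num * 1000 still says nothing about whether `den * mode->vscan` fits in 32 bits, so the wrap that produced the zero divisor in the report (RBP = 0 at the trapping `div %rbp`) is still reachable, and when the comparison fails the vscan factor is simply dropped and the result is wrong. `check_mul_overflow(den, mode->vscan, &den)` expresses the intended test directly. The %ld specifiers do not match the unsigned int arguments.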
* Re: [syzbot] [PATCH] Test divide err in drm
From: syzbot @ 2023-11-18 11:59 UTC (permalink / raw)
To: linux-kernel
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org.
***
Subject: [PATCH] Test divide err in drm
Author: eadavis@qq.com
please test divide err in drm
#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git ac347a0655db
diff --git a/drivers/gpu/drm/drm_modes.c b/drivers/gpu/drm/drm_modes.c
index ac9a406250c5..539aa26cfc72 100644
--- a/drivers/gpu/drm/drm_modes.c
+++ b/drivers/gpu/drm/drm_modes.c
@@ -1285,7 +1285,8 @@ EXPORT_SYMBOL(drm_mode_set_name);
*/
int drm_mode_vrefresh(const struct drm_display_mode *mode)
{
- unsigned int num, den;
+ unsigned int num, den, n1k;
+ int ret;
if (mode->htotal == 0 || mode->vtotal == 0)
return 0;
@@ -1297,9 +1298,17 @@ int drm_mode_vrefresh(const struct drm_display_mode *mode)
num *= 2;
if (mode->flags & DRM_MODE_FLAG_DBLSCAN)
den *= 2;
- if (mode->vscan > 1)
- den *= mode->vscan;
+ n1k = mul_u32_u32(num, 1000);
+ if (mode->vscan > 1) {
+ if (den < n1k)
+ den *= mode->vscan;
+ }
+ if (den < n1k)
+ den = n1k + 1;
+ ret = DIV_ROUND_CLOSEST_ULL(mul_u32_u32(num, 1000), den);
+ printk("mode: %p, ht: %d, vt: %d, c: %d, vsc: %d, den: %ld, num: %ld, n1k: %ld, %d, %s",
+ mode, mode->htotal, mode->vtotal, mode->clock, mode->vscan, den, num, n1k, ret, __func__);
return DIV_ROUND_CLOSEST_ULL(mul_u32_u32(num, 1000), den);
}
EXPORT_SYMBOL(drm_mode_vrefresh);
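Review bot: `den < n1k` is true for every mode whose refresh rate exceeds 1 Hz (it is just htotal * vtotal < clock * 1000), so `if (den < n1k) den = n1k + 1;` replaces the real divisor for essentially all modes: a normal 1080p60 timing (clock 148500, htotal 2200, vtotal 1125) now yields (148500000 + 74250000) / 148500001, which rounds to 1. The divide error disappears only because the result has become meaningless, and the wrap in `den *= mode->vscan` is still there before the clamp. Guard the multiply instead of rewriting its result.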
* Re: [syzbot] [PATCH] Test divide err in drm
From: syzbot @ 2023-11-19 1:31 UTC (permalink / raw)
To: linux-kernel
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org.
***
Subject: [PATCH] Test divide err in drm
Author: eadavis@qq.com
please test divide err in drm
#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git ac347a0655db
diff --git a/drivers/gpu/drm/drm_modes.c b/drivers/gpu/drm/drm_modes.c
index ac9a406250c5..1a3e8f3c1ece 100644
--- a/drivers/gpu/drm/drm_modes.c
+++ b/drivers/gpu/drm/drm_modes.c
@@ -36,6 +36,7 @@
#include <linux/list.h>
#include <linux/list_sort.h>
#include <linux/of.h>
+#include <linux/log2.h>
#include <video/of_display_timing.h>
#include <video/of_videomode.h>
@@ -1297,8 +1298,12 @@ int drm_mode_vrefresh(const struct drm_display_mode *mode)
num *= 2;
if (mode->flags & DRM_MODE_FLAG_DBLSCAN)
den *= 2;
- if (mode->vscan > 1)
+ if (mode->vscan > 1) {
+ printk("%d, %d, %s\n", ilog2(den), ilog2(mode->vscan), __func__);
+ if (ilog2(den) + ilog2(mode->vscan) >= 32)
+ return -EINVAL;
den *= mode->vscan;
+ }
return DIV_ROUND_CLOSEST_ULL(mul_u32_u32(num, 1000), den);
}
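Review bot: ilog2() floors, so `ilog2(den) + ilog2(mode->vscan)` can be 31 while den * vscan still exceeds 2^32 and wraps to a wrong non-zero divisor; the check stops the zero divisor but not incorrect results. Returning -EINVAL from drm_mode_vrefresh() hands a negative refresh rate to callers that never check for one. The printk, with no log level, should not survive into a real patch.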
* [PATCH] drm/modes: Fix divide error in drm_mode_debug_printmodeline
From: Edward Adam Davis @ 2023-11-19 2:24 UTC (permalink / raw)
To: syzbot+2e93e6fb36e6fdc56574
Cc: tzimmermann, airlied, daniel.vetter, linux-kernel, dri-devel,
melissa.srw, mripard, daniel.vetter, syzkaller-bugs
[Syz Log]
divide error: 0000 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 5068 Comm: syz-executor357 Not tainted 6.6.0-syzkaller-16039-gac347a0655db #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/09/2023
RIP: 0010:drm_mode_vrefresh drivers/gpu/drm/drm_modes.c:1303 [inline]
RIP: 0010:drm_mode_debug_printmodeline+0x118/0x4e0 drivers/gpu/drm/drm_modes.c:60
Code: 00 41 0f b7 07 66 83 f8 02 b9 01 00 00 00 0f 43 c8 0f b7 c1 0f af e8 44 89 f0 48 69 c8 e8 03 00 00 89 e8 d1 e8 48 01 c8 31 d2 <48> f7 f5 49 89 c6 eb 0c e8 fb 07 66 fc eb 05 e8 f4 07 66 fc 48 89
RSP: 0018:ffffc9000391f8d0 EFLAGS: 00010246
RAX: 000000000001f400 RBX: ffff888025045000 RCX: 000000000001f400
RDX: 0000000000000000 RSI: 0000000000008000 RDI: ffff888025045018
RBP: 0000000000000000 R08: ffffffff8528b9af R09: 0000000000000000
R10: ffffc9000391f8a0 R11: fffff52000723f17 R12: 0000000000000080
R13: dffffc0000000000 R14: 0000000000000080 R15: ffff888025045016
FS: 0000555556932380(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000005fdeb8 CR3: 000000007fcff000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
drm_mode_setcrtc+0x83b/0x1880 drivers/gpu/drm/drm_crtc.c:794
drm_ioctl_kernel+0x362/0x500 drivers/gpu/drm/drm_ioctl.c:792
drm_ioctl+0x636/0xb00 drivers/gpu/drm/drm_ioctl.c:895
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:871 [inline]
__se_sys_ioctl+0xf8/0x170 fs/ioctl.c:857
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x44/0x110 arch/x86/entry/common.c:82
entry_SYSCALL_64_after_hwframe+0x63/0x6b
[Analysis]
When calculating den in drm_mode_vrefresh(), if the vscan value is too large,
there is a probability of unsigned integer overflow.
[Fix]
Before multiplying by vscan, first determine their ilog2. When their total
exceeds 32, return -EINVAL and exit the subsequent calculation.
Reported-and-tested-by: syzbot+2e93e6fb36e6fdc56574@syzkaller.appspotmail.com
Fixes: ea40d7857d52 ("drm/vkms: fbdev emulation support")
Signed-off-by: Edward Adam Davis <eadavis@qq.com>
---
drivers/gpu/drm/drm_modes.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/drm_modes.c b/drivers/gpu/drm/drm_modes.c
index ac9a406250c5..c7ec1ab041f8 100644
--- a/drivers/gpu/drm/drm_modes.c
+++ b/drivers/gpu/drm/drm_modes.c
@@ -36,6 +36,7 @@
#include <linux/list.h>
#include <linux/list_sort.h>
#include <linux/of.h>
+#include <linux/log2.h>
#include <video/of_display_timing.h>
#include <video/of_videomode.h>
@@ -1297,8 +1298,11 @@ int drm_mode_vrefresh(const struct drm_display_mode *mode)
num *= 2;
if (mode->flags & DRM_MODE_FLAG_DBLSCAN)
den *= 2;
- if (mode->vscan > 1)
+ if (mode->vscan > 1) {
+ if (ilog2(den) + ilog2(mode->vscan) >= 32)
+ return -EINVAL;
den *= mode->vscan;
+ }
return DIV_ROUND_CLOSEST_ULL(mul_u32_u32(num, 1000), den);
}
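Review bot: the ilog2() test is too coarse to be an overflow check. ilog2() floors, so den = 131071 (ilog2 16) with vscan = 65535 (ilog2 15) passes as 31 < 32, yet the product 8589737985 exceeds 2^32 and wraps to a wrong non-zero divisor. A product that is an exact multiple of 2^32 always trips the test (both operands together must carry at least 32 factors of two), which is why the reproducer stops crashing, but silent wrong results are not prevented. `check_mul_overflow(den, mode->vscan, &den)` is the exact test; and since callers treat the result as a refresh rate in Hz and do not handle a negative value, either widen den to u64 so the product cannot wrap, or return 0 as the htotal == 0 / vtotal == 0 path already does.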
--
2.25.1
* Re: [PATCH] drm/modes: Fix divide error in drm_mode_debug_printmodeline
From: Jani Nikula @ 2023-11-20 11:31 UTC (permalink / raw)
To: Edward Adam Davis, syzbot+2e93e6fb36e6fdc56574
Cc: tzimmermann, airlied, daniel.vetter, linux-kernel, dri-devel,
melissa.srw, mripard, daniel.vetter, syzkaller-bugs
On Sun, 19 Nov 2023, Edward Adam Davis <eadavis@qq.com> wrote:
> [Syz Log]
> divide error: 0000 [#1] PREEMPT SMP KASAN
> CPU: 0 PID: 5068 Comm: syz-executor357 Not tainted 6.6.0-syzkaller-16039-gac347a0655db #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/09/2023
> RIP: 0010:drm_mode_vrefresh drivers/gpu/drm/drm_modes.c:1303 [inline]
> RIP: 0010:drm_mode_debug_printmodeline+0x118/0x4e0 drivers/gpu/drm/drm_modes.c:60
> Code: 00 41 0f b7 07 66 83 f8 02 b9 01 00 00 00 0f 43 c8 0f b7 c1 0f af e8 44 89 f0 48 69 c8 e8 03 00 00 89 e8 d1 e8 48 01 c8 31 d2 <48> f7 f5 49 89 c6 eb 0c e8 fb 07 66 fc eb 05 e8 f4 07 66 fc 48 89
> RSP: 0018:ffffc9000391f8d0 EFLAGS: 00010246
> RAX: 000000000001f400 RBX: ffff888025045000 RCX: 000000000001f400
> RDX: 0000000000000000 RSI: 0000000000008000 RDI: ffff888025045018
> RBP: 0000000000000000 R08: ffffffff8528b9af R09: 0000000000000000
> R10: ffffc9000391f8a0 R11: fffff52000723f17 R12: 0000000000000080
> R13: dffffc0000000000 R14: 0000000000000080 R15: ffff888025045016
> FS: 0000555556932380(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 00000000005fdeb8 CR3: 000000007fcff000 CR4: 00000000003506f0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> Call Trace:
> <TASK>
> drm_mode_setcrtc+0x83b/0x1880 drivers/gpu/drm/drm_crtc.c:794
> drm_ioctl_kernel+0x362/0x500 drivers/gpu/drm/drm_ioctl.c:792
> drm_ioctl+0x636/0xb00 drivers/gpu/drm/drm_ioctl.c:895
> vfs_ioctl fs/ioctl.c:51 [inline]
> __do_sys_ioctl fs/ioctl.c:871 [inline]
> __se_sys_ioctl+0xf8/0x170 fs/ioctl.c:857
> do_syscall_x64 arch/x86/entry/common.c:51 [inline]
> do_syscall_64+0x44/0x110 arch/x86/entry/common.c:82
> entry_SYSCALL_64_after_hwframe+0x63/0x6b
>
> [Analysis]
> When calculating den in drm_mode_vrefresh(), if the vscan value is too large,
> there is a probability of unsigned integer overflow.
>
> [Fix]
> Before multiplying by vscan, first determine their ilog2. When their total
> exceeds 32, return -EINVAL and exit the subsequent calculation.
>
> Reported-and-tested-by: syzbot+2e93e6fb36e6fdc56574@syzkaller.appspotmail.com
> Fixes: ea40d7857d52 ("drm/vkms: fbdev emulation support")
> Signed-off-by: Edward Adam Davis <eadavis@qq.com>
> ---
> drivers/gpu/drm/drm_modes.c | 6 +++++-
> 1 file changed, 5 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/gpu/drm/drm_modes.c b/drivers/gpu/drm/drm_modes.c
> index ac9a406250c5..c7ec1ab041f8 100644
> --- a/drivers/gpu/drm/drm_modes.c
> +++ b/drivers/gpu/drm/drm_modes.c
> @@ -36,6 +36,7 @@
> #include <linux/list.h>
> #include <linux/list_sort.h>
> #include <linux/of.h>
> +#include <linux/log2.h>
>
> #include <video/of_display_timing.h>
> #include <video/of_videomode.h>
> @@ -1297,8 +1298,11 @@ int drm_mode_vrefresh(const struct drm_display_mode *mode)
> num *= 2;
> if (mode->flags & DRM_MODE_FLAG_DBLSCAN)
> den *= 2;
> - if (mode->vscan > 1)
> + if (mode->vscan > 1) {
> + if (ilog2(den) + ilog2(mode->vscan) >= 32)
For future reference, check_mul_overflow() is the way to handle this.
> + return -EINVAL;
Just so there's no confusion: NAK.
I'd be surprised if there were even a single place in the kernel where
someone checks drm_mode_vrefresh() for a negative error return.
This function must succeed.
Please change the types as needed instead.
BR,
Jani.
> den *= mode->vscan;
> + }
>
> return DIV_ROUND_CLOSEST_ULL(mul_u32_u32(num, 1000), den);
> }
--
Jani Nikula, Intel
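The wrap described in the [Analysis] above and the type widening Jani asks for, modelled in user space as an added example (this is example code written for this page, not the kernel's drm_modes.c and not any of the patches in the thread). vrefresh_u32() mirrors the 32-bit arithmetic of the unpatched function, returning -1 where the kernel would take the divide error; vrefresh_u64() computes den in 64 bits so the divisor can never reach zero once htotal and vtotal are non-zero. The struct mode, the two flag constants and the timings are constructed for the example; the 32768 x 32768, vscan = 4 timing is chosen because it makes den exactly 2^32, which is zero in 32 bits and matches the RBP = 0 divisor at the trapping `div %rbp` in the report, and is not taken from the syzkaller reproducer.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for the fields of struct drm_display_mode that
 * drm_mode_vrefresh() reads; the real struct has many more members. */
struct mode {
	int clock;		/* pixel clock in kHz */
	uint16_t htotal;
	uint16_t vtotal;
	uint16_t vscan;
	unsigned int flags;
};

/* Example flag bits standing in for DRM_MODE_FLAG_INTERLACE/DBLSCAN. */
#define MODE_FLAG_INTERLACE (1u << 4)
#define MODE_FLAG_DBLSCAN   (1u << 5)

/* Round-half-up division, as DIV_ROUND_CLOSEST_ULL does in drm_modes.c. */
static uint64_t div_round_closest_ull(uint64_t x, uint64_t d)
{
	return (x + d / 2) / d;
}

/*
 * Same arithmetic as the unpatched function: num and den are 32-bit, so
 * den = htotal * vtotal * 2 * vscan is reduced modulo 2^32 and can become 0.
 * Returns -1 where the kernel would divide by zero (#DE, the oops above).
 */
static long vrefresh_u32(const struct mode *m)
{
	unsigned int num, den;

	if (m->htotal == 0 || m->vtotal == 0)
		return 0;

	num = m->clock;
	den = (unsigned int)m->htotal * m->vtotal;	/* cast avoids signed overflow UB */

	if (m->flags & MODE_FLAG_INTERLACE)
		num *= 2;
	if (m->flags & MODE_FLAG_DBLSCAN)
		den *= 2;
	if (m->vscan > 1)
		den *= m->vscan;		/* wraps for large htotal * vtotal * vscan */

	if (den == 0)
		return -1;		/* kernel: divide error */
	return (long)div_round_closest_ull((uint64_t)num * 1000, den);
}

/*
 * Widened variant: den is 64-bit, so the worst case 65535 * 65535 * 2 * 65535
 * (about 2^48) cannot wrap. Illustrative only, not the patch that was merged.
 */
static unsigned int vrefresh_u64(const struct mode *m)
{
	uint64_t num, den;

	if (m->htotal == 0 || m->vtotal == 0)
		return 0;

	num = (uint64_t)m->clock;
	den = (uint64_t)m->htotal * m->vtotal;

	if (m->flags & MODE_FLAG_INTERLACE)
		num *= 2;
	if (m->flags & MODE_FLAG_DBLSCAN)
		den *= 2;
	if (m->vscan > 1)
		den *= m->vscan;

	return (unsigned int)div_round_closest_ull(num * 1000, den);
}

int main(void)
{
	/* Constructed 1080p60 timing: den = 2475000, result 60 in both variants. */
	struct mode ok = { .clock = 148500, .htotal = 2200, .vtotal = 1125,
			   .vscan = 0, .flags = 0 };
	/* Constructed: 32768 * 32768 * 4 == 2^32, which is 0 in 32 bits. */
	struct mode bad = { .clock = 128, .htotal = 32768, .vtotal = 32768,
			    .vscan = 4, .flags = 0 };

	printf("1080p60: u32=%ld u64=%u\n", vrefresh_u32(&ok), vrefresh_u64(&ok));
	printf("wrap:    u32=%ld u64=%u\n", vrefresh_u32(&bad), vrefresh_u64(&bad));
	return 0;
}
```

The 64-bit variant returns 0 Hz for the wrapping timing, which is the honest answer for a 32768 x 32768 mode clocked at 128 kHz; the point is only that the divisor is never zero, so a caller that cannot handle an error return, which is all of them, still gets a number.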
* Re: [syzbot] [PATCH] Test divide err in drm
From: syzbot @ 2023-11-20 12:00 UTC (permalink / raw)
To: linux-kernel
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org.
***
Subject: [PATCH] Test divide err in drm
Author: eadavis@qq.com
please test divide err in drm
#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git ac347a0655db
diff --git a/drivers/gpu/drm/drm_modes.c b/drivers/gpu/drm/drm_modes.c
index ac9a406250c5..117ee4e41c63 100644
--- a/drivers/gpu/drm/drm_modes.c
+++ b/drivers/gpu/drm/drm_modes.c
@@ -36,6 +36,7 @@
#include <linux/list.h>
#include <linux/list_sort.h>
#include <linux/of.h>
+#include <linux/overflow.h>
#include <video/of_display_timing.h>
#include <video/of_videomode.h>
@@ -1297,8 +1298,11 @@ int drm_mode_vrefresh(const struct drm_display_mode *mode)
num *= 2;
if (mode->flags & DRM_MODE_FLAG_DBLSCAN)
den *= 2;
- if (mode->vscan > 1)
+ if (mode->vscan > 1) {
+ if (unlikely(check_mul_overflow(den, mode->vscan, &den)))
+ return 0;
den *= mode->vscan;
+ }
return DIV_ROUND_CLOSEST_ULL(mul_u32_u32(num, 1000), den);
}
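Review bot: `den *= mode->vscan;` right after `check_mul_overflow(den, mode->vscan, &den)` multiplies by vscan twice. check_mul_overflow() stores the product (wrapped or not) into its third argument and returns only whether it wrapped, so once the check passes den already holds den * vscan and the next line makes it den * vscan * vscan, a wrong refresh rate for every mode with vscan > 1. Drop the trailing multiply, or write the product to a temporary and assign it to den only on success.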
^ permalink raw reply related [flat|nested] 22+ messages in thread
* Re: [syzbot] [PATCH] Test divide err in drm
2023-11-15 9:34 [syzbot] [dri?] divide error in drm_mode_debug_printmodeline syzbot
` (9 preceding siblings ...)
2023-11-20 12:00 ` [syzbot] [PATCH] Test divide err in drm syzbot
@ 2023-11-20 12:22 ` syzbot
2023-11-20 13:30 ` syzbot
11 siblings, 0 replies; 22+ messages in thread
From: syzbot @ 2023-11-20 12:22 UTC (permalink / raw)
To: linux-kernel
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org.
***
Subject: [PATCH] Test divide err in drm
Author: eadavis@qq.com
please test divide err in drm
#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git ac347a0655db
diff --git a/drivers/gpu/drm/drm_modes.c b/drivers/gpu/drm/drm_modes.c
index ac9a406250c5..7c6d0229630d 100644
--- a/drivers/gpu/drm/drm_modes.c
+++ b/drivers/gpu/drm/drm_modes.c
@@ -36,6 +36,7 @@
#include <linux/list.h>
#include <linux/list_sort.h>
#include <linux/of.h>
+#include <linux/overflow.h>
#include <video/of_display_timing.h>
#include <video/of_videomode.h>
@@ -1285,7 +1286,7 @@ EXPORT_SYMBOL(drm_mode_set_name);
*/
int drm_mode_vrefresh(const struct drm_display_mode *mode)
{
- unsigned int num, den;
+ unsigned int num, den, x;
if (mode->htotal == 0 || mode->vtotal == 0)
return 0;
@@ -1297,8 +1298,11 @@ int drm_mode_vrefresh(const struct drm_display_mode *mode)
num *= 2;
if (mode->flags & DRM_MODE_FLAG_DBLSCAN)
den *= 2;
- if (mode->vscan > 1)
+ if (mode->vscan > 1) {
+ if (unlikely(check_mul_overflow(den, mode->vscan, &x)))
+ return 0;
den *= mode->vscan;
+ }
return DIV_ROUND_CLOSEST_ULL(mul_u32_u32(num, 1000), den);
}
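Review bot: the product written to `x` by `check_mul_overflow(den, mode->vscan, &x)` is discarded and the value actually used comes from the separate `den *= mode->vscan;`, so the checked multiplication and the used multiplication are two statements that must agree by hand. Use the checked result instead: `den = x;` in place of the multiply, or pass `&den` and delete the multiply; the `unsigned int num, den, x;` declaration in the hunk above is then either justified or unnecessary.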
^ permalink raw reply related [flat|nested] 22+ messages in thread
* Re: [syzbot] [PATCH] Test divide err in drm
2023-11-15 9:34 [syzbot] [dri?] divide error in drm_mode_debug_printmodeline syzbot
` (10 preceding siblings ...)
2023-11-20 12:22 ` syzbot
@ 2023-11-20 13:30 ` syzbot
11 siblings, 0 replies; 22+ messages in thread
From: syzbot @ 2023-11-20 13:30 UTC (permalink / raw)
To: linux-kernel
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org.
***
Subject: [PATCH] Test divide err in drm
Author: eadavis@qq.com
please test divide err in drm
#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git ac347a0655db
diff --git a/drivers/gpu/drm/drm_modes.c b/drivers/gpu/drm/drm_modes.c
index ac9a406250c5..60739d861da2 100644
--- a/drivers/gpu/drm/drm_modes.c
+++ b/drivers/gpu/drm/drm_modes.c
@@ -36,6 +36,7 @@
#include <linux/list.h>
#include <linux/list_sort.h>
#include <linux/of.h>
+#include <linux/overflow.h>
#include <video/of_display_timing.h>
#include <video/of_videomode.h>
@@ -1297,8 +1298,10 @@ int drm_mode_vrefresh(const struct drm_display_mode *mode)
num *= 2;
if (mode->flags & DRM_MODE_FLAG_DBLSCAN)
den *= 2;
- if (mode->vscan > 1)
- den *= mode->vscan;
+ if (mode->vscan > 1) {
+ if (unlikely(check_mul_overflow(den, mode->vscan, &den)))
+ return 0;
+ }
return DIV_ROUND_CLOSEST_ULL(mul_u32_u32(num, 1000), den);
}
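Review bot: the guard covers only the last multiply; `den *= 2;` two lines above, for DRM_MODE_FLAG_DBLSCAN, is the same unchecked 32-bit multiply on the same operand and can wrap the same way, so the patch closes one of two wrap sites. `return 0;` on overflow also hands back the value the function already uses for a zero htotal or vtotal (visible in the previous test patch), which makes an out-of-range vscan indistinguishable from an empty mode. Widening den to u64 fixes both multiplies with no error path; if the 32-bit check is kept, it has to cover the doubling as well.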
^ permalink raw reply related [flat|nested] 22+ messages in thread
* [PATCH V2] drm/modes: Fix divide error in drm_mode_debug_printmodeline
2023-11-20 11:31 ` Jani Nikula
(?)
@ 2023-11-20 14:41 ` Edward Adam Davis
2023-11-20 15:12 ` [Nouveau] " Ville Syrjälä
-1 siblings, 1 reply; 22+ messages in thread
From: Edward Adam Davis @ 2023-11-20 14:41 UTC (permalink / raw)
To: jani.nikula
Cc: airlied, daniel.vetter, eadavis, linux-kernel, dri-devel,
melissa.srw, mripard, tzimmermann, daniel.vetter, syzkaller-bugs,
syzbot+2e93e6fb36e6fdc56574
[Syz Log]
divide error: 0000 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 5068 Comm: syz-executor357 Not tainted 6.6.0-syzkaller-16039-gac347a0655db #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/09/2023
RIP: 0010:drm_mode_vrefresh drivers/gpu/drm/drm_modes.c:1303 [inline]
RIP: 0010:drm_mode_debug_printmodeline+0x118/0x4e0 drivers/gpu/drm/drm_modes.c:60
Code: 00 41 0f b7 07 66 83 f8 02 b9 01 00 00 00 0f 43 c8 0f b7 c1 0f af e8 44 89 f0 48 69 c8 e8 03 00 00 89 e8 d1 e8 48 01 c8 31 d2 <48> f7 f5 49 89 c6 eb 0c e8 fb 07 66 fc eb 05 e8 f4 07 66 fc 48 89
RSP: 0018:ffffc9000391f8d0 EFLAGS: 00010246
RAX: 000000000001f400 RBX: ffff888025045000 RCX: 000000000001f400
RDX: 0000000000000000 RSI: 0000000000008000 RDI: ffff888025045018
RBP: 0000000000000000 R08: ffffffff8528b9af R09: 0000000000000000
R10: ffffc9000391f8a0 R11: fffff52000723f17 R12: 0000000000000080
R13: dffffc0000000000 R14: 0000000000000080 R15: ffff888025045016
FS: 0000555556932380(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000005fdeb8 CR3: 000000007fcff000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
drm_mode_setcrtc+0x83b/0x1880 drivers/gpu/drm/drm_crtc.c:794
drm_ioctl_kernel+0x362/0x500 drivers/gpu/drm/drm_ioctl.c:792
drm_ioctl+0x636/0xb00 drivers/gpu/drm/drm_ioctl.c:895
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:871 [inline]
__se_sys_ioctl+0xf8/0x170 fs/ioctl.c:857
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x44/0x110 arch/x86/entry/common.c:82
entry_SYSCALL_64_after_hwframe+0x63/0x6b
[Analysis]
When calculating den in drm_mode_vrefresh(), if the vscan value is too large,
there is a probability of unsigned integer overflow.
[Fix]
Before multiplying by vscan, first check if their product will overflow.
If overflow occurs, return 0 and exit the subsequent process.
Reported-and-tested-by: syzbot+2e93e6fb36e6fdc56574@syzkaller.appspotmail.com
Fixes: ea40d7857d52 ("drm/vkms: fbdev emulation support")
Signed-off-by: Edward Adam Davis <eadavis@qq.com>
---
drivers/gpu/drm/drm_modes.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletion(-)
diff --git a/drivers/gpu/drm/drm_modes.c b/drivers/gpu/drm/drm_modes.c
index ac9a406250c5..60739d861da2 100644
--- a/drivers/gpu/drm/drm_modes.c
+++ b/drivers/gpu/drm/drm_modes.c
@@ -36,6 +36,7 @@
#include <linux/list.h>
#include <linux/list_sort.h>
#include <linux/of.h>
+#include <linux/overflow.h>
#include <video/of_display_timing.h>
#include <video/of_videomode.h>
@@ -1297,8 +1298,10 @@ int drm_mode_vrefresh(const struct drm_display_mode *mode)
num *= 2;
if (mode->flags & DRM_MODE_FLAG_DBLSCAN)
den *= 2;
- if (mode->vscan > 1)
- den *= mode->vscan;
+ if (mode->vscan > 1) {
+ if (unlikely(check_mul_overflow(den, mode->vscan, &den)))
+ return 0;
+ }
return DIV_ROUND_CLOSEST_ULL(mul_u32_u32(num, 1000), den);
}
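Review bot: `return 0;` on a detected wrap folds an out-of-range vscan into the value the function already returns for htotal == 0 or vtotal == 0, so the mode is neither rejected nor reported and the caller in the trace, drm_mode_debug_printmodeline(), prints a 0 Hz rate as if the timings were empty; with den widened to u64, as the NAK above asks, neither the check nor this early return is needed. Separately, the Fixes: tag names a vkms fbdev commit while the change is to core drm_modes.c: point it at the commit that introduced this arithmetic, or drop it.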
--
2.25.1
^ permalink raw reply related [flat|nested] 22+ messages in thread
* Re: [PATCH V2] drm/modes: Fix divide error in drm_mode_debug_printmodeline
2023-11-20 14:41 ` [PATCH V2] " Edward Adam Davis
2023-11-20 15:12 ` [Nouveau] " Ville Syrjälä
@ 2023-11-20 15:12 ` Ville Syrjälä
0 siblings, 0 replies; 22+ messages in thread
From: Ville Syrjälä @ 2023-11-20 15:12 UTC (permalink / raw)
To: Edward Adam Davis
Cc: jani.nikula, airlied, daniel.vetter, linux-kernel, dri-devel,
melissa.srw, mripard, tzimmermann, daniel.vetter, syzkaller-bugs,
syzbot+2e93e6fb36e6fdc56574, Karol Herbst, Lyude Paul,
Danilo Krummrich, nouveau
On Mon, Nov 20, 2023 at 10:41:18PM +0800, Edward Adam Davis wrote:
> [Syz Log]
> divide error: 0000 [#1] PREEMPT SMP KASAN
> CPU: 0 PID: 5068 Comm: syz-executor357 Not tainted 6.6.0-syzkaller-16039-gac347a0655db #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/09/2023
> RIP: 0010:drm_mode_vrefresh drivers/gpu/drm/drm_modes.c:1303 [inline]
> RIP: 0010:drm_mode_debug_printmodeline+0x118/0x4e0 drivers/gpu/drm/drm_modes.c:60
> Code: 00 41 0f b7 07 66 83 f8 02 b9 01 00 00 00 0f 43 c8 0f b7 c1 0f af e8 44 89 f0 48 69 c8 e8 03 00 00 89 e8 d1 e8 48 01 c8 31 d2 <48> f7 f5 49 89 c6 eb 0c e8 fb 07 66 fc eb 05 e8 f4 07 66 fc 48 89
> RSP: 0018:ffffc9000391f8d0 EFLAGS: 00010246
> RAX: 000000000001f400 RBX: ffff888025045000 RCX: 000000000001f400
> RDX: 0000000000000000 RSI: 0000000000008000 RDI: ffff888025045018
> RBP: 0000000000000000 R08: ffffffff8528b9af R09: 0000000000000000
> R10: ffffc9000391f8a0 R11: fffff52000723f17 R12: 0000000000000080
> R13: dffffc0000000000 R14: 0000000000000080 R15: ffff888025045016
> FS: 0000555556932380(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 00000000005fdeb8 CR3: 000000007fcff000 CR4: 00000000003506f0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> Call Trace:
> <TASK>
> drm_mode_setcrtc+0x83b/0x1880 drivers/gpu/drm/drm_crtc.c:794
> drm_ioctl_kernel+0x362/0x500 drivers/gpu/drm/drm_ioctl.c:792
> drm_ioctl+0x636/0xb00 drivers/gpu/drm/drm_ioctl.c:895
> vfs_ioctl fs/ioctl.c:51 [inline]
> __do_sys_ioctl fs/ioctl.c:871 [inline]
> __se_sys_ioctl+0xf8/0x170 fs/ioctl.c:857
> do_syscall_x64 arch/x86/entry/common.c:51 [inline]
> do_syscall_64+0x44/0x110 arch/x86/entry/common.c:82
> entry_SYSCALL_64_after_hwframe+0x63/0x6b
>
> [Analysis]
> When calculating den in drm_mode_vrefresh(), if the vscan value is too large,
> there is a probability of unsigned integer overflow.
>
> [Fix]
> Before multiplying by vscan, first check if their product will overflow.
> If overflow occurs, return 0 and exit the subsequent process.
>
> Reported-and-tested-by: syzbot+2e93e6fb36e6fdc56574@syzkaller.appspotmail.com
> Fixes: ea40d7857d52 ("drm/vkms: fbdev emulation support")
> Signed-off-by: Edward Adam Davis <eadavis@qq.com>
> ---
> drivers/gpu/drm/drm_modes.c | 7 +++++--
> 1 file changed, 5 insertions(+), 2 deletion(-)
>
> diff --git a/drivers/gpu/drm/drm_modes.c b/drivers/gpu/drm/drm_modes.c
> index ac9a406250c5..60739d861da2 100644
> --- a/drivers/gpu/drm/drm_modes.c
> +++ b/drivers/gpu/drm/drm_modes.c
> @@ -36,6 +36,7 @@
> #include <linux/list.h>
> #include <linux/list_sort.h>
> #include <linux/of.h>
> +#include <linux/overflow.h>
>
> #include <video/of_display_timing.h>
> #include <video/of_videomode.h>
> @@ -1297,8 +1298,10 @@ int drm_mode_vrefresh(const struct drm_display_mode *mode)
> num *= 2;
> if (mode->flags & DRM_MODE_FLAG_DBLSCAN)
> den *= 2;
> - if (mode->vscan > 1)
> - den *= mode->vscan;
> + if (mode->vscan > 1) {
> + if (unlikely(check_mul_overflow(den, mode->vscan, &den)))
> + return 0;
> + }
I can't see any driver that actually supports vscan>1. Only
nouveau has some code for it, but doesn't look like it does
anything sensible. All other drivers for sure should be
rejecting vscan>1 outright. Which driver is this?
Is there an actual usecase where nouveau needs this (and does
it even work?) or could we just rip out the whole thing and
reject vscan>1 globally?
>
> return DIV_ROUND_CLOSEST_ULL(mul_u32_u32(num, 1000), den);
> }
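Review bot: the guarded multiply is reached from the drm_mode_setcrtc() ioctl in the trace above, so vscan is user-controlled input and this helper is only one of its consumers; checking here leaves every other reader of mode->vscan to cope with the same value. Rejecting vscan > 1 at the ioctl boundary, as asked above, removes the input once for all consumers and lets drm_mode_vrefresh() stay a computation that cannot fail; if vscan > 1 must remain accepted for nouveau, the u64 denominator is the fix that needs no error return.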
> --
> 2.25.1
--
Ville Syrjälä
Intel
^ permalink raw reply [flat|nested] 22+ messages in thread
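The arithmetic the thread argues about, as an added example that is not part of the original thread or of the kernel source. It reproduces the 32-bit denominator of drm_mode_vrefresh() on a stand-in struct (the 16-bit field widths, the flag bit positions and the two sample modes are assumptions of this example), shows a mode whose factors multiply to exactly 2^32 and so wrap to the zero divisor the report hit, and puts beside it the two fixes the reviewers suggest: the type change from Jani's NAK (a u64 denominator, no error path) and Ville's rejection of vscan > 1 at the input boundary, with the check_mul_overflow() builtin from the V2 patch for comparison.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Stand-in for the fields of struct drm_display_mode that
 * drm_mode_vrefresh() reads. The 16-bit timing fields, the flag bit
 * positions and the sample modes below are assumptions of this example.
 */
struct mode {
	uint32_t clock;		/* pixel clock, kHz */
	uint16_t htotal;
	uint16_t vtotal;
	uint16_t vscan;
	uint32_t flags;
};

#define FLAG_INTERLACE	(1u << 4)
#define FLAG_DBLSCAN	(1u << 5)

/*
 * The denominator exactly as the unpatched function accumulates it, in
 * a 32-bit unsigned: three multiplies, any of which may wrap. The cast
 * only avoids the int promotion of the u16 operands.
 */
static uint32_t den_u32(const struct mode *m)
{
	uint32_t den = (uint32_t)m->htotal * m->vtotal;

	if (m->flags & FLAG_DBLSCAN)
		den *= 2;
	if (m->vscan > 1)
		den *= m->vscan;
	return den;
}

/*
 * drm_mode_vrefresh() with the denominator widened to 64 bits, the type
 * change asked for in the NAK. Three 16-bit factors and one doubling
 * stay below 2^49, so den cannot wrap and cannot be zero once htotal and
 * vtotal are known to be non-zero. No error path is needed.
 */
static int vrefresh_u64(const struct mode *m)
{
	uint64_t num, den;

	if (m->htotal == 0 || m->vtotal == 0)
		return 0;

	num = m->clock;
	den = (uint64_t)m->htotal * m->vtotal;

	if (m->flags & FLAG_INTERLACE)
		num *= 2;
	if (m->flags & FLAG_DBLSCAN)
		den *= 2;
	if (m->vscan > 1)
		den *= m->vscan;

	/* DIV_ROUND_CLOSEST_ULL(num * 1000, den), written out */
	return (int)((num * 1000 + den / 2) / den);
}

/*
 * The check_mul_overflow() pattern from the V2 patch; the kernel macro
 * expands to this builtin. It always stores the (possibly wrapped)
 * product and returns true if it wrapped, so the caller must not
 * multiply again afterwards.
 */
static bool vscan_mul_overflows(uint32_t den, uint16_t vscan, uint32_t *out)
{
	return __builtin_mul_overflow(den, (uint32_t)vscan, out);
}

/*
 * Validation at the ioctl boundary, the alternative Ville raises: a
 * user-supplied mode with vscan > 1 or a zero total is refused before
 * any helper does arithmetic on it. Returns 0 if acceptable, -1 if not.
 */
static int mode_valid(const struct mode *m)
{
	if (m->htotal == 0 || m->vtotal == 0 || m->vscan > 1)
		return -1;
	return 0;
}

/* Constructed sample modes, not taken from the report. */
static const struct mode fhd60 = {	/* 148500 / (2200 * 1125) = 60 Hz */
	.clock = 148500, .htotal = 2200, .vtotal = 1125, .vscan = 0, .flags = 0,
};
static const struct mode wraps_to_zero = {	/* 512 * 256 * 2 * 16384 = 2^32 */
	.clock = 128, .htotal = 512, .vtotal = 256, .vscan = 16384,
	.flags = FLAG_DBLSCAN,
};

int main(void)
{
	uint32_t out;
	bool ovf = vscan_mul_overflows(512u * 256 * 2, 16384, &out);

	printf("fhd60: den32=%u vrefresh=%d valid=%d\n",
	       den_u32(&fhd60), vrefresh_u64(&fhd60), mode_valid(&fhd60));
	printf("wraps_to_zero: den32=%u vrefresh64=%d valid=%d\n",
	       den_u32(&wraps_to_zero), vrefresh_u64(&wraps_to_zero),
	       mode_valid(&wraps_to_zero));
	printf("check_mul_overflow(262144, 16384): wrapped=%d product=%u\n",
	       ovf, out);
	return 0;
}
```

Build with gcc or clang (the builtin is available in both). The wrapping mode is chosen so that den_u32() returns exactly 0, the case that traps in the kernel; most other oversized vscan values wrap to a non-zero wrong divisor instead, which no zero check notices and only the wider type or the boundary rejection fixes.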
* Re: [PATCH V2] drm/modes: Fix divide error in drm_mode_debug_printmodeline
2023-11-20 15:12 ` [Nouveau] " Ville Syrjälä
(?)
@ 2023-11-21 9:20 ` Jani Nikula
-1 siblings, 0 replies; 22+ messages in thread
From: Jani Nikula @ 2023-11-21 9:20 UTC (permalink / raw)
To: Ville Syrjälä, Edward Adam Davis
Cc: airlied, daniel.vetter, linux-kernel, dri-devel, melissa.srw,
mripard, tzimmermann, daniel.vetter, syzkaller-bugs,
syzbot+2e93e6fb36e6fdc56574, Karol Herbst, Lyude Paul,
Danilo Krummrich, nouveau
On Mon, 20 Nov 2023, Ville Syrjälä <ville.syrjala@linux.intel.com> wrote:
> On Mon, Nov 20, 2023 at 10:41:18PM +0800, Edward Adam Davis wrote:
>> [Syz Log]
>> divide error: 0000 [#1] PREEMPT SMP KASAN
>> CPU: 0 PID: 5068 Comm: syz-executor357 Not tainted 6.6.0-syzkaller-16039-gac347a0655db #0
>> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/09/2023
>> RIP: 0010:drm_mode_vrefresh drivers/gpu/drm/drm_modes.c:1303 [inline]
>> RIP: 0010:drm_mode_debug_printmodeline+0x118/0x4e0 drivers/gpu/drm/drm_modes.c:60
>> Code: 00 41 0f b7 07 66 83 f8 02 b9 01 00 00 00 0f 43 c8 0f b7 c1 0f af e8 44 89 f0 48 69 c8 e8 03 00 00 89 e8 d1 e8 48 01 c8 31 d2 <48> f7 f5 49 89 c6 eb 0c e8 fb 07 66 fc eb 05 e8 f4 07 66 fc 48 89
>> RSP: 0018:ffffc9000391f8d0 EFLAGS: 00010246
>> RAX: 000000000001f400 RBX: ffff888025045000 RCX: 000000000001f400
>> RDX: 0000000000000000 RSI: 0000000000008000 RDI: ffff888025045018
>> RBP: 0000000000000000 R08: ffffffff8528b9af R09: 0000000000000000
>> R10: ffffc9000391f8a0 R11: fffff52000723f17 R12: 0000000000000080
>> R13: dffffc0000000000 R14: 0000000000000080 R15: ffff888025045016
>> FS: 0000555556932380(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
>> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
>> CR2: 00000000005fdeb8 CR3: 000000007fcff000 CR4: 00000000003506f0
>> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
>> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
>> Call Trace:
>> <TASK>
>> drm_mode_setcrtc+0x83b/0x1880 drivers/gpu/drm/drm_crtc.c:794
>> drm_ioctl_kernel+0x362/0x500 drivers/gpu/drm/drm_ioctl.c:792
>> drm_ioctl+0x636/0xb00 drivers/gpu/drm/drm_ioctl.c:895
>> vfs_ioctl fs/ioctl.c:51 [inline]
>> __do_sys_ioctl fs/ioctl.c:871 [inline]
>> __se_sys_ioctl+0xf8/0x170 fs/ioctl.c:857
>> do_syscall_x64 arch/x86/entry/common.c:51 [inline]
>> do_syscall_64+0x44/0x110 arch/x86/entry/common.c:82
>> entry_SYSCALL_64_after_hwframe+0x63/0x6b
>>
>> [Analysis]
>> When calculating den in drm_mode_vrefresh(), if the vscan value is too large,
>> there is a probability of unsigned integer overflow.
>>
>> [Fix]
>> Before multiplying by vscan, first check if their product will overflow.
>> If overflow occurs, return 0 and exit the subsequent process.
>>
>> Reported-and-tested-by: syzbot+2e93e6fb36e6fdc56574@syzkaller.appspotmail.com
>> Fixes: ea40d7857d52 ("drm/vkms: fbdev emulation support")
>> Signed-off-by: Edward Adam Davis <eadavis@qq.com>
>> ---
>> drivers/gpu/drm/drm_modes.c | 7 +++++--
>> 1 file changed, 5 insertions(+), 2 deletion(-)
>>
>> diff --git a/drivers/gpu/drm/drm_modes.c b/drivers/gpu/drm/drm_modes.c
>> index ac9a406250c5..60739d861da2 100644
>> --- a/drivers/gpu/drm/drm_modes.c
>> +++ b/drivers/gpu/drm/drm_modes.c
>> @@ -36,6 +36,7 @@
>> #include <linux/list.h>
>> #include <linux/list_sort.h>
>> #include <linux/of.h>
>> +#include <linux/overflow.h>
>>
>> #include <video/of_display_timing.h>
>> #include <video/of_videomode.h>
>> @@ -1297,8 +1298,10 @@ int drm_mode_vrefresh(const struct drm_display_mode *mode)
>> num *= 2;
>> if (mode->flags & DRM_MODE_FLAG_DBLSCAN)
>> den *= 2;
>> - if (mode->vscan > 1)
>> - den *= mode->vscan;
>> + if (mode->vscan > 1) {
>> + if (unlikely(check_mul_overflow(den, mode->vscan, &den)))
>> + return 0;
>> + }
>
> I can't see any driver that actually supports vscan>1. Only
> nouveau has some code for it, but doesn't look like it does
> anything sensible. All other drivers for sure should be
> rejecting vscan>1 outright. Which driver is this?
>
> Is there an actual usecase where nouveau needs this (and does
> it even work?) or could we just rip out the whole thing and
> reject vscan>1 globally?
I thought the whole thing seemed familiar [1].
BR,
Jani.
[1] https://lore.kernel.org/r/20230802174746.2256-1-astrajoan@yahoo.com
>
>>
>> return DIV_ROUND_CLOSEST_ULL(mul_u32_u32(num, 1000), den);
>> }
>> --
>> 2.25.1
--
Jani Nikula, Intel
^ permalink raw reply [flat|nested] 22+ messages in thread
* Re: [Nouveau] [PATCH V2] drm/modes: Fix divide error in drm_mode_debug_printmodeline
@ 2023-11-21 9:20 ` Jani Nikula
0 siblings, 0 replies; 22+ messages in thread
From: Jani Nikula @ 2023-11-21 9:20 UTC (permalink / raw)
To: Ville Syrjälä, Edward Adam Davis
Cc: airlied, syzkaller-bugs, linux-kernel, dri-devel, melissa.srw,
mripard, nouveau, daniel.vetter, syzbot+2e93e6fb36e6fdc56574
On Mon, 20 Nov 2023, Ville Syrjälä <ville.syrjala@linux.intel.com> wrote:
> On Mon, Nov 20, 2023 at 10:41:18PM +0800, Edward Adam Davis wrote:
>> [Syz Log]
>> divide error: 0000 [#1] PREEMPT SMP KASAN
>> CPU: 0 PID: 5068 Comm: syz-executor357 Not tainted 6.6.0-syzkaller-16039-gac347a0655db #0
>> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/09/2023
>> RIP: 0010:drm_mode_vrefresh drivers/gpu/drm/drm_modes.c:1303 [inline]
>> RIP: 0010:drm_mode_debug_printmodeline+0x118/0x4e0 drivers/gpu/drm/drm_modes.c:60
>> Code: 00 41 0f b7 07 66 83 f8 02 b9 01 00 00 00 0f 43 c8 0f b7 c1 0f af e8 44 89 f0 48 69 c8 e8 03 00 00 89 e8 d1 e8 48 01 c8 31 d2 <48> f7 f5 49 89 c6 eb 0c e8 fb 07 66 fc eb 05 e8 f4 07 66 fc 48 89
>> RSP: 0018:ffffc9000391f8d0 EFLAGS: 00010246
>> RAX: 000000000001f400 RBX: ffff888025045000 RCX: 000000000001f400
>> RDX: 0000000000000000 RSI: 0000000000008000 RDI: ffff888025045018
>> RBP: 0000000000000000 R08: ffffffff8528b9af R09: 0000000000000000
>> R10: ffffc9000391f8a0 R11: fffff52000723f17 R12: 0000000000000080
>> R13: dffffc0000000000 R14: 0000000000000080 R15: ffff888025045016
>> FS: 0000555556932380(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
>> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
>> CR2: 00000000005fdeb8 CR3: 000000007fcff000 CR4: 00000000003506f0
>> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
>> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
>> Call Trace:
>> <TASK>
>> drm_mode_setcrtc+0x83b/0x1880 drivers/gpu/drm/drm_crtc.c:794
>> drm_ioctl_kernel+0x362/0x500 drivers/gpu/drm/drm_ioctl.c:792
>> drm_ioctl+0x636/0xb00 drivers/gpu/drm/drm_ioctl.c:895
>> vfs_ioctl fs/ioctl.c:51 [inline]
>> __do_sys_ioctl fs/ioctl.c:871 [inline]
>> __se_sys_ioctl+0xf8/0x170 fs/ioctl.c:857
>> do_syscall_x64 arch/x86/entry/common.c:51 [inline]
>> do_syscall_64+0x44/0x110 arch/x86/entry/common.c:82
>> entry_SYSCALL_64_after_hwframe+0x63/0x6b
>>
>> [Analysis]
>> When calculating den in drm_mode_vrefresh(), if the vscan value is too large,
>> there is a probability of unsigned integer overflow.
>>
>> [Fix]
>> Before multiplying by vscan, first check if their product will overflow.
>> If overflow occurs, return 0 and exit the subsequent process.
>>
>> Reported-and-tested-by: syzbot+2e93e6fb36e6fdc56574@syzkaller.appspotmail.com
>> Fixes: ea40d7857d52 ("drm/vkms: fbdev emulation support")
>> Signed-off-by: Edward Adam Davis <eadavis@qq.com>
>> ---
>> drivers/gpu/drm/drm_modes.c | 7 +++++--
>> 1 file changed, 5 insertions(+), 2 deletion(-)
>>
>> diff --git a/drivers/gpu/drm/drm_modes.c b/drivers/gpu/drm/drm_modes.c
>> index ac9a406250c5..60739d861da2 100644
>> --- a/drivers/gpu/drm/drm_modes.c
>> +++ b/drivers/gpu/drm/drm_modes.c
>> @@ -36,6 +36,7 @@
>> #include <linux/list.h>
>> #include <linux/list_sort.h>
>> #include <linux/of.h>
>> +#include <linux/overflow.h>
>>
>> #include <video/of_display_timing.h>
>> #include <video/of_videomode.h>
>> @@ -1297,8 +1298,10 @@ int drm_mode_vrefresh(const struct drm_display_mode *mode)
>> num *= 2;
>> if (mode->flags & DRM_MODE_FLAG_DBLSCAN)
>> den *= 2;
>> - if (mode->vscan > 1)
>> - den *= mode->vscan;
>> + if (mode->vscan > 1) {
>> + if (unlikely(check_mul_overflow(den, mode->vscan, &den)))
>> + return 0;
>> + }
>
> I can't see any driver that actually supports vscan>1. Only
> nouveau has some code for it, but doesn't look like it does
> anything sensible. All other drivers for sure should be
> rejecting vscan>1 outright. Which driver is this?
>
> Is there an actual usecase where nouveau needs this (and does
> it even work?) or could we just rip out the whole thing and
> reject vscan>1 globally?
I thought the whole thing seemed familiar [1].
BR,
Jani.
[1] https://lore.kernel.org/r/20230802174746.2256-1-astrajoan@yahoo.com
>
>>
>> return DIV_ROUND_CLOSEST_ULL(mul_u32_u32(num, 1000), den);
>> }
>> --
>> 2.25.1
--
Jani Nikula, Intel
^ permalink raw reply [flat|nested] 22+ messages in thread
* Re: [PATCH V2] drm/modes: Fix divide error in drm_mode_debug_printmodeline
@ 2023-11-21 9:20 ` Jani Nikula
0 siblings, 0 replies; 22+ messages in thread
From: Jani Nikula @ 2023-11-21 9:20 UTC (permalink / raw)
To: Ville Syrjälä, Edward Adam Davis
Cc: Karol Herbst, airlied, daniel.vetter, syzkaller-bugs,
linux-kernel, dri-devel, melissa.srw, Danilo Krummrich, mripard,
tzimmermann, nouveau, daniel.vetter, syzbot+2e93e6fb36e6fdc56574
On Mon, 20 Nov 2023, Ville Syrjälä <ville.syrjala@linux.intel.com> wrote:
> On Mon, Nov 20, 2023 at 10:41:18PM +0800, Edward Adam Davis wrote:
>> [Syz Log]
>> divide error: 0000 [#1] PREEMPT SMP KASAN
>> CPU: 0 PID: 5068 Comm: syz-executor357 Not tainted 6.6.0-syzkaller-16039-gac347a0655db #0
>> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/09/2023
>> RIP: 0010:drm_mode_vrefresh drivers/gpu/drm/drm_modes.c:1303 [inline]
>> RIP: 0010:drm_mode_debug_printmodeline+0x118/0x4e0 drivers/gpu/drm/drm_modes.c:60
>> Code: 00 41 0f b7 07 66 83 f8 02 b9 01 00 00 00 0f 43 c8 0f b7 c1 0f af e8 44 89 f0 48 69 c8 e8 03 00 00 89 e8 d1 e8 48 01 c8 31 d2 <48> f7 f5 49 89 c6 eb 0c e8 fb 07 66 fc eb 05 e8 f4 07 66 fc 48 89
>> RSP: 0018:ffffc9000391f8d0 EFLAGS: 00010246
>> RAX: 000000000001f400 RBX: ffff888025045000 RCX: 000000000001f400
>> RDX: 0000000000000000 RSI: 0000000000008000 RDI: ffff888025045018
>> RBP: 0000000000000000 R08: ffffffff8528b9af R09: 0000000000000000
>> R10: ffffc9000391f8a0 R11: fffff52000723f17 R12: 0000000000000080
>> R13: dffffc0000000000 R14: 0000000000000080 R15: ffff888025045016
>> FS: 0000555556932380(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
>> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
>> CR2: 00000000005fdeb8 CR3: 000000007fcff000 CR4: 00000000003506f0
>> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
>> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
>> Call Trace:
>> <TASK>
>> drm_mode_setcrtc+0x83b/0x1880 drivers/gpu/drm/drm_crtc.c:794
>> drm_ioctl_kernel+0x362/0x500 drivers/gpu/drm/drm_ioctl.c:792
>> drm_ioctl+0x636/0xb00 drivers/gpu/drm/drm_ioctl.c:895
>> vfs_ioctl fs/ioctl.c:51 [inline]
>> __do_sys_ioctl fs/ioctl.c:871 [inline]
>> __se_sys_ioctl+0xf8/0x170 fs/ioctl.c:857
>> do_syscall_x64 arch/x86/entry/common.c:51 [inline]
>> do_syscall_64+0x44/0x110 arch/x86/entry/common.c:82
>> entry_SYSCALL_64_after_hwframe+0x63/0x6b
>>
>> [Analysis]
>> When calculating den in drm_mode_vrefresh(), if the vscan value is too large,
>> there is a probability of unsigned integer overflow.
>>
>> [Fix]
>> Before multiplying by vscan, first check if their product will overflow.
>> If overflow occurs, return 0 and exit the subsequent process.
>>
>> Reported-and-tested-by: syzbot+2e93e6fb36e6fdc56574@syzkaller.appspotmail.com
>> Fixes: ea40d7857d52 ("drm/vkms: fbdev emulation support")
>> Signed-off-by: Edward Adam Davis <eadavis@qq.com>
>> ---
>> drivers/gpu/drm/drm_modes.c | 7 +++++--
>> 1 file changed, 5 insertions(+), 2 deletion(-)
>>
>> diff --git a/drivers/gpu/drm/drm_modes.c b/drivers/gpu/drm/drm_modes.c
>> index ac9a406250c5..60739d861da2 100644
>> --- a/drivers/gpu/drm/drm_modes.c
>> +++ b/drivers/gpu/drm/drm_modes.c
>> @@ -36,6 +36,7 @@
>> #include <linux/list.h>
>> #include <linux/list_sort.h>
>> #include <linux/of.h>
>> +#include <linux/overflow.h>
>>
>> #include <video/of_display_timing.h>
>> #include <video/of_videomode.h>
>> @@ -1297,8 +1298,10 @@ int drm_mode_vrefresh(const struct drm_display_mode *mode)
>> num *= 2;
>> if (mode->flags & DRM_MODE_FLAG_DBLSCAN)
>> den *= 2;
>> - if (mode->vscan > 1)
>> - den *= mode->vscan;
>> + if (mode->vscan > 1) {
>> + if (unlikely(check_mul_overflow(den, mode->vscan, &den)))
>> + return 0;
>> + }
>
> I can't see any driver that actually supports vscan>1. Only
> nouveau has some code for it, but doesn't look like it does
> anything sensible. All other drivers for sure should be
> rejecting vscan>1 outright. Which driver is this?
>
> Is there an actual usecase where nouveau needs this (and does
> it even work?) or could we just rip out the whole thing and
> reject vscan>1 globally?
I thought the whole thing seemed familiar [1].
BR,
Jani.
[1] https://lore.kernel.org/r/20230802174746.2256-1-astrajoan@yahoo.com
>
>>
>> return DIV_ROUND_CLOSEST_ULL(mul_u32_u32(num, 1000), den);
>> }
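Review bot: the guard only covers the vscan multiply; the `den *= 2` for DRM_MODE_FLAG_DBLSCAN two lines above it stays a plain modular multiply and wraps for the same large htotal*vtotal products, so the function can still divide by a wrong denominator. Either wrap that step the same way (`if (mode->flags & DRM_MODE_FLAG_DBLSCAN && check_mul_overflow(den, 2u, &den)) return 0;`) or, better, reject such modes where they enter the kernel: the trace shows the mode arriving via drm_mode_setcrtc(), so validating vscan (and the htotal*vtotal*vscan product) there returns -EINVAL to the caller instead of silently reporting a 0 Hz refresh for a mode the kernel then goes on to use. As a style point, the nested if can be flattened to `if (mode->vscan > 1 && check_mul_overflow(den, mode->vscan, &den)) return 0;`, which keeps the short-circuit so den is untouched when vscan <= 1.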
>> --
>> 2.25.1
--
Jani Nikula, Intel
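To make the failure mode concrete, here is an added example (mine, not the kernel's code and not part of this thread) that models the arithmetic of drm_mode_vrefresh() in userspace C. A hypothetical `struct mode` stands in for the fields of struct drm_display_mode that the function reads. It shows a mode whose htotal*vtotal*vscan product is exactly 2^32, so the unchecked denominator wraps to 0 (RBP is 0 in the register dump above and the faulting opcode 48 f7 f5 is `div rbp`), and a DBLSCAN mode where the doubling wraps to a non-zero but wrong value, which a check on the vscan multiply alone does not catch. `__builtin_mul_overflow` is the GCC/clang builtin that the kernel's check_mul_overflow() wraps. The sample modes are constructed for illustration, not taken from the reproducer.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for the members of struct drm_display_mode that
 * drm_mode_vrefresh() reads; the real struct has many more fields. */
struct mode {
	uint32_t clock;   /* pixel clock in kHz */
	uint16_t htotal;
	uint16_t vtotal;
	uint16_t vscan;
	bool interlace;   /* DRM_MODE_FLAG_INTERLACE */
	bool dblscan;     /* DRM_MODE_FLAG_DBLSCAN */
};

/* Unpatched arithmetic: every step is a 32-bit modular multiply, so a
 * large enough product silently wraps, possibly all the way to 0. */
uint32_t den_unchecked(const struct mode *m)
{
	uint32_t den = (uint32_t)m->htotal * m->vtotal;

	if (m->dblscan)
		den *= 2;
	if (m->vscan > 1)
		den *= m->vscan;
	return den;
}

/* Every multiply guarded. Returns false (and leaves *den untouched) as
 * soon as one step would not fit in 32 bits. */
bool den_checked(const struct mode *m, uint32_t *den)
{
	uint32_t d;

	if (__builtin_mul_overflow((uint32_t)m->htotal, m->vtotal, &d))
		return false;
	if (m->dblscan && __builtin_mul_overflow(d, 2u, &d))
		return false;
	if (m->vscan > 1 && __builtin_mul_overflow(d, m->vscan, &d))
		return false;
	*den = d;
	return true;
}

/* Convenience predicate: does the denominator fit without wrapping? */
bool den_fits(const struct mode *m)
{
	uint32_t d;

	return den_checked(m, &d);
}

/* Vertical refresh in Hz, rounded to nearest (DIV_ROUND_CLOSEST_ULL
 * semantics), or 0 for a degenerate mode or a wrapped denominator. */
int vrefresh(const struct mode *m)
{
	uint32_t den;
	uint64_t num;

	if (m->htotal == 0 || m->vtotal == 0)
		return 0;
	if (!den_checked(m, &den))
		return 0;
	num = (uint64_t)m->clock * (m->interlace ? 2 : 1) * 1000;
	return (int)((num + den / 2) / den);
}

/* Constructed sample modes (not from the syzbot reproducer). */
const struct mode mode_1080p60 = {
	.clock = 148500, .htotal = 2200, .vtotal = 1125, .vscan = 0 };
/* 4096 * 4096 * 256 == 2^32: the denominator wraps to exactly 0. */
const struct mode mode_vscan_wrap = {
	.clock = 128000, .htotal = 4096, .vtotal = 4096, .vscan = 256 };
/* 65535 * 65535 fits, but doubling it for DBLSCAN wraps to a wrong value. */
const struct mode mode_dblscan_wrap = {
	.clock = 128000, .htotal = 65535, .vtotal = 65535, .dblscan = true };

int main(void)
{
	const struct mode *modes[] = { &mode_1080p60, &mode_vscan_wrap,
				       &mode_dblscan_wrap };
	unsigned i;

	for (i = 0; i < 3; i++) {
		const struct mode *m = modes[i];

		printf("htotal=%u vtotal=%u vscan=%u dblscan=%d: "
		       "unchecked den=%" PRIu32 " fits=%d vrefresh=%d Hz\n",
		       m->htotal, m->vtotal, m->vscan, m->dblscan,
		       den_unchecked(m), den_fits(m), vrefresh(m));
	}
	return 0;
}
```

The checked variant returns 0 Hz for the bad modes instead of faulting; a kernel-side fix that rejects such a mode at ioctl time with -EINVAL, as the review discussion suggests, is preferable to reporting a nonsense refresh rate.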
Thread overview: 22+ messages
2023-11-15 9:34 [syzbot] [dri?] divide error in drm_mode_debug_printmodeline syzbot
2023-11-16 0:52 ` [syzbot] [PATCH] test " syzbot
2023-11-16 2:33 ` [syzbot] syzbot
2023-11-16 3:29 ` [syzbot] syzbot
2023-11-18 3:42 ` [syzbot] [PATCH] Test divide err in drm syzbot
2023-11-18 6:44 ` syzbot
2023-11-18 10:29 ` syzbot
2023-11-18 11:59 ` syzbot
2023-11-19 1:31 ` syzbot
2023-11-19 2:24 ` [PATCH] drm/modes: Fix divide error in drm_mode_debug_printmodeline Edward Adam Davis
2023-11-20 11:31 ` Jani Nikula
2023-11-20 14:41 ` [PATCH V2] " Edward Adam Davis
2023-11-20 15:12 ` Ville Syrjälä
2023-11-21 9:20 ` Jani Nikula
2023-11-20 12:00 ` [syzbot] [PATCH] Test divide err in drm syzbot
2023-11-20 12:22 ` syzbot
2023-11-20 13:30 ` syzbot