linux-fbdev.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
* [PATCH v2] fbdev: fix incorrect address computation in deferred IO
@ 2024-04-23 11:50 Nam Cao
  2024-04-23 13:07 ` Thomas Zimmermann
  0 siblings, 1 reply; 5+ messages in thread
From: Nam Cao @ 2024-04-23 11:50 UTC (permalink / raw)
  To: Jaya Kumar, Daniel Vetter, Helge Deller,
	Javier Martinez Canillas, Thomas Zimmermann, linux-fbdev,
	dri-devel, linux-kernel
  Cc: tiwai, namcao, bigeasy, patrik.r.jakobsson, Vegard Nossum,
	George Kennedy, Darren Kenny, chuansheng.liu,
	Harshit Mogalapalli, stable

With deferred IO enabled, a page fault happens when data is written to the
framebuffer device. Then driver determines which page is being updated by
calculating the offset of the written virtual address within the virtual
memory area, and uses this offset to get the updated page within the
internal buffer. This page is later copied to hardware (thus the name
"deferred IO").

This offset calculation is only correct if the virtual memory area is
mapped to the beginning of the internal buffer. Otherwise this is wrong.
For example, if users do:
    mmap(ptr, 4096, PROT_WRITE, MAP_FIXED | MAP_SHARED, fd, 0xff000);

Then the virtual memory area will mapped at offset 0xff000 within the
internal buffer. This offset 0xff000 is not accounted for, and wrong page
is updated.

Correct the calculation by using vmf->pgoff instead. With this change, the
variable "offset" will no longer hold the exact offset value, but it is
rounded down to multiples of PAGE_SIZE. But this is still correct, because
this variable is only used to calculate the page offset.

Reported-by: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
Closes: https://lore.kernel.org/linux-fbdev/271372d6-e665-4e7f-b088-dee5f4ab341a@oracle.com
Fixes: 56c134f7f1b5 ("fbdev: Track deferred-I/O pages in pageref struct")
Cc: <stable@vger.kernel.org>
Signed-off-by: Nam Cao <namcao@linutronix.de>
---
v2:
  - simplify the patch by using vfg->pgoff
  - remove tested-by tag, as the patch is now different

 drivers/video/fbdev/core/fb_defio.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/video/fbdev/core/fb_defio.c b/drivers/video/fbdev/core/fb_defio.c
index 1ae1d35a5942..b9607d5a370d 100644
--- a/drivers/video/fbdev/core/fb_defio.c
+++ b/drivers/video/fbdev/core/fb_defio.c
@@ -196,7 +196,7 @@ static vm_fault_t fb_deferred_io_track_page(struct fb_info *info, unsigned long
  */
 static vm_fault_t fb_deferred_io_page_mkwrite(struct fb_info *info, struct vm_fault *vmf)
 {
-	unsigned long offset = vmf->address - vmf->vma->vm_start;
+	unsigned long offset = vmf->pgoff << PAGE_SHIFT;
 	struct page *page = vmf->page;
 
 	file_update_time(vmf->vma->vm_file);
-- 
2.39.2


^ permalink raw reply related	[flat|nested] 5+ messages in thread
* Re: [PATCH v2] fbdev: fix incorrect address computation in deferred IO
  2024-04-23 11:50 [PATCH v2] fbdev: fix incorrect address computation in deferred IO Nam Cao
@ 2024-04-23 13:07 ` Thomas Zimmermann
  2024-04-23 13:26   ` Harshit Mogalapalli
  0 siblings, 1 reply; 5+ messages in thread
From: Thomas Zimmermann @ 2024-04-23 13:07 UTC (permalink / raw)
  To: Nam Cao, Jaya Kumar, Daniel Vetter, Helge Deller,
	Javier Martinez Canillas, linux-fbdev, dri-devel, linux-kernel
  Cc: tiwai, bigeasy, patrik.r.jakobsson, Vegard Nossum,
	George Kennedy, Darren Kenny, chuansheng.liu,
	Harshit Mogalapalli, stable

Hi

Am 23.04.24 um 13:50 schrieb Nam Cao:
> With deferred IO enabled, a page fault happens when data is written to the
> framebuffer device. Then driver determines which page is being updated by
> calculating the offset of the written virtual address within the virtual
> memory area, and uses this offset to get the updated page within the
> internal buffer. This page is later copied to hardware (thus the name
> "deferred IO").
>
> This offset calculation is only correct if the virtual memory area is
> mapped to the beginning of the internal buffer. Otherwise this is wrong.
> For example, if users do:
>      mmap(ptr, 4096, PROT_WRITE, MAP_FIXED | MAP_SHARED, fd, 0xff000);
>
> Then the virtual memory area will mapped at offset 0xff000 within the
> internal buffer. This offset 0xff000 is not accounted for, and wrong page
> is updated.
>
> Correct the calculation by using vmf->pgoff instead. With this change, the
> variable "offset" will no longer hold the exact offset value, but it is
> rounded down to multiples of PAGE_SIZE. But this is still correct, because
> this variable is only used to calculate the page offset.
>
> Reported-by: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
> Closes: https://lore.kernel.org/linux-fbdev/271372d6-e665-4e7f-b088-dee5f4ab341a@oracle.com
> Fixes: 56c134f7f1b5 ("fbdev: Track deferred-I/O pages in pageref struct")
> Cc: <stable@vger.kernel.org>
> Signed-off-by: Nam Cao <namcao@linutronix.de>

Reviewed-by: Thomas Zimmermann <tzimmermann@suse.de>

Thank you so much. I'll take care of merging the patch later this week.

Best regards
Thomas

> ---
> v2:
>    - simplify the patch by using vfg->pgoff
>    - remove tested-by tag, as the patch is now different
>
>   drivers/video/fbdev/core/fb_defio.c | 2 +-
>   1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/video/fbdev/core/fb_defio.c b/drivers/video/fbdev/core/fb_defio.c
> index 1ae1d35a5942..b9607d5a370d 100644
> --- a/drivers/video/fbdev/core/fb_defio.c
> +++ b/drivers/video/fbdev/core/fb_defio.c
> @@ -196,7 +196,7 @@ static vm_fault_t fb_deferred_io_track_page(struct fb_info *info, unsigned long
>    */
>   static vm_fault_t fb_deferred_io_page_mkwrite(struct fb_info *info, struct vm_fault *vmf)
>   {
> -	unsigned long offset = vmf->address - vmf->vma->vm_start;
> +	unsigned long offset = vmf->pgoff << PAGE_SHIFT;
>   	struct page *page = vmf->page;
>   
>   	file_update_time(vmf->vma->vm_file);

-- 
--
Thomas Zimmermann
Graphics Driver Developer
SUSE Software Solutions Germany GmbH
Frankenstrasse 146, 90461 Nuernberg, Germany
GF: Ivo Totev, Andrew Myers, Andrew McDonald, Boudien Moerman
HRB 36809 (AG Nuernberg)


^ permalink raw reply	[flat|nested] 5+ messages in thread
* Re: [PATCH v2] fbdev: fix incorrect address computation in deferred IO
  2024-04-23 13:07 ` Thomas Zimmermann
@ 2024-04-23 13:26   ` Harshit Mogalapalli
  2024-04-23 13:34     ` Nam Cao
  0 siblings, 1 reply; 5+ messages in thread
From: Harshit Mogalapalli @ 2024-04-23 13:26 UTC (permalink / raw)
  To: Thomas Zimmermann, Nam Cao, Jaya Kumar, Daniel Vetter,
	Helge Deller, Javier Martinez Canillas, linux-fbdev, dri-devel,
	linux-kernel
  Cc: tiwai, bigeasy, patrik.r.jakobsson, Vegard Nossum,
	George Kennedy, Darren Kenny, chuansheng.liu, stable

Hi,

On 23/04/24 18:37, Thomas Zimmermann wrote:
> Hi
> 
> Am 23.04.24 um 13:50 schrieb Nam Cao:
>> With deferred IO enabled, a page fault happens when data is written to 
>> the
>> framebuffer device. Then driver determines which page is being updated by
>> calculating the offset of the written virtual address within the virtual
>> memory area, and uses this offset to get the updated page within the
>> internal buffer. This page is later copied to hardware (thus the name
>> "deferred IO").
>>
>> This offset calculation is only correct if the virtual memory area is
>> mapped to the beginning of the internal buffer. Otherwise this is wrong.
>> For example, if users do:
>>      mmap(ptr, 4096, PROT_WRITE, MAP_FIXED | MAP_SHARED, fd, 0xff000);
>>
>> Then the virtual memory area will mapped at offset 0xff000 within the
>> internal buffer. This offset 0xff000 is not accounted for, and wrong page
>> is updated.
>>
>> Correct the calculation by using vmf->pgoff instead. With this change, 
>> the
>> variable "offset" will no longer hold the exact offset value, but it is
>> rounded down to multiples of PAGE_SIZE. But this is still correct, 
>> because
>> this variable is only used to calculate the page offset.
>>
>> Reported-by: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
>> Closes: 
>> https://lore.kernel.org/linux-fbdev/271372d6-e665-4e7f-b088-dee5f4ab341a@oracle.com
>> Fixes: 56c134f7f1b5 ("fbdev: Track deferred-I/O pages in pageref struct")
>> Cc: <stable@vger.kernel.org>
>> Signed-off-by: Nam Cao <namcao@linutronix.de>
> 
> Reviewed-by: Thomas Zimmermann <tzimmermann@suse.de>
> 

Thanks everyone!

I have tested the patched kernel with the syzkaller reproducer and 
couldn't see a problem.

Regards,
Harshit

> Thank you so much. I'll take care of merging the patch later this week.
> 
> Best regards
> Thomas
> 
>> ---
>> v2:
>>    - simplify the patch by using vfg->pgoff
>>    - remove tested-by tag, as the patch is now different
>>
>>   drivers/video/fbdev/core/fb_defio.c | 2 +-
>>   1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/drivers/video/fbdev/core/fb_defio.c 
>> b/drivers/video/fbdev/core/fb_defio.c
>> index 1ae1d35a5942..b9607d5a370d 100644
>> --- a/drivers/video/fbdev/core/fb_defio.c
>> +++ b/drivers/video/fbdev/core/fb_defio.c
>> @@ -196,7 +196,7 @@ static vm_fault_t fb_deferred_io_track_page(struct 
>> fb_info *info, unsigned long
>>    */
>>   static vm_fault_t fb_deferred_io_page_mkwrite(struct fb_info *info, 
>> struct vm_fault *vmf)
>>   {
>> -    unsigned long offset = vmf->address - vmf->vma->vm_start;
>> +    unsigned long offset = vmf->pgoff << PAGE_SHIFT;
>>       struct page *page = vmf->page;
>>       file_update_time(vmf->vma->vm_file);
> 


^ permalink raw reply	[flat|nested] 5+ messages in thread
* Re: [PATCH v2] fbdev: fix incorrect address computation in deferred IO
  2024-04-23 13:26   ` Harshit Mogalapalli
@ 2024-04-23 13:34     ` Nam Cao
  2024-04-23 13:49       ` Harshit Mogalapalli
  0 siblings, 1 reply; 5+ messages in thread
From: Nam Cao @ 2024-04-23 13:34 UTC (permalink / raw)
  To: Harshit Mogalapalli
  Cc: Thomas Zimmermann, Jaya Kumar, Daniel Vetter, Helge Deller,
	Javier Martinez Canillas, linux-fbdev, dri-devel, linux-kernel,
	tiwai, bigeasy, patrik.r.jakobsson, Vegard Nossum,
	George Kennedy, Darren Kenny, chuansheng.liu, stable

On Tue, Apr 23, 2024 at 06:56:52PM +0530, Harshit Mogalapalli wrote:
> Thanks everyone!
> 
> I have tested the patched kernel with the syzkaller reproducer and couldn't
> see a problem.

If you want to take credit for testing it, send us:

	Tested-by: Your Name <your@email>

And that tag will appear in the final commit.

But completely up to you.

Best regards,
Nam

^ permalink raw reply	[flat|nested] 5+ messages in thread
* Re: [PATCH v2] fbdev: fix incorrect address computation in deferred IO
  2024-04-23 13:34     ` Nam Cao
@ 2024-04-23 13:49       ` Harshit Mogalapalli
  0 siblings, 0 replies; 5+ messages in thread
From: Harshit Mogalapalli @ 2024-04-23 13:49 UTC (permalink / raw)
  To: Nam Cao
  Cc: Thomas Zimmermann, Jaya Kumar, Daniel Vetter, Helge Deller,
	Javier Martinez Canillas, linux-fbdev, dri-devel, linux-kernel,
	tiwai, bigeasy, patrik.r.jakobsson, Vegard Nossum,
	George Kennedy, Darren Kenny, chuansheng.liu, stable

Hi Nam,

On 23/04/24 19:04, Nam Cao wrote:
> On Tue, Apr 23, 2024 at 06:56:52PM +0530, Harshit Mogalapalli wrote:
>> Thanks everyone!
>>
>> I have tested the patched kernel with the syzkaller reproducer and couldn't
>> see a problem.
> 
> If you want to take credit for testing it, send us:
> 
> 	Tested-by: Your Name <your@email>
> 
> And that tag will appear in the final commit.
> 

Tested-by: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>

Thanks,
Harshit


> But completely up to you.
> 
> Best regards,
> Nam


^ permalink raw reply	[flat|nested] 5+ messages in thread
end of thread, other threads:[~2024-04-23 13:50 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2024-04-23 11:50 [PATCH v2] fbdev: fix incorrect address computation in deferred IO Nam Cao
2024-04-23 13:07 ` Thomas Zimmermann
2024-04-23 13:26   ` Harshit Mogalapalli
2024-04-23 13:34     ` Nam Cao
2024-04-23 13:49       ` Harshit Mogalapalli

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).