From: Daniel Vetter <email@example.com> To: Linus Torvalds <firstname.lastname@example.org> Cc: "Maciej W. Rozycki" <email@example.com>, Tetsuo Handa <firstname.lastname@example.org>, dri-devel <email@example.com>, Linux Fbdev development list <firstname.lastname@example.org>, Linux Kernel Mailing List <email@example.com>, syzbot <firstname.lastname@example.org>, Bartlomiej Zolnierkiewicz <email@example.com>, Colin King <firstname.lastname@example.org>, Greg Kroah-Hartman <email@example.com>, Jani Nikula <firstname.lastname@example.org>, Jiri Slaby <email@example.com>, syzkaller-bugs <firstname.lastname@example.org>, "Antonino A. Daplas" <email@example.com> Subject: Re: [PATCH] video: fbdev: vga16fb: fix OOB write in vga16fb_imageblit() Date: Mon, 17 May 2021 15:10:19 +0200 [thread overview] Message-ID: <CAKMK7uFfuV1GH7rvTwLCovnWvd0hYXPGbAyYELoX9PqZn3u2gQ@mail.gmail.com> (raw) In-Reply-To: <CAKMK7uGLP2zn7LX4ATExA4DLo16shVivSd_W58X-rBZNPSb3_w@mail.gmail.com> On Mon, May 17, 2021 at 3:07 PM Daniel Vetter <firstname.lastname@example.org> wrote: > > On Fri, May 14, 2021 at 10:33 PM Linus Torvalds > <email@example.com> wrote: > > > > On Fri, May 14, 2021 at 1:25 PM Maciej W. Rozycki <firstname.lastname@example.org> wrote: > > > > > > Overall I think it does make sense to resize the text console at any > > > time, even if the visible console (VT) chosen is in the graphics mode, > > > > It might make sense, but only if we call the function to update the > > low-level data. > > > > Not calling it, and then starting to randomly use the (wrong) > > geometry, and just limiting it so that it's all within the buffer - > > THAT does not make sense. > > > > So I think your patch is fundamentally wrong. It basically says "let's > > use random stale incorrect data, but just make sure that the end > > result is still within the allocated buffer". > > > > My patch is at least conceptually sane. > > > > An alternative would be to just remove the "vcmode != KD_GRAPHICS" > > check entirely, and always call con_resize() to update the low-level > > data, but honestly, that seems very likelty to break something very > > fundamentally, since it's not how any of fbcon has ever been tested, > > Just an aside: I think with fbdev drivers this would go boom, because > you'd have fbcon interferring with a direct /dev/fb/* user. Boom here means a bit of screen corruption, because fbcon overdraws your X sessions. Fixed by the next redraw of X. > But if your fbdev driver is actually a drm modeset driver, then we > have additional limitations: If the userspace accesses the display > through /dev/dri/card0, then the kernel blocks all access through > /dev/fb/* (including fbcon) to the actual display (it only goes into > the buffer used for fbdev emulation). And everything would be fine. > > Also generally you'd get away with this even in problematic cases, > since usually you resize your console when looking at it, not when X > or something else is using your fbdev direct access. > > The one thing that's left out here a bit in the cold is userspace > modeset drivers in X. Those would get hosed. But also, we stopped > supporting those in at least i915/amd/radeon/nouveau drivers, > automatically falling back to the fbdev stuff in most cases (with or > without the drm drivers underneath that), and no one screamed. So > probably not many users left. This one could lead to incosistent hw state, which would be worse. > So I /think/ we could wager this, if it's the least intrusive fix from > the kernel pov. But it has some risks that we need to revert again if > we break some of the really old use-cases here. Cheers, Daniel > > Another alternative would be to just delay the resize to when vcmode > > is put back to text mode again. That sounds somewhat reasonable to me, > > but it's a pretty big thing. > > > > But no, your patch to just "knowingly use entirely wrong values, then > > add a limit check because we know the values are possibly garbage and > > not consistent with reality" is simply not acceptable. > > > > Linus > > > > -- > Daniel Vetter > Software Engineer, Intel Corporation > http://blog.ffwll.ch -- Daniel Vetter Software Engineer, Intel Corporation http://blog.ffwll.ch
next prev parent reply other threads:[~2021-05-17 13:10 UTC|newest] Thread overview: 29+ messages / expand[flat|nested] mbox.gz Atom feed top 2013-02-19 17:33 BUG: unable to handle kernel paging request at ffffc90000669000, IP: [<ffffffff8139d84a>] bitfill_un Tommi Rantala 2019-12-10 16:38 ` BUG: unable to handle kernel paging request in sys_imageblit syzbot 2020-06-19 4:56 ` syzbot 2019-12-27 7:13 ` BUG: unable to handle kernel paging request in vga16fb_imageblit syzbot 2020-05-08 7:07 ` BUG: unable to handle kernel paging request in vga16fb_imageblit (2) syzbot 2021-05-01 20:31 ` [syzbot] " syzbot 2021-05-02 1:53 ` syzbot 2021-05-03 13:41 ` Tetsuo Handa 2021-05-07 11:09 ` Tetsuo Handa 2021-05-14 16:19 ` [PATCH] video: fbdev: vga16fb: fix OOB write in vga16fb_imageblit() Tetsuo Handa 2021-05-14 17:29 ` Linus Torvalds 2021-05-14 17:37 ` Linus Torvalds 2021-05-14 18:23 ` Linus Torvalds 2021-05-14 20:25 ` Maciej W. Rozycki 2021-05-14 20:32 ` Linus Torvalds 2021-05-14 21:10 ` Linus Torvalds 2021-05-15 7:43 ` [PATCH v2] tty: vt: always invoke vc->vc_sw->con_resize callback Tetsuo Handa 2021-05-15 16:21 ` Maciej W. Rozycki 2021-05-15 16:32 ` Maciej W. Rozycki 2021-05-15 16:41 ` Linus Torvalds 2021-05-17 13:13 ` Daniel Vetter 2021-05-15 16:11 ` [PATCH] video: fbdev: vga16fb: fix OOB write in vga16fb_imageblit() Maciej W. Rozycki 2021-05-17 13:07 ` Daniel Vetter 2021-05-17 13:10 ` Daniel Vetter [this message] 2021-05-15 0:45 ` Tetsuo Handa 2020-05-12 6:55 ` BUG: unable to handle kernel paging request in bitfill_aligned syzbot 2020-10-06 8:18 ` BUG: unable to handle kernel paging request in cfb_imageblit syzbot 2020-12-18 15:26 ` syzbot 2020-12-18 15:27 ` Dmitry Vyukov
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=CAKMK7uFfuV1GH7rvTwLCovnWvd0hYXPGbAyYELoX9PqZn3u2gQ@mail.gmail.com \ --email@example.com \ --firstname.lastname@example.org \ --email@example.com \ --firstname.lastname@example.org \ --email@example.com \ --firstname.lastname@example.org \ --email@example.com \ --firstname.lastname@example.org \ --email@example.com \ --firstname.lastname@example.org \ --email@example.com \ --firstname.lastname@example.org \ --email@example.com \ --firstname.lastname@example.org \ --email@example.com \ --subject='Re: [PATCH] video: fbdev: vga16fb: fix OOB write in vga16fb_imageblit()' \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: link
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).