Re: drm/msm/dpu: fix stack smashing in dpu_hw_ctl_setup_blendstage

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 




On 23.02.2023 12:53, Dmitry Baryshkov wrote:
> On Thu, 23 Feb 2023 at 12:57, Konrad Dybcio <konrad.dybcio@xxxxxxxxxx> wrote:
>>
>>
>>
>> On 23.02.2023 10:57, Dmitry Baryshkov wrote:
>>> The rewritten dpu_hw_ctl_setup_blendstage() can lightly smash the stack
>>> when setting the SSPP_NONE pipe. However it was unnoticed until the
>>> kernel was tested under AOSP (with some kind of stack protection/check).
>>>
>>> This fixes the following backtrace:
>>>
>>> Unexpected kernel BRK exception at EL1
>>> Internal error: BRK handler: 00000000f20003e8 [#1] PREEMPT SMP
>>> Hardware name: Thundercomm Dragonboard 845c (DT)
>>> pstate: a0400005 (NzCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
>>> pc : dpu_hw_ctl_setup_blendstage+0x26c/0x278 [msm]
>>> lr : _dpu_crtc_blend_setup+0x4b4/0x5a0 [msm]
>>> sp : ffffffc00bdcb720
>>> x29: ffffffc00bdcb720 x28: ffffff8085debac0 x27: 0000000000000002
>>> x26: ffffffd74af18320 x25: ffffff8083af75a0 x24: ffffffc00bdcb878
>>> x23: 0000000000000001 x22: 0000000000000000 x21: ffffff8085a70000
>>> x20: ffffff8083012dc0 x19: 0000000000000001 x18: 0000000000000000
>>> x17: 000000040044ffff x16: 045000f4b5593519 x15: 0000000000000000
>>> x14: 000000000000000b x13: 0000000000000001 x12: 0000000000000000
>>> x11: 0000000000000001 x10: ffffffc00bdcb764 x9 : ffffffd74af06a08
>>> x8 : 0000000000000001 x7 : 0000000000000001 x6 : 0000000000000000
>>> x5 : ffffffc00bdcb878 x4 : 0000000000000002 x3 : ffffffffffffffff
>>> x2 : ffffffc00bdcb878 x1 : 0000000000000000 x0 : 0000000000000002
>>> Call trace:
>>>  dpu_hw_ctl_setup_blendstage+0x26c/0x278 [msm]
>>>  _dpu_crtc_blend_setup+0x4b4/0x5a0 [msm]
>>>  dpu_crtc_atomic_begin+0xd8/0x22c [msm]
>>>  drm_atomic_helper_commit_planes+0x80/0x208 [drm_kms_helper]
>>>  msm_atomic_commit_tail+0x134/0x6f0 [msm]
>>>  commit_tail+0xa4/0x1a4 [drm_kms_helper]
>>>  drm_atomic_helper_commit+0x170/0x184 [drm_kms_helper]
>>>  drm_atomic_commit+0xac/0xe8
>>>  drm_mode_atomic_ioctl+0xbf0/0xdac
>>>  drm_ioctl_kernel+0xc4/0x178
>>>  drm_ioctl+0x2c8/0x608
>>>  __arm64_sys_ioctl+0xa8/0xec
>>>  invoke_syscall+0x44/0x104
>>>  el0_svc_common.constprop.0+0x44/0xec
>>>  do_el0_svc+0x38/0x98
>>>  el0_svc+0x2c/0xb4
>>>  el0t_64_sync_handler+0xb8/0xbc
>>>  el0t_64_sync+0x1a0/0x1a4
>>> Code: 52800016 52800017 52800018 17ffffc7 (d4207d00)
>>>
>>> Fixes: 4488f71f6373 ("drm/msm/dpu: simplify blend configuration")
>>> Reported-by: Amit Pundir <amit.pundir@xxxxxxxxxx>
>>> Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@xxxxxxxxxx>
>>> ---
>>>  drivers/gpu/drm/msm/disp/dpu1/dpu_hw_ctl.c | 4 +++-
>>>  1 file changed, 3 insertions(+), 1 deletion(-)
>>>
>>> diff --git a/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_ctl.c b/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_ctl.c
>>> index b88a2f3724e6..6c53ea560ffa 100644
>>> --- a/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_ctl.c
>>> +++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_ctl.c
>>> @@ -446,7 +446,9 @@ static void dpu_hw_ctl_setup_blendstage(struct dpu_hw_ctl *ctx,
>>>                        * CTL_LAYER has 3-bit field (and extra bits in EXT register),
>>>                        * all EXT registers has 4-bit fields.
>>>                        */
>>> -                     if (cfg->idx == 0) {
>>> +                     if (cfg->idx == -1) {
>> if (cfg->idx == ctl_blend_config[SSPP_NONE][0].idx)?
> 
> Why? -1 is simpler and more obvious (and doesn't bind it only to SSPP_NONE).
Obvious enough to the point of requiring a Fixes? :P

But I see your point, it's probably better to leave it as -1
due to its ambiguity.

Konrad
> 
>>
>> Konrad
>>> +                             continue;
>>> +                     } else if (cfg->idx == 0) {
>>>                               mixercfg[0] |= mix << cfg->shift;
>>>                               mixercfg[1] |= ext << cfg->ext_shift;
>>>                       } else {
>>>
> 
> 
> 



[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [Linux for Sparc]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux