From patchwork Wed Jul 12 10:09:22 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Marek Szyprowski X-Patchwork-Id: 107473 Delivered-To: patch@linaro.org Received: by 10.182.45.195 with SMTP id p3csp705967obm; Wed, 12 Jul 2017 03:09:43 -0700 (PDT) X-Received: by 10.84.217.219 with SMTP id d27mr3272483plj.180.1499854183208; Wed, 12 Jul 2017 03:09:43 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1499854183; cv=none; d=google.com; s=arc-20160816; b=qqRADxwbpwDk5vJ9/5fYDSdBfN8nEzbVVbQl4G5D+H3A6YHzbQWcNSXonkW1UPw7Z7 HhirEKPHZQStPLU64x7u8VjWe0uCMBROazpa55BQbnJ/uzKQtLaHmiR28aSHVj79rK/j SzWihPJ5uISo7VRkoT5v94hnAkGe5V67EgtJ6tv8iJF6r44Ls/JgdsRJUBGKSWOAZnWD OuJwYp9Pm1mKqyp4RVq/O+82iVFC1RaiQLxyaSts8DbLSaz39ELa+NxcHfwuT36VRj2y GnrWjnRSvO1mk4W9yQsvC4Se4B/D5KiRNDx66vT5672y5psVs9aHee0dX26Ii/NpNwn6 baZQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=sender:errors-to:content-transfer-encoding:mime-version :list-subscribe:list-help:list-post:list-archive:list-unsubscribe :list-id:precedence:cc:references:cms-type:message-id:date:subject :to:from:delivered-to:arc-authentication-results; bh=6Ni3/QcVpCBXlziQ48FLW1Fs5EZ/InZJpGSLxEtwG90=; b=ubv2c7iH9a5wT5ant5SI5gkJyew6uUncu6JmjkNTKM33ivTfUBqHdT+X0QuMF9MC4Z AjMAmo7iaJCpo9asJNDQKl9Bwci8Vokx3Mq4zCId3OgL8MhwammaNflOFQ5qo+15SPgY b/fcLH784Wvyhm4ZF6+w8IfR9TvtBvQAM8C0qFumgcfJOaM/0daip9vIlmSCmdU+8iyJ CcSrMunjbCWt1qPV1BINZs1hcBe7FXz+PLrZ62sMA406mb5vW6JtAVQuYgBMYPBFHdl0 WcQvkPTTwWB7UKSZ8u+rkSHLpONxvAVKPvowo4MI80BeDQW7PMLa63HnFbDwVJKKEL/t hC+Q== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of dri-devel-bounces@lists.freedesktop.org designates 131.252.210.177 as permitted sender) smtp.mailfrom=dri-devel-bounces@lists.freedesktop.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=samsung.com Return-Path: Received: from gabe.freedesktop.org (gabe.freedesktop.org. [131.252.210.177]) by mx.google.com with ESMTPS id p8si1662678pli.608.2017.07.12.03.09.42 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 12 Jul 2017 03:09:43 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of dri-devel-bounces@lists.freedesktop.org designates 131.252.210.177 as permitted sender) client-ip=131.252.210.177; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of dri-devel-bounces@lists.freedesktop.org designates 131.252.210.177 as permitted sender) smtp.mailfrom=dri-devel-bounces@lists.freedesktop.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=samsung.com Received: from gabe.freedesktop.org (localhost [127.0.0.1]) by gabe.freedesktop.org (Postfix) with ESMTP id 489A889BBE; Wed, 12 Jul 2017 10:09:42 +0000 (UTC) X-Original-To: dri-devel@lists.freedesktop.org Delivered-To: dri-devel@lists.freedesktop.org Received: from mailout3.w1.samsung.com (mailout3.w1.samsung.com [210.118.77.13]) by gabe.freedesktop.org (Postfix) with ESMTPS id BB7B889BBE for ; Wed, 12 Jul 2017 10:09:40 +0000 (UTC) Received: from eucas1p1.samsung.com (unknown [182.198.249.206]) by mailout3.w1.samsung.com (Oracle Communications Messaging Server 7.0.5.31.0 64bit (built May 5 2014)) with ESMTP id <0OSZ00DL32VXDT00@mailout3.w1.samsung.com> for dri-devel@lists.freedesktop.org; Wed, 12 Jul 2017 11:09:33 +0100 (BST) Received: from eusmges2.samsung.com (unknown [203.254.199.241]) by eucas1p2.samsung.com (KnoxPortal) with ESMTP id 20170712100932eucas1p29014090caece575c4acb57d35711b555~QjWxpFgXe2275022750eucas1p2s; Wed, 12 Jul 2017 10:09:32 +0000 (GMT) Received: from eucas1p2.samsung.com ( [182.198.249.207]) by eusmges2.samsung.com (EUCPMTA) with SMTP id D5.DF.04459.C55F5695; Wed, 12 Jul 2017 11:09:32 +0100 (BST) Received: from eusmgms2.samsung.com (unknown [182.198.249.180]) by eucas1p1.samsung.com (KnoxPortal) with ESMTP id 20170712100931eucas1p1bcc4da93969ed34797c984284d595b21~QjWw9fUWK1891118911eucas1p1M; Wed, 12 Jul 2017 10:09:31 +0000 (GMT) X-AuditID: cbfec7f1-f796e6d00000116b-26-5965f55cd7e3 Received: from eusync4.samsung.com ( [203.254.199.214]) by eusmgms2.samsung.com (EUCPMTA) with SMTP id AA.78.20206.B55F5695; Wed, 12 Jul 2017 11:09:31 +0100 (BST) Received: from AMDC2765.digital.local ([106.116.147.25]) by eusync4.samsung.com (Oracle Communications Messaging Server 7.0.5.31.0 64bit (built May 5 2014)) with ESMTPA id <0OSZ00B1R2VS4NC0@eusync4.samsung.com>; Wed, 12 Jul 2017 11:09:31 +0100 (BST) From: Marek Szyprowski To: dri-devel@lists.freedesktop.org, linux-samsung-soc@vger.kernel.org Subject: [PATCH] drm/exynos: forbid creating framebuffers from too small GEM buffers Date: Wed, 12 Jul 2017 12:09:22 +0200 Message-id: <1499854165-10902-1-git-send-email-m.szyprowski@samsung.com> X-Mailer: git-send-email 1.9.1 X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFjrCIsWRmVeSWpSXmKPExsWy7djP87oxX1MjDfYskLS4te4cq8XGGetZ La58fc9mMen+BBaLF/cuslicP7+B3WLG+X1MFmuP3GW3WLDxEaPFjMkv2Ry4PDat6mTzuN99 nMmjb8sqRo/Pm+QCWKK4bFJSczLLUov07RK4Mq41P2UteMhf0XyznaWB8RVPFyMnh4SAicTL 5++YIGwxiQv31rN1MXJxCAksZZSY9mIXK4TzmVFi0flmoAwHRMctRYj4MkaJY0vvQxU1MEn8 PbmIEWQUm4ChRNfbLjYQW0TATaLp8EywImaBI0wSh882s4AkhAXCJL4sOQvWwCKgKvHm3Akw m1fAQ2LzuessEDfJSZw8NhmsWULgNZvE4Rm/2SHOkJXYdIAZosZFovvte3YIW1ji1fEtULaM xOXJ3VBz+hklmlq1IewZjBLn3vJC2NYSh49fZAWxmQX4JCZtm84MMZ5XoqNNCML0kHj1lQvC dJT4254PUiwkECuxu+cb8wRG6QWMDKsYRVJLi3PTU4uN9IoTc4tL89L1kvNzNzEC4/b0v+Mf dzC+P2F1iFGAg1GJhzdhamqkEGtiWXFl7iFGCQ5mJRHeq2+BQrwpiZVVqUX58UWlOanFhxil OViUxHm5Tl2LEBJITyxJzU5NLUgtgskycXBKNTB6PVGNDCvLeN5tEnWsl+H+wjOFmbfvHXVt OF6w6pnLqbfTBO8euWQz/6r0qfU1BqadPDPOKeybu/Ho9wtNv24x/j+h7B+zvyCY5T+vXWnE hl1L7Hin+/87+2ha1MzZd5hfrt7y6m6WwbH6WRwlx/bef9OyWuNpb5T8iso0xtVHFNb2BHcd Cp+gp8RSnJFoqMVcVJwIANdDsYDXAgAA X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFrrNLMWRmVeSWpSXmKPExsVy+t/xa7rRX1MjDXrma1ncWneO1WLjjPWs Fle+vmezmHR/AovFi3sXWSzOn9/AbjHj/D4mi7VH7rJbLNj4iNFixuSXbA5cHptWdbJ53O8+ zuTRt2UVo8fnTXIBLFFuNhmpiSmpRQqpecn5KZl56bZKoSFuuhZKCnmJuam2ShG6viFBSgpl iTmlQJ6RARpwcA5wD1bSt0twy7jW/JS14CF/RfPNdpYGxlc8XYwcHBICJhIvbyl2MXICmWIS F+6tZ+ti5OIQEljCKDHx8jN2CKeJSWLL2UXsIFVsAoYSXW+72EBsEQE3iabDM1lBipgFjjBJ LLr6lgUkISwQJvFlyVlGEJtFQFXizbkTYDavgIfE5nPXWSDWyUmcPDaZdQIj9wJGhlWMIqml xbnpucVGesWJucWleel6yfm5mxiBAbvt2M8tOxi73gUfYhTgYFTi4W24kBIpxJpYVlyZe4hR goNZSYT36tvUSCHelMTKqtSi/Pii0pzU4kOMpkDLJzJLiSbnA6MpryTe0MTQ3NLQyNjCwtzI SEmcd+qHK+FCAumJJanZqakFqUUwfUwcnFINjMd/+G7dmZ6zWz9Nw8/y1huOXMut7e27C67O Tkp99qxnw9rTy548SFFI1ojdIMP7qMp3Vn5Pww6RGq+mOxdDnu4T4mhJm7txyxuBv7kixsu8 2ep4lTee4uBXXBlcLcxoHfuVrfajZOTdC1X7DXffTL0kufHg1zNWNUo3vP4+lb0RWiKdzvZd TomlOCPRUIu5qDgRAHOTEQ9uAgAA X-MTR: 20000000000000000@CPGS X-CMS-MailID: 20170712100931eucas1p1bcc4da93969ed34797c984284d595b21 X-Msg-Generator: CA X-Sender-IP: 182.198.249.180 X-Local-Sender: =?utf-8?q?Marek_Szyprowski=1BSRPOL-Kernel_=28TP=29=1B?= =?utf-8?b?7IK87ISx7KCE7J6QG1NlbmlvciBTb2Z0d2FyZSBFbmdpbmVlcg==?= X-Global-Sender: =?utf-8?q?Marek_Szyprowski=1BSRPOL-Kernel_=28TP=29=1BSam?= =?utf-8?q?sung_Electronics=1BSenior_Software_Engineer?= X-Sender-Code: =?utf-8?q?C10=1BEHQ=1BC10CD02CD027392?= CMS-TYPE: 201P X-HopCount: 7 X-CMS-RootMailID: 20170712100931eucas1p1bcc4da93969ed34797c984284d595b21 X-RootMTR: 20170712100931eucas1p1bcc4da93969ed34797c984284d595b21 References: Cc: Bartlomiej Zolnierkiewicz , Seung-Woo Kim , Krzysztof Kozlowski , stable@vger.kernel.org, Marek Szyprowski X-BeenThere: dri-devel@lists.freedesktop.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: Direct Rendering Infrastructure - Development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Errors-To: dri-devel-bounces@lists.freedesktop.org Sender: "dri-devel" Add a check if the framebuffer described by the provided drm_mode_fb_cmd2 structure fits into provided GEM buffers. Without this check it is possible to create a framebuffer object from a small buffer and set it to the hardware, what results in displaying system memory outside the allocated GEM buffer. Signed-off-by: Marek Szyprowski CC: stable@vger.kernel.org # v4.7+ --- This issue was there from the beggining, but the provided patch applies only to v4.7+ kernels due to other changes in the fixed code. --- drivers/gpu/drm/exynos/exynos_drm_fb.c | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/drivers/gpu/drm/exynos/exynos_drm_fb.c b/drivers/gpu/drm/exynos/exynos_drm_fb.c index d48fd7c918f8..73217c281c9a 100644 --- a/drivers/gpu/drm/exynos/exynos_drm_fb.c +++ b/drivers/gpu/drm/exynos/exynos_drm_fb.c @@ -145,13 +145,19 @@ struct drm_framebuffer * exynos_user_fb_create(struct drm_device *dev, struct drm_file *file_priv, const struct drm_mode_fb_cmd2 *mode_cmd) { + const struct drm_format_info *info = drm_get_format_info(dev, mode_cmd); struct exynos_drm_gem *exynos_gem[MAX_FB_BUFFER]; struct drm_gem_object *obj; struct drm_framebuffer *fb; int i; int ret; - for (i = 0; i < drm_format_num_planes(mode_cmd->pixel_format); i++) { + for (i = 0; i < info->num_planes; i++) { + unsigned int height = (i == 0) ? mode_cmd->height : + DIV_ROUND_UP(mode_cmd->height, info->vsub); + unsigned long size = height * mode_cmd->pitches[i] + + mode_cmd->offsets[i]; + obj = drm_gem_object_lookup(file_priv, mode_cmd->handles[i]); if (!obj) { DRM_ERROR("failed to lookup gem object\n"); @@ -160,6 +166,12 @@ struct drm_framebuffer * } exynos_gem[i] = to_exynos_gem(obj); + + if (size > exynos_gem[i]->size) { + i++; + ret = -EINVAL; + goto err; + } } fb = exynos_drm_framebuffer_init(dev, mode_cmd, exynos_gem, i);