[v2,5/8] drm/omap: gem: dumb: pitch is an output

Message ID	1415288961-14464-6-git-send-email-thierry.reding@gmail.com (mailing list archive)
State	New, archived
Headers	show Return-Path: <dri-devel-bounces@lists.freedesktop.org> From: Thierry Reding <thierry.reding@gmail.com> To: Dave Airlie <airlied@redhat.com> Subject: [PATCH v2 5/8] drm/omap: gem: dumb: pitch is an output Date: Thu, 6 Nov 2014 16:49:18 +0100 Message-Id: <1415288961-14464-6-git-send-email-thierry.reding@gmail.com> In-Reply-To: <1415288961-14464-1-git-send-email-thierry.reding@gmail.com> References: <1415193919-1687-1-git-send-email-thierry.reding@gmail.com> <1415288961-14464-1-git-send-email-thierry.reding@gmail.com> Cc: Benjamin Gaignard <benjamin.gaignard@linaro.org>, Daniel Vetter <daniel.vetter@ffwll.ch>, dri-devel@lists.freedesktop.org, Tomi Valkeinen <tomi.valkeinen@ti.com>, Laurent Pinchart <laurent.pinchart@ideasonboard.com>, Russell King <rmk+kernel@arm.linux.org.uk> Precedence: list MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: base64 Errors-To: dri-devel-bounces@lists.freedesktop.org Sender: "dri-devel" <dri-devel-bounces@lists.freedesktop.org>

Message ID

1415288961-14464-6-git-send-email-thierry.reding@gmail.com (mailing list archive)

State

New, archived

Headers

From: Thierry Reding <thierry.reding@gmail.com>
To: Dave Airlie <airlied@redhat.com>
Subject: [PATCH v2 5/8] drm/omap: gem: dumb: pitch is an output
Date: Thu,  6 Nov 2014 16:49:18 +0100
Message-Id: <1415288961-14464-6-git-send-email-thierry.reding@gmail.com>
In-Reply-To: <1415288961-14464-1-git-send-email-thierry.reding@gmail.com>
References: <1415193919-1687-1-git-send-email-thierry.reding@gmail.com>
	<1415288961-14464-1-git-send-email-thierry.reding@gmail.com>
Cc: Benjamin Gaignard <benjamin.gaignard@linaro.org>,
	Daniel Vetter <daniel.vetter@ffwll.ch>, dri-devel@lists.freedesktop.org, 
	Tomi Valkeinen <tomi.valkeinen@ti.com>,
	Laurent Pinchart <laurent.pinchart@ideasonboard.com>,
	Russell King <rmk+kernel@arm.linux.org.uk>
Precedence: list
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
Errors-To: dri-devel-bounces@lists.freedesktop.org
Sender: "dri-devel" <dri-devel-bounces@lists.freedesktop.org>

Commit Message

Thierry Reding Nov. 6, 2014, 3:49 p.m. UTC

From: Thierry Reding <treding@nvidia.com>

When creating a dumb buffer object using the DRM_IOCTL_MODE_CREATE_DUMB
IOCTL, only the width, height, bpp and flags fields are inputs. The
caller is not guaranteed to zero out or set handle, pitch and size.
Drivers must not treat these values as possible inputs, otherwise they
may use uninitialized memory during the computation of the framebuffer
size.

The OMAP driver uses the pitch field passed in by userspace as a minimum
and only override it if the driver-computed pitch is larger than what
userspace provided. To prevent this from causing overallocation, fix the
minimum pitch to 0 to enforce the driver-computed pitch.

Cc: Tomi Valkeinen <tomi.valkeinen@ti.com>
Reviewed-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Signed-off-by: Thierry Reding <treding@nvidia.com>
---
 drivers/gpu/drm/omapdrm/omap_gem.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

Rob Clark Nov. 6, 2014, 10:23 p.m. UTC | #1

On Thu, Nov 6, 2014 at 10:49 AM, Thierry Reding
<thierry.reding@gmail.com> wrote:
> From: Thierry Reding <treding@nvidia.com>
>
> When creating a dumb buffer object using the DRM_IOCTL_MODE_CREATE_DUMB
> IOCTL, only the width, height, bpp and flags fields are inputs. The
> caller is not guaranteed to zero out or set handle, pitch and size.
> Drivers must not treat these values as possible inputs, otherwise they
> may use uninitialized memory during the computation of the framebuffer
> size.
>
> The OMAP driver uses the pitch field passed in by userspace as a minimum
> and only override it if the driver-computed pitch is larger than what
> userspace provided. To prevent this from causing overallocation, fix the
> minimum pitch to 0 to enforce the driver-computed pitch.
>
> Cc: Tomi Valkeinen <tomi.valkeinen@ti.com>
> Reviewed-by: Daniel Vetter <daniel.vetter@ffwll.ch>
> Signed-off-by: Thierry Reding <treding@nvidia.com>

Reviewed-by: Rob Clark <robdclark@gmail.com>

> ---
>  drivers/gpu/drm/omapdrm/omap_gem.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/gpu/drm/omapdrm/omap_gem.c b/drivers/gpu/drm/omapdrm/omap_gem.c
> index e4849413ee80..bff60b73995b 100644
> --- a/drivers/gpu/drm/omapdrm/omap_gem.c
> +++ b/drivers/gpu/drm/omapdrm/omap_gem.c
> @@ -613,7 +613,7 @@ int omap_gem_dumb_create(struct drm_file *file, struct drm_device *dev,
>         union omap_gem_size gsize;
>
>         /* in case someone tries to feed us a completely bogus stride: */
> -       args->pitch = align_pitch(args->pitch, args->width, args->bpp);
> +       args->pitch = align_pitch(0, args->width, args->bpp);
>         args->size = PAGE_ALIGN(args->pitch * args->height);
>
>         gsize = (union omap_gem_size){
> --
> 2.1.3
>

Tomi Valkeinen Nov. 7, 2014, 8:02 a.m. UTC | #2

On 06/11/14 17:49, Thierry Reding wrote:
> From: Thierry Reding <treding@nvidia.com>
> 
> When creating a dumb buffer object using the DRM_IOCTL_MODE_CREATE_DUMB
> IOCTL, only the width, height, bpp and flags fields are inputs. The
> caller is not guaranteed to zero out or set handle, pitch and size.
> Drivers must not treat these values as possible inputs, otherwise they
> may use uninitialized memory during the computation of the framebuffer
> size.
> 
> The OMAP driver uses the pitch field passed in by userspace as a minimum
> and only override it if the driver-computed pitch is larger than what
> userspace provided. To prevent this from causing overallocation, fix the
> minimum pitch to 0 to enforce the driver-computed pitch.
> 
> Cc: Tomi Valkeinen <tomi.valkeinen@ti.com>
> Reviewed-by: Daniel Vetter <daniel.vetter@ffwll.ch>
> Signed-off-by: Thierry Reding <treding@nvidia.com>
> ---
>  drivers/gpu/drm/omapdrm/omap_gem.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/drivers/gpu/drm/omapdrm/omap_gem.c b/drivers/gpu/drm/omapdrm/omap_gem.c
> index e4849413ee80..bff60b73995b 100644
> --- a/drivers/gpu/drm/omapdrm/omap_gem.c
> +++ b/drivers/gpu/drm/omapdrm/omap_gem.c
> @@ -613,7 +613,7 @@ int omap_gem_dumb_create(struct drm_file *file, struct drm_device *dev,
>  	union omap_gem_size gsize;
>  
>  	/* in case someone tries to feed us a completely bogus stride: */

This comment could also be removed, as it doesn't make sense after this
change.

> -	args->pitch = align_pitch(args->pitch, args->width, args->bpp);
> +	args->pitch = align_pitch(0, args->width, args->bpp);
>  	args->size = PAGE_ALIGN(args->pitch * args->height);
>  
>  	gsize = (union omap_gem_size){

Acked-by: Tomi Valkeinen <tomi.valkeinen@ti.com>

 Tomi

diff --git a/drivers/gpu/drm/omapdrm/omap_gem.c b/drivers/gpu/drm/omapdrm/omap_gem.c
index e4849413ee80..bff60b73995b 100644
--- a/drivers/gpu/drm/omapdrm/omap_gem.c
+++ b/drivers/gpu/drm/omapdrm/omap_gem.c
@@ -613,7 +613,7 @@  int omap_gem_dumb_create(struct drm_file *file, struct drm_device *dev,
 	union omap_gem_size gsize;
 
 	/* in case someone tries to feed us a completely bogus stride: */
-	args->pitch = align_pitch(args->pitch, args->width, args->bpp);
+	args->pitch = align_pitch(0, args->width, args->bpp);
 	args->size = PAGE_ALIGN(args->pitch * args->height);
 
 	gsize = (union omap_gem_size){

[v2,5/8] drm/omap: gem: dumb: pitch is an output

Commit Message

Comments

Patch