diff mbox series

drm/mediatek: Check GEM buffer size

Message ID 20230925092249.2228743-1-hmazur@chromium.org (mailing list archive)
State New, archived
Headers show
Series drm/mediatek: Check GEM buffer size | expand

Commit Message

Hubert Mazur Sept. 25, 2023, 9:22 a.m. UTC
The buffer size is derived from parameters supplied by the userspace.
Having the size equal 0 causes allocation failure leading to kernel
panic.

Fix this by checking if size equals 0.

Fixes: 119f5173628a ("drm/mediatek: Add DRM Driver for Mediatek SoC MT8173.")

Signed-off-by: Hubert Mazur <hmazur@chromium.org>
---
 drivers/gpu/drm/mediatek/mtk_drm_gem.c | 5 +++++
 1 file changed, 5 insertions(+)

Comments

Michał Krawczyk Sept. 25, 2023, 9:25 a.m. UTC | #1
On Mon, Sep 25, 2023 at 11:23 AM Hubert Mazur <hmazur@chromium.org> wrote:
>
> The buffer size is derived from parameters supplied by the userspace.
> Having the size equal 0 causes allocation failure leading to kernel
> panic.
>
> Fix this by checking if size equals 0.
>
> Fixes: 119f5173628a ("drm/mediatek: Add DRM Driver for Mediatek SoC MT8173.")
>
> Signed-off-by: Hubert Mazur <hmazur@chromium.org>
Reviewed-by: Michal Krawczyk <mikrawczyk@google.com>
> ---
>  drivers/gpu/drm/mediatek/mtk_drm_gem.c | 5 +++++
>  1 file changed, 5 insertions(+)
>
> diff --git a/drivers/gpu/drm/mediatek/mtk_drm_gem.c b/drivers/gpu/drm/mediatek/mtk_drm_gem.c
> index 9f364df52478..3b985b99d5c6 100644
> --- a/drivers/gpu/drm/mediatek/mtk_drm_gem.c
> +++ b/drivers/gpu/drm/mediatek/mtk_drm_gem.c
> @@ -62,6 +62,11 @@ struct mtk_drm_gem_obj *mtk_drm_gem_create(struct drm_device *dev,
>         struct drm_gem_object *obj;
>         int ret;
>
> +       if (size == 0) {
> +               DRM_ERROR("Invalid allocation size: %zu", size);
> +               return ERR_PTR(-EINVAL);
> +       }
> +
>         mtk_gem = mtk_drm_gem_init(dev, size);
>         if (IS_ERR(mtk_gem))
>                 return ERR_CAST(mtk_gem);
> --
> 2.42.0.515.g380fc7ccd1-goog
>
CK Hu (胡俊光) Sept. 25, 2023, 9:40 a.m. UTC | #2
Hi, Hubert:

On Mon, 2023-09-25 at 09:22 +0000, Hubert Mazur wrote:
>  	 
> External email : Please do not click links or open attachments until
> you have verified the sender or the content.
>  The buffer size is derived from parameters supplied by the
> userspace.
> Having the size equal 0 causes allocation failure leading to kernel
> panic.

The size is calculated by width and height, and drm_mode_create_dumb()
has checked the width and height, so the size would not be 0. So this
patch is redundant.

Regards,
CK

> 
> Fix this by checking if size equals 0.
> 
> Fixes: 119f5173628a ("drm/mediatek: Add DRM Driver for Mediatek SoC
> MT8173.")
> 
> Signed-off-by: Hubert Mazur <hmazur@chromium.org>
> ---
>  drivers/gpu/drm/mediatek/mtk_drm_gem.c | 5 +++++
>  1 file changed, 5 insertions(+)
> 
> diff --git a/drivers/gpu/drm/mediatek/mtk_drm_gem.c
> b/drivers/gpu/drm/mediatek/mtk_drm_gem.c
> index 9f364df52478..3b985b99d5c6 100644
> --- a/drivers/gpu/drm/mediatek/mtk_drm_gem.c
> +++ b/drivers/gpu/drm/mediatek/mtk_drm_gem.c
> @@ -62,6 +62,11 @@ struct mtk_drm_gem_obj *mtk_drm_gem_create(struct
> drm_device *dev,
>  	struct drm_gem_object *obj;
>  	int ret;
>  
> +	if (size == 0) {
> +		DRM_ERROR("Invalid allocation size: %zu", size);
> +		return ERR_PTR(-EINVAL);
> +	}
> +
>  	mtk_gem = mtk_drm_gem_init(dev, size);
>  	if (IS_ERR(mtk_gem))
>  		return ERR_CAST(mtk_gem);
> -- 
> 2.42.0.515.g380fc7ccd1-goog
diff mbox series

Patch

diff --git a/drivers/gpu/drm/mediatek/mtk_drm_gem.c b/drivers/gpu/drm/mediatek/mtk_drm_gem.c
index 9f364df52478..3b985b99d5c6 100644
--- a/drivers/gpu/drm/mediatek/mtk_drm_gem.c
+++ b/drivers/gpu/drm/mediatek/mtk_drm_gem.c
@@ -62,6 +62,11 @@  struct mtk_drm_gem_obj *mtk_drm_gem_create(struct drm_device *dev,
 	struct drm_gem_object *obj;
 	int ret;
 
+	if (size == 0) {
+		DRM_ERROR("Invalid allocation size: %zu", size);
+		return ERR_PTR(-EINVAL);
+	}
+
 	mtk_gem = mtk_drm_gem_init(dev, size);
 	if (IS_ERR(mtk_gem))
 		return ERR_CAST(mtk_gem);