From patchwork Wed Jul 12 10:09:22 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Marek Szyprowski X-Patchwork-Id: 9836437 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id 9CC8D60393 for ; Wed, 12 Jul 2017 10:09:47 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 8E79227F97 for ; Wed, 12 Jul 2017 10:09:47 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 829362856C; Wed, 12 Jul 2017 10:09:47 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-6.9 required=2.0 tests=BAYES_00,RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 18FA827F97 for ; Wed, 12 Jul 2017 10:09:47 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1756187AbdGLKJp (ORCPT ); Wed, 12 Jul 2017 06:09:45 -0400 Received: from mailout3.w1.samsung.com ([210.118.77.13]:32589 "EHLO mailout3.w1.samsung.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1756180AbdGLKJm (ORCPT ); Wed, 12 Jul 2017 06:09:42 -0400 Received: from eucas1p1.samsung.com (unknown [182.198.249.206]) by mailout3.w1.samsung.com (Oracle Communications Messaging Server 7.0.5.31.0 64bit (built May 5 2014)) with ESMTP id <0OSZ00DL32VXDT00@mailout3.w1.samsung.com>; Wed, 12 Jul 2017 11:09:33 +0100 (BST) Received: from eusmges2.samsung.com (unknown [203.254.199.241]) by eucas1p2.samsung.com (KnoxPortal) with ESMTP id 20170712100932eucas1p29014090caece575c4acb57d35711b555~QjWxpFgXe2275022750eucas1p2s; Wed, 12 Jul 2017 10:09:32 +0000 (GMT) Received: from eucas1p2.samsung.com ( [182.198.249.207]) by eusmges2.samsung.com (EUCPMTA) with SMTP id D5.DF.04459.C55F5695; Wed, 12 Jul 2017 11:09:32 +0100 (BST) Received: from eusmgms2.samsung.com (unknown [182.198.249.180]) by eucas1p1.samsung.com (KnoxPortal) with ESMTP id 20170712100931eucas1p1bcc4da93969ed34797c984284d595b21~QjWw9fUWK1891118911eucas1p1M; Wed, 12 Jul 2017 10:09:31 +0000 (GMT) X-AuditID: cbfec7f1-f796e6d00000116b-26-5965f55cd7e3 Received: from eusync4.samsung.com ( [203.254.199.214]) by eusmgms2.samsung.com (EUCPMTA) with SMTP id AA.78.20206.B55F5695; Wed, 12 Jul 2017 11:09:31 +0100 (BST) Received: from AMDC2765.digital.local ([106.116.147.25]) by eusync4.samsung.com (Oracle Communications Messaging Server 7.0.5.31.0 64bit (built May 5 2014)) with ESMTPA id <0OSZ00B1R2VS4NC0@eusync4.samsung.com>; Wed, 12 Jul 2017 11:09:31 +0100 (BST) From: Marek Szyprowski To: dri-devel@lists.freedesktop.org, linux-samsung-soc@vger.kernel.org Cc: Marek Szyprowski , Inki Dae , Joonyoung Shim , Seung-Woo Kim , Andrzej Hajda , Krzysztof Kozlowski , Bartlomiej Zolnierkiewicz , stable@vger.kernel.org Subject: [PATCH] drm/exynos: forbid creating framebuffers from too small GEM buffers Date: Wed, 12 Jul 2017 12:09:22 +0200 Message-id: <1499854165-10902-1-git-send-email-m.szyprowski@samsung.com> X-Mailer: git-send-email 1.9.1 X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFjrCIsWRmVeSWpSXmKPExsWy7djP87oxX1MjDfYskLS4te4cq8XGGetZ La58fc9mMen+BBaLF/cuslicP7+B3WLG+X1MFmuP3GW3WLDxEaPFjMkv2Ry4PDat6mTzuN99 nMmjb8sqRo/Pm+QCWKK4bFJSczLLUov07RK4Mq41P2UteMhf0XyznaWB8RVPFyMnh4SAicTL 5++YIGwxiQv31rN1MXJxCAksZZSY9mIXK4TzmVFi0flmoAwHRMctRYj4MkaJY0vvQxU1MEn8 PbmIEWQUm4ChRNfbLjYQW0TATaLp8EywImaBI0wSh882s4AkhAXCJL4sOQvWwCKgKvHm3Akw m1fAQ2LzuessEDfJSZw8NhmsWULgNZvE4Rm/2SHOkJXYdIAZosZFovvte3YIW1ji1fEtULaM xOXJ3VBz+hklmlq1IewZjBLn3vJC2NYSh49fZAWxmQX4JCZtm84MMZ5XoqNNCML0kHj1lQvC dJT4254PUiwkECuxu+cb8wRG6QWMDKsYRVJLi3PTU4uN9IoTc4tL89L1kvNzNzEC4/b0v+Mf dzC+P2F1iFGAg1GJhzdhamqkEGtiWXFl7iFGCQ5mJRHeq2+BQrwpiZVVqUX58UWlOanFhxil OViUxHm5Tl2LEBJITyxJzU5NLUgtgskycXBKNTB6PVGNDCvLeN5tEnWsl+H+wjOFmbfvHXVt OF6w6pnLqbfTBO8euWQz/6r0qfU1BqadPDPOKeybu/Ho9wtNv24x/j+h7B+zvyCY5T+vXWnE hl1L7Hin+/87+2ha1MzZd5hfrt7y6m6WwbH6WRwlx/bef9OyWuNpb5T8iso0xtVHFNb2BHcd Cp+gp8RSnJFoqMVcVJwIANdDsYDXAgAA X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFrrNLMWRmVeSWpSXmKPExsVy+t/xa7rRX1MjDXrma1ncWneO1WLjjPWs Fle+vmezmHR/AovFi3sXWSzOn9/AbjHj/D4mi7VH7rJbLNj4iNFixuSXbA5cHptWdbJ53O8+ zuTRt2UVo8fnTXIBLFFuNhmpiSmpRQqpecn5KZl56bZKoSFuuhZKCnmJuam2ShG6viFBSgpl iTmlQJ6RARpwcA5wD1bSt0twy7jW/JS14CF/RfPNdpYGxlc8XYwcHBICJhIvbyl2MXICmWIS F+6tZ+ti5OIQEljCKDHx8jN2CKeJSWLL2UXsIFVsAoYSXW+72EBsEQE3iabDM1lBipgFjjBJ LLr6lgUkISwQJvFlyVlGEJtFQFXizbkTYDavgIfE5nPXWSDWyUmcPDaZdQIj9wJGhlWMIqml xbnpucVGesWJucWleel6yfm5mxiBAbvt2M8tOxi73gUfYhTgYFTi4W24kBIpxJpYVlyZe4hR goNZSYT36tvUSCHelMTKqtSi/Pii0pzU4kOMpkDLJzJLiSbnA6MpryTe0MTQ3NLQyNjCwtzI SEmcd+qHK+FCAumJJanZqakFqUUwfUwcnFINjMd/+G7dmZ6zWz9Nw8/y1huOXMut7e27C67O Tkp99qxnw9rTy548SFFI1ojdIMP7qMp3Vn5Pww6RGq+mOxdDnu4T4mhJm7txyxuBv7kixsu8 2ep4lTee4uBXXBlcLcxoHfuVrfajZOTdC1X7DXffTL0kufHg1zNWNUo3vP4+lb0RWiKdzvZd TomlOCPRUIu5qDgRAHOTEQ9uAgAA X-MTR: 20000000000000000@CPGS X-CMS-MailID: 20170712100931eucas1p1bcc4da93969ed34797c984284d595b21 X-Msg-Generator: CA X-Sender-IP: 182.198.249.180 X-Local-Sender: =?UTF-8?B?TWFyZWsgU3p5cHJvd3NraRtTUlBPTC1LZXJuZWwgKFRQKRs=?= =?UTF-8?B?7IK87ISx7KCE7J6QG1NlbmlvciBTb2Z0d2FyZSBFbmdpbmVlcg==?= X-Global-Sender: =?UTF-8?B?TWFyZWsgU3p5cHJvd3NraRtTUlBPTC1LZXJuZWwgKFRQKRtT?= =?UTF-8?B?YW1zdW5nIEVsZWN0cm9uaWNzG1NlbmlvciBTb2Z0d2FyZSBFbmdpbmVlcg==?= X-Sender-Code: =?UTF-8?B?QzEwG0VIURtDMTBDRDAyQ0QwMjczOTI=?= CMS-TYPE: 201P X-HopCount: 7 X-CMS-RootMailID: 20170712100931eucas1p1bcc4da93969ed34797c984284d595b21 X-RootMTR: 20170712100931eucas1p1bcc4da93969ed34797c984284d595b21 References: Sender: linux-samsung-soc-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-samsung-soc@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP Add a check if the framebuffer described by the provided drm_mode_fb_cmd2 structure fits into provided GEM buffers. Without this check it is possible to create a framebuffer object from a small buffer and set it to the hardware, what results in displaying system memory outside the allocated GEM buffer. Signed-off-by: Marek Szyprowski CC: stable@vger.kernel.org # v4.7+ Reviewed-by: Tobias Jakobi --- This issue was there from the beggining, but the provided patch applies only to v4.7+ kernels due to other changes in the fixed code. --- drivers/gpu/drm/exynos/exynos_drm_fb.c | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/drivers/gpu/drm/exynos/exynos_drm_fb.c b/drivers/gpu/drm/exynos/exynos_drm_fb.c index d48fd7c918f8..73217c281c9a 100644 --- a/drivers/gpu/drm/exynos/exynos_drm_fb.c +++ b/drivers/gpu/drm/exynos/exynos_drm_fb.c @@ -145,13 +145,19 @@ struct drm_framebuffer * exynos_user_fb_create(struct drm_device *dev, struct drm_file *file_priv, const struct drm_mode_fb_cmd2 *mode_cmd) { + const struct drm_format_info *info = drm_get_format_info(dev, mode_cmd); struct exynos_drm_gem *exynos_gem[MAX_FB_BUFFER]; struct drm_gem_object *obj; struct drm_framebuffer *fb; int i; int ret; - for (i = 0; i < drm_format_num_planes(mode_cmd->pixel_format); i++) { + for (i = 0; i < info->num_planes; i++) { + unsigned int height = (i == 0) ? mode_cmd->height : + DIV_ROUND_UP(mode_cmd->height, info->vsub); + unsigned long size = height * mode_cmd->pitches[i] + + mode_cmd->offsets[i]; + obj = drm_gem_object_lookup(file_priv, mode_cmd->handles[i]); if (!obj) { DRM_ERROR("failed to lookup gem object\n"); @@ -160,6 +166,12 @@ struct drm_framebuffer * } exynos_gem[i] = to_exynos_gem(obj); + + if (size > exynos_gem[i]->size) { + i++; + ret = -EINVAL; + goto err; + } } fb = exynos_drm_framebuffer_init(dev, mode_cmd, exynos_gem, i);