From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev, Ian Forbes <ian.forbes@broadcom.com>,
Zack Rusin <zack.rusin@broadcom.com>,
Martin Krastev <martin.krastev@broadcom.com>,
Sasha Levin <sashal@kernel.org>
Subject: [PATCH 5.15 09/22] drm/vmwgfx: Limit display layout ioctl array size to VMWGFX_NUM_DISPLAY_UNITS
Date: Fri, 15 Nov 2024 07:38:55 +0100 [thread overview]
Message-ID: <20241115063721.511159187@linuxfoundation.org> (raw)
In-Reply-To: <20241115063721.172791419@linuxfoundation.org>
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ian Forbes <ian.forbes@broadcom.com>
[ Upstream commit 28a5dfd4f615539fb22fb6d5c219c199c14e6eb6 ]
Currently the array size is only limited by the largest kmalloc size which
is incorrect. This change will also return a more specific error message
than ENOMEM to userspace.
Signed-off-by: Ian Forbes <ian.forbes@broadcom.com>
Reviewed-by: Zack Rusin <zack.rusin@broadcom.com>
Reviewed-by: Martin Krastev <martin.krastev@broadcom.com>
Signed-off-by: Zack Rusin <zack.rusin@broadcom.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20240808200634.1074083-1-ian.forbes@broadcom.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/vmwgfx/vmwgfx_drv.h | 4 ++--
drivers/gpu/drm/vmwgfx/vmwgfx_kms.c | 4 +++-
drivers/gpu/drm/vmwgfx/vmwgfx_kms.h | 3 ---
3 files changed, 5 insertions(+), 6 deletions(-)
diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_drv.h b/drivers/gpu/drm/vmwgfx/vmwgfx_drv.h
index 7bb7a69321d30..9c60bb2aefe1f 100644
--- a/drivers/gpu/drm/vmwgfx/vmwgfx_drv.h
+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_drv.h
@@ -59,7 +59,7 @@
#define VMWGFX_DRIVER_MINOR 19
#define VMWGFX_DRIVER_PATCHLEVEL 0
#define VMWGFX_FIFO_STATIC_SIZE (1024*1024)
-#define VMWGFX_MAX_DISPLAYS 16
+#define VMWGFX_NUM_DISPLAY_UNITS 8
#define VMWGFX_CMD_BOUNCE_INIT_SIZE 32768
#define VMWGFX_PCI_ID_SVGA2 0x0405
@@ -71,7 +71,7 @@
#define VMWGFX_NUM_GB_CONTEXT 256
#define VMWGFX_NUM_GB_SHADER 20000
#define VMWGFX_NUM_GB_SURFACE 32768
-#define VMWGFX_NUM_GB_SCREEN_TARGET VMWGFX_MAX_DISPLAYS
+#define VMWGFX_NUM_GB_SCREEN_TARGET VMWGFX_NUM_DISPLAY_UNITS
#define VMWGFX_NUM_DXCONTEXT 256
#define VMWGFX_NUM_DXQUERY 512
#define VMWGFX_NUM_MOB (VMWGFX_NUM_GB_CONTEXT +\
diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c b/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c
index 23010d60edfe4..8a9b61920496a 100644
--- a/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c
+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c
@@ -2295,7 +2295,7 @@ int vmw_kms_update_layout_ioctl(struct drm_device *dev, void *data,
struct drm_mode_config *mode_config = &dev->mode_config;
struct drm_vmw_update_layout_arg *arg =
(struct drm_vmw_update_layout_arg *)data;
- void __user *user_rects;
+ const void __user *user_rects;
struct drm_vmw_rect *rects;
struct drm_rect *drm_rects;
unsigned rects_size;
@@ -2308,6 +2308,8 @@ int vmw_kms_update_layout_ioctl(struct drm_device *dev, void *data,
def_rect.x2, def_rect.y2);
vmw_du_update_layout(dev_priv, 1, &def_rect);
return 0;
+ } else if (arg->num_outputs > VMWGFX_NUM_DISPLAY_UNITS) {
+ return -E2BIG;
}
rects_size = arg->num_outputs * sizeof(struct drm_vmw_rect);
diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_kms.h b/drivers/gpu/drm/vmwgfx/vmwgfx_kms.h
index 23c2dc943caf0..85595d0bcfcec 100644
--- a/drivers/gpu/drm/vmwgfx/vmwgfx_kms.h
+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_kms.h
@@ -198,9 +198,6 @@ struct vmw_kms_dirty {
s32 unit_y2;
};
-#define VMWGFX_NUM_DISPLAY_UNITS 8
-
-
#define vmw_framebuffer_to_vfb(x) \
container_of(x, struct vmw_framebuffer, base)
#define vmw_framebuffer_to_vfbs(x) \
--
2.43.0
next prev parent reply other threads:[~2024-11-15 7:00 UTC|newest]
Thread overview: 32+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-11-15 6:38 [PATCH 5.15 00/22] 5.15.173-rc1 review Greg Kroah-Hartman
2024-11-15 6:38 ` [PATCH 5.15 01/22] 9p: Avoid creating multiple slab caches with the same name Greg Kroah-Hartman
2024-11-15 6:38 ` [PATCH 5.15 02/22] irqchip/ocelot: Fix trigger register address Greg Kroah-Hartman
2024-11-15 6:38 ` [PATCH 5.15 03/22] block: Fix elevator_get_default() checking for NULL q->tag_set Greg Kroah-Hartman
2024-11-15 6:38 ` [PATCH 5.15 04/22] HID: multitouch: Add support for B2402FVA track point Greg Kroah-Hartman
2024-11-15 6:38 ` [PATCH 5.15 05/22] HID: multitouch: Add quirk for HONOR MagicBook Art 14 touchpad Greg Kroah-Hartman
2024-11-15 6:38 ` [PATCH 5.15 06/22] bpf: use kvzmalloc to allocate BPF verifier environment Greg Kroah-Hartman
2024-11-15 6:38 ` [PATCH 5.15 07/22] crypto: marvell/cesa - Disable hash algorithms Greg Kroah-Hartman
2024-11-15 6:38 ` [PATCH 5.15 08/22] sound: Make CONFIG_SND depend on INDIRECT_IOMEM instead of UML Greg Kroah-Hartman
2024-11-15 6:38 ` Greg Kroah-Hartman [this message]
2024-11-15 6:38 ` [PATCH 5.15 10/22] powerpc/powernv: Free name on error in opal_event_init() Greg Kroah-Hartman
2024-11-15 6:38 ` [PATCH 5.15 11/22] vDPA/ifcvf: Fix pci_read_config_byte() return code handling Greg Kroah-Hartman
2024-11-15 6:38 ` [PATCH 5.15 12/22] fs: Fix uninitialized value issue in from_kuid and from_kgid Greg Kroah-Hartman
2024-11-15 6:38 ` [PATCH 5.15 13/22] HID: multitouch: Add quirk for Logitech Bolt receiver w/ Casa touchpad Greg Kroah-Hartman
2024-11-15 6:39 ` [PATCH 5.15 14/22] HID: lenovo: Add support for Thinkpad X1 Tablet Gen 3 keyboard Greg Kroah-Hartman
2024-11-15 6:39 ` [PATCH 5.15 15/22] net: usb: qmi_wwan: add Fibocom FG132 0x0112 composition Greg Kroah-Hartman
2024-11-15 6:39 ` [PATCH 5.15 16/22] md/raid10: improve code of mrdev in raid10_sync_request Greg Kroah-Hartman
2024-11-15 6:39 ` [PATCH 5.15 17/22] io_uring: fix possible deadlock in io_register_iowq_max_workers() Greg Kroah-Hartman
2024-11-15 6:39 ` [PATCH 5.15 18/22] mm: krealloc: Fix MTE false alarm in __do_krealloc Greg Kroah-Hartman
2024-11-15 6:39 ` [PATCH 5.15 19/22] mm/memory: add non-anonymous page check in the copy_present_page() Greg Kroah-Hartman
2024-11-15 6:39 ` [PATCH 5.15 20/22] udf: Allocate name buffer in directory iterator on heap Greg Kroah-Hartman
2024-11-15 6:39 ` [PATCH 5.15 21/22] udf: Avoid directory type conversion failure due to ENOMEM Greg Kroah-Hartman
2024-11-15 6:39 ` [PATCH 5.15 22/22] 9p: fix slab cache name creation for real Greg Kroah-Hartman
2024-11-15 16:00 ` [PATCH 5.15 00/22] 5.15.173-rc1 review Harshit Mogalapalli
2024-11-15 18:10 ` Jon Hunter
2024-11-15 18:25 ` SeongJae Park
2024-11-15 18:59 ` Florian Fainelli
2024-11-15 21:27 ` Mark Brown
2024-11-16 0:12 ` Ron Economos
2024-11-16 12:27 ` Naresh Kamboju
2024-11-16 17:18 ` [PATCH 5.15] " Hardik Garg
2024-11-16 21:13 ` [PATCH 5.15 00/22] " Shuah Khan
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20241115063721.511159187@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=ian.forbes@broadcom.com \
--cc=martin.krastev@broadcom.com \
--cc=patches@lists.linux.dev \
--cc=sashal@kernel.org \
--cc=stable@vger.kernel.org \
--cc=zack.rusin@broadcom.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.