From: sashiko-bot@kernel.org
To: "Thomas Zimmermann" <tzimmermann@suse.de>
Cc: dri-devel@lists.freedesktop.org
Subject: Re: [PATCH 1/2] drm/sysfb: Do not page-align visible size of the framebuffer
Date: Wed, 17 Jun 2026 11:40:26 +0000
Message-ID: <20260617114027.1F2A71F000E9@smtp.kernel.org>
In-Reply-To: <20260617112932.511657-2-tzimmermann@suse.de>

Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:

Pre-existing issues:
- [High] 32-bit integer overflow in `height * stride` calculation causes truncated visible size for framebuffers >4GB, leading to out-of-bounds kernel memory accesses.
--

commit e0fef2d92fd416a597acb169f1514b97e1eff546
Author: Thomas Zimmermann <tzimmermann@suse.de>

drm/sysfb: Do not page-align visible size of the framebuffer

This commit stops page-aligning the visible size of the system
framebuffer in drm_sysfb_get_visible_size_si(). Drivers use this size
value for reserving access to framebuffer memory, and increasing the
value can make later attempts to reserve memory fail.

> diff --git a/drivers/gpu/drm/sysfb/drm_sysfb_screen_info.c b/drivers/gpu/drm/sysfb/drm_sysfb_screen_info.c
> --- a/drivers/gpu/drm/sysfb/drm_sysfb_screen_info.c
> +++ b/drivers/gpu/drm/sysfb/drm_sysfb_screen_info.c
> @@ -67,7 +67,7 @@ EXPORT_SYMBOL(drm_sysfb_get_stride_si);
>  u64 drm_sysfb_get_visible_size_si(struct drm_device *dev, const struct screen_info *si,
>  				  unsigned int height, unsigned int stride, u64 size)
>  {
> -	u64 vsize = PAGE_ALIGN(height * stride);
> +	u64 vsize = height * stride;

[Severity: High]
This is a pre-existing issue, but does this calculation overflow on 32-bit
arithmetic before assignment?

Both height and stride are passed as unsigned int. If the system provides a
framebuffer resource larger than 4GB, the height * stride product could
overflow and truncate before being zero-extended to u64 vsize.

This truncated value could pass validation against the resource bounds
and lead to an undersized devm_ioremap_wc(). Could this cause out-of-bounds
kernel memory accesses during subsequent DRM operations, such as
drm_fb_memcpy(), if they iterate using the original non-truncated dimensions?

>  
>  	return drm_sysfb_get_validated_size0(dev, "visible size", vsize, size);
>  }
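
Review bot: the `+` line still multiplies two `unsigned int` values, so `height * stride` is evaluated in 32 bits and wraps before it is widened into `vsize`. With PAGE_ALIGN() dropped the expression stands alone, which makes this a natural place to widen one operand first, for example `u64 vsize = (u64)height * stride;` or `mul_u32_u32(height, stride)`. Otherwise the wrapped value is what drm_sysfb_get_validated_size0() compares against `size`.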

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260617112932.511657-1-tzimmermann@suse.de?part=1
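
The truncation described in the review above, as an added userspace example (not code from the patch or the kernel): it models the `height * stride` computation as written and with one operand widened first. `validate_size()` and `unmapped_bytes()` are hypothetical stand-ins for the kernel's bounds check and mapping, the dimensions are constructed, and `unsigned int` is assumed to be 32 bits.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* As written in the patch: the product is computed in unsigned int,
 * wraps modulo 2^32, and only then is widened to 64 bits. */
static uint64_t vsize_as_written(unsigned int height, unsigned int stride)
{
	uint64_t vsize = height * stride;
	return vsize;
}

/* One operand widened first: the multiplication itself is 64-bit. */
static uint64_t vsize_widened(unsigned int height, unsigned int stride)
{
	return (uint64_t)height * stride;
}

/* Hypothetical bounds check: non-zero and no larger than the resource. */
static bool validate_size(uint64_t vsize, uint64_t resource_size)
{
	return vsize != 0 && vsize <= resource_size;
}

/* Bytes the dimensions describe that lie past a mapping of 'mapped' bytes. */
static uint64_t unmapped_bytes(unsigned int height, unsigned int stride,
			       uint64_t mapped)
{
	uint64_t need = vsize_widened(height, stride);
	return need > mapped ? need - mapped : 0;
}

int main(void)
{
	/* Constructed values: 40000 lines of 131072 bytes, 6 GiB resource. */
	unsigned int height = 40000, stride = 131072;
	uint64_t resource = 6ULL << 30;
	uint64_t wrapped = vsize_as_written(height, stride);
	uint64_t full = vsize_widened(height, stride);

	printf("as written: %llu bytes, accepted=%d\n",
	       (unsigned long long)wrapped, validate_size(wrapped, resource));
	printf("widened:    %llu bytes, accepted=%d\n",
	       (unsigned long long)full, validate_size(full, resource));
	printf("bytes outside a mapping of the wrapped size: %llu\n",
	       (unsigned long long)unmapped_bytes(height, stride, wrapped));
	return 0;
}
```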

Thread overview: 8+ messages
2026-06-17 11:27 [PATCH 0/2] drm/sysfb: Fix visible size and related checks Thomas Zimmermann
2026-06-17 11:27 ` [PATCH 1/2] drm/sysfb: Do not page-align visible size of the framebuffer Thomas Zimmermann
2026-06-17 11:40   ` sashiko-bot [this message]
2026-06-17 11:44   ` Javier Martinez Canillas
2026-06-17 12:36     ` Thomas Zimmermann
2026-06-17 11:27 ` [PATCH 2/2] drm/sysfb: Return errno code from drm_sysfb_get_visible_size() Thomas Zimmermann
2026-06-17 11:40   ` sashiko-bot
2026-06-17 11:45   ` Javier Martinez Canillas
