From: sashiko-bot@kernel.org
To: "Thomas Zimmermann" <tzimmermann@suse.de>
Cc: dri-devel@lists.freedesktop.org
Subject: Re: [PATCH v2 1/6] drm/sysfb: simpledrm: Improve framebuffer-size validation
Date: Mon, 22 Jun 2026 13:39:47 +0000	[thread overview]
Message-ID: <20260622133948.46EE91F00A3A@smtp.kernel.org> (raw)
In-Reply-To: <20260622132433.722823-2-tzimmermann@suse.de>

Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:

Pre-existing issues:
- [High] The simpledrm driver fails to correctly validate that the framebuffer dimensions fit within the mapped memory resource size due to an inverted condition.
--

commit 1c3adcb617c4a3add398f3f24ada5131889b5d6a
Author: Thomas Zimmermann <tzimmermann@suse.de>

drm/sysfb: simpledrm: Improve framebuffer-size validation

Validate the framebuffer size from the firmware against the
limitations of struct drm_display_mode. The type only stores sizes
in 16-bit fields. Fail probing on errors.

Cc: <stable@vger.kernel.org> # v5.14+

> diff --git a/drivers/gpu/drm/sysfb/simpledrm.c b/drivers/gpu/drm/sysfb/simpledrm.c
> index fc168920f2c64..15dcafa9d524a 100644
> --- a/drivers/gpu/drm/sysfb/simpledrm.c
> +++ b/drivers/gpu/drm/sysfb/simpledrm.c

[ ... ]

> @@ -155,7 +148,7 @@ simplefb_get_height_of(struct drm_device *dev, struct device_node *of_node)
>  
>  	if (ret)
>  		return ret;
> -	return simplefb_get_validated_int0(dev, "height", height);
> +	return drm_sysfb_get_validated_int0(dev, "height", height, U16_MAX);
>  }
>  
>  static int
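
Review bot: In simplefb_get_height_of(), U16_MAX is passed as a bare argument with nothing at the call site saying why that is the limit. The commit message gives the reason (struct drm_display_mode only stores sizes in 16-bit fields), so a one-line comment here, or a named limit shared by the callers, would keep that rationale next to the code. The earlier part of the diff is elided above and is worth checking for the matching bound on the width.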

[Severity: High]
This isn't a bug introduced by this patch, but commit 'drm/sysfb:
simpledrm: Validate mmap size against framebuffer size' in this series
attempted to fix the missing validation and failed due to an inverted
condition.

Does simpledrm_device_create() fail to correctly validate that the
framebuffer dimensions fit within the mapped memory resource size?

Looking at simpledrm_device_create(), the check appears to be inverted in
both the system memory and I/O memory fallback paths:

drivers/gpu/drm/sysfb/simpledrm.c:simpledrm_device_create() {
        ...
		if (resource_size(mem) > size) {
			drm_err(dev,
				"framebuffer size of %llu exceeds memory range %pr\n",
				size, mem);
			return ERR_PTR(-EINVAL);
		}
        ...
}

Because this check returns -EINVAL when resource_size(mem) > size, it
incorrectly rejects valid configurations where the physical memory region
is larger than the required framebuffer.

More importantly, it allows invalid configurations where size >
resource_size(mem). In this case, devm_memremap() maps the smaller
resource_size(mem), but drm_fb_memcpy() will access size bytes during
plane updates, leading to an out-of-bounds kernel memory access past the
mapped area.

Should this check be size > resource_size(mem) instead?

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260622132433.722823-1-tzimmermann@suse.de?part=1
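
The inverted check described in this message, modelled in userspace C as an added example (not code from the patch series or from the kernel). `struct region`, `fb_bytes()`, `accepts_inverted()`, `accepts_fixed()` and `overrun()` are hypothetical names, and the 8 MiB region and the three mode sizes are constructed sample values.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical userspace stand-in for struct resource (end is inclusive). */
struct region { uint64_t start, end; };

static uint64_t region_size(const struct region *r) { return r->end - r->start + 1; }

/* Bytes a full-frame copy touches; widen before multiplying so it cannot wrap. */
static uint64_t fb_bytes(uint32_t stride, uint32_t height)
{
	return (uint64_t)stride * height;
}

/* Direction quoted in the review: errors out when the region is LARGER. */
static bool accepts_inverted(const struct region *mem, uint64_t size)
{
	return !(region_size(mem) > size);
}

/* Direction the review proposes: error out when the framebuffer is larger. */
static bool accepts_fixed(const struct region *mem, uint64_t size)
{
	return !(size > region_size(mem));
}

/* Bytes a copy of `size` would reach past a mapping of region_size(mem). */
static uint64_t overrun(const struct region *mem, uint64_t size)
{
	uint64_t mapped = region_size(mem);
	return size > mapped ? size - mapped : 0;
}

int main(void)
{
	/* Constructed sample values: an 8 MiB region and three {stride, height} pairs. */
	struct region mem = { 0x80000000ULL, 0x80000000ULL + (8ULL << 20) - 1 };
	uint32_t cfg[3][2] = { {7680, 1080}, {8192, 1024}, {10240, 1440} };

	for (int i = 0; i < 3; i++) {
		uint64_t size = fb_bytes(cfg[i][0], cfg[i][1]);
		printf("size=%llu inverted=%d fixed=%d overrun=%llu\n",
		       (unsigned long long)size, accepts_inverted(&mem, size),
		       accepts_fixed(&mem, size), (unsigned long long)overrun(&mem, size));
	}
	return 0;
}
```

Only the exact-fit configuration is treated the same by both directions; the other two swap between accepted and rejected.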
