From: sashiko-bot@kernel.org
To: "Louis Chauvet" <louis.chauvet@bootlin.com>
Cc: dri-devel@lists.freedesktop.org
Subject: Re: [PATCH v5 26/38] drm/vkms: Introduce configfs for plane zpos property
Date: Sat, 27 Jun 2026 03:46:55 +0000 [thread overview]
Message-ID: <20260627034655.7146B1F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260627-vkms-all-config-v5-26-854aa0840926@bootlin.com>
Thank you for your contribution! Sashiko AI review found 3 potential issue(s) to consider:
Pre-existing issues:
- [Critical] Heap buffer overflow in `vkms_crtc_atomic_check` due to array indexing with `normalized_zpos` exceeding allocated size based on visible planes.
- [High] Memory leak and ghost object creation in `make_plane_group` if `vkms_config_plane_set_name` fails.
- [High] Unaligned memory access when parsing fourcc formats in `plane_supported_formats_store`.
--
commit 05c48fc3bf3ce414a2c90cff7116e67058f16eb1
Author: Louis Chauvet <louis.chauvet@bootlin.com>
drm/vkms: Introduce configfs for plane zpos property
This commit introduces configfs attributes for managing the zpos property
of VKMS planes. It adds attributes to configure whether zpos is enabled,
mutable, its initial value, and its min/max boundaries.
> diff --git a/drivers/gpu/drm/vkms/vkms_configfs.c b/drivers/gpu/drm/vkms/vkms_configfs.c
> index e6cb245b8582d..95f4594fb683d 100644
> --- a/drivers/gpu/drm/vkms/vkms_configfs.c
> +++ b/drivers/gpu/drm/vkms/vkms_configfs.c
> @@ -687,6 +687,176 @@ static ssize_t plane_supported_formats_store(struct config_item *item,
> return count;
> }
>
[Severity: High]
This isn't a bug introduced by this patch, but can this unaligned memory
access in plane_supported_formats_store() cause a kernel panic on strict
alignment architectures?
When userspace writes a new format string, the input is copied into a
4-byte char array on the stack, which is then cast to an int pointer and
dereferenced:
drivers/gpu/drm/vkms/vkms_configfs.c:plane_supported_formats_store() {
...
scoped_guard(mutex, &plane->dev->lock) {
char fmt[4] = {' ', ' ', ' ', ' '};
memcpy(fmt, &page[1], min(count - 1, 4));
...
else if (page[0] == '+')
ret = vkms_config_plane_add_format(plane->config, *(int *)fmt);
...
}
Since a char array only guarantees 1-byte alignment, the 32-bit dereference
can trigger an unaligned access exception.
[Severity: Critical]
This is a pre-existing issue, but does this array indexing overflow the
active_planes array in vkms_crtc_atomic_check()?
The active_planes array is allocated with a size equal to the number of
strictly visible planes:
drivers/gpu/drm/vkms/vkms_crtc.c:vkms_crtc_atomic_check() {
...
drm_for_each_plane_mask(plane, crtc->dev, crtc_state->plane_mask) {
plane_state = drm_atomic_get_new_plane_state(crtc_state->state, plane);
WARN_ON(!plane_state);
if (!plane_state->visible)
continue;
i++;
}
vkms_state->active_planes = kzalloc_objs(*vkms_state->active_planes, i);
...
However, the array is populated using normalized_zpos as the index:
...
drm_for_each_plane_mask(plane, crtc->dev, crtc_state->plane_mask) {
plane_state = drm_atomic_get_new_plane_state(crtc_state->state, plane);
if (!plane_state->visible)
continue;
// Order planes according to their normalized_zpos
// After drm_atomic_normalize_zpos, the possible values are 0..n_planes-1
// so store them using this index
vkms_state->active_planes[plane_state->normalized_zpos] =
to_vkms_plane_state(plane_state);
}
...
}
If a user configures some planes as invisible but gives a visible plane a
higher zpos than the invisible ones, drm_atomic_normalize_zpos() will assign
the visible plane a normalized_zpos value greater than or equal to the total
number of strictly visible planes, resulting in an out-of-bounds write.
[Severity: High]
This is a pre-existing issue, but does make_plane_group() leak the
internal vkms_config_plane object and create a ghost plane if setting
the name fails?
drivers/gpu/drm/vkms/vkms_configfs.c:make_plane_group() {
...
plane->config = vkms_config_create_plane(dev->config);
if (IS_ERR(plane->config)) {
ret = PTR_ERR(plane->config);
kfree(plane);
return ERR_PTR(ret);
}
ret = vkms_config_plane_set_name(plane->config, name, strlen(name));
if (ret) {
kfree(plane);
return ERR_PTR(ret);
}
...
}
If vkms_config_plane_set_name() returns an error, the configfs wrapper
is freed, but vkms_config_destroy_plane(plane->config) is not called.
The internal object remains in dev->config->planes. Because it will never
have a CRTC attached, vkms_config_is_valid() will always fail, permanently
preventing the device from being enabled.
[ ... ]
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260627-vkms-all-config-v5-0-854aa0840926@bootlin.com?part=26
next prev parent reply other threads:[~2026-06-27 3:46 UTC|newest]
Thread overview: 65+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-27 3:30 [PATCH v5 00/38] VKMS: Introduce multiple configFS attributes Louis Chauvet
2026-06-27 3:30 ` [PATCH v5 01/38] drm/drm_mode_config: Add helper to get plane type name Louis Chauvet
2026-06-27 3:30 ` [PATCH v5 02/38] drm/blend: Get a rotation name from it's bitfield Louis Chauvet
2026-06-27 3:41 ` sashiko-bot
2026-06-27 3:30 ` [PATCH v5 03/38] drm/drm_color_mgmt: Expose drm_get_color_encoding_name Louis Chauvet
2026-06-27 3:30 ` [PATCH v5 04/38] drm/drm_color_mgmt: Expose drm_get_color_range_name Louis Chauvet
2026-06-27 3:30 ` [PATCH v5 05/38] drm/connector: Export drm_get_colorspace_name Louis Chauvet
2026-06-27 3:30 ` [PATCH v5 06/38] drm/drm_atomic_state_helper: Properly load default value for rotation Louis Chauvet
2026-06-27 3:30 ` [PATCH v5 07/38] Documentation: ABI: vkms: Add current VKMS ABI documentation Louis Chauvet
2026-06-27 3:30 ` [PATCH v5 08/38] drm/vkms: Add error handling in plane config creation Louis Chauvet
2026-06-27 3:41 ` sashiko-bot
2026-06-27 3:30 ` [PATCH v5 09/38] drm/vkms: Simplify plane_release code Louis Chauvet
2026-06-27 3:30 ` [PATCH v5 10/38] drm/vkms: Explicitly display plane type Louis Chauvet
2026-06-27 3:30 ` [PATCH v5 11/38] drm/vkms: Use enabled/disabled instead of 1/0 for debug Louis Chauvet
2026-06-27 3:30 ` [PATCH v5 12/38] drm/vkms: Explicitly display connector status Louis Chauvet
2026-06-27 3:30 ` [PATCH v5 13/38] drm/vkms: Introduce config for plane name Louis Chauvet
2026-06-27 3:46 ` sashiko-bot
2026-06-27 3:30 ` [PATCH v5 14/38] drm/vkms: Use plane folder name as " Louis Chauvet
2026-06-27 3:43 ` sashiko-bot
2026-06-27 3:30 ` [PATCH v5 15/38] drm/vkms: Introduce config for plane rotation Louis Chauvet
2026-06-27 3:42 ` sashiko-bot
2026-06-27 3:30 ` [PATCH v5 16/38] drm/vkms: Use DRM_ROTATION_FMT macros for rotation display Louis Chauvet
2026-06-27 3:39 ` sashiko-bot
2026-06-27 3:30 ` [PATCH v5 17/38] drm/vkms: Introduce configfs for plane rotation Louis Chauvet
2026-06-27 3:46 ` sashiko-bot
2026-06-27 3:30 ` [PATCH v5 18/38] drm/vkms: Introduce config for plane color encoding Louis Chauvet
2026-06-27 3:43 ` sashiko-bot
2026-06-27 3:30 ` [PATCH v5 19/38] drm/vkms: Introduce configfs " Louis Chauvet
2026-06-27 3:49 ` sashiko-bot
2026-06-27 3:30 ` [PATCH v5 20/38] drm/vkms: Introduce config for plane color range Louis Chauvet
2026-06-27 3:30 ` [PATCH v5 21/38] drm/vkms: Introduce configfs " Louis Chauvet
2026-06-27 3:45 ` sashiko-bot
2026-06-27 3:30 ` [PATCH v5 22/38] drm/vkms: Introduce config for plane format Louis Chauvet
2026-06-27 3:46 ` sashiko-bot
2026-06-27 3:30 ` [PATCH v5 23/38] drm/vkms: Introduce configfs " Louis Chauvet
2026-06-27 3:45 ` sashiko-bot
2026-06-27 3:30 ` [PATCH v5 24/38] drm/vkms: Properly render plane using their zpos Louis Chauvet
2026-06-27 3:44 ` sashiko-bot
2026-06-27 3:30 ` [PATCH v5 25/38] drm/vkms: Introduce config for plane zpos property Louis Chauvet
2026-06-27 3:41 ` sashiko-bot
2026-06-27 3:30 ` [PATCH v5 26/38] drm/vkms: Introduce configfs " Louis Chauvet
2026-06-27 3:46 ` sashiko-bot [this message]
2026-06-27 3:30 ` [PATCH v5 27/38] drm/vkms: Introduce config for connector type Louis Chauvet
2026-06-27 3:45 ` sashiko-bot
2026-06-27 3:30 ` [PATCH v5 28/38] drm/vkms: Introduce configfs " Louis Chauvet
2026-06-27 3:45 ` sashiko-bot
2026-06-27 3:30 ` [PATCH v5 29/38] drm/vkms: Rename vkms_connector_init to vkms_connector_init_static Louis Chauvet
2026-06-27 3:30 ` [PATCH v5 30/38] drm/vkms: Introduce config for connector supported colorspace Louis Chauvet
2026-06-27 3:58 ` sashiko-bot
2026-06-27 3:30 ` [PATCH v5 31/38] drm/vkms: Introduce configfs " Louis Chauvet
2026-06-27 3:48 ` sashiko-bot
2026-06-27 3:30 ` [PATCH v5 32/38] drm/vkms: Introduce config for connector EDID Louis Chauvet
2026-06-27 3:48 ` sashiko-bot
2026-06-27 3:30 ` [PATCH v5 33/38] drm/vkms: Introduce configfs " Louis Chauvet
2026-06-27 3:50 ` sashiko-bot
2026-06-27 3:30 ` [PATCH v5 34/38] drm/vkms: Store the enabled/disabled status for connector Louis Chauvet
2026-06-27 3:48 ` sashiko-bot
2026-06-27 3:30 ` [PATCH v5 35/38] drm/vkms: Allow to hot-add connectors Louis Chauvet
2026-06-27 3:50 ` sashiko-bot
2026-06-27 3:30 ` [PATCH v5 36/38] drm/vkms: Introduce configfs for dynamic connector creation Louis Chauvet
2026-06-27 3:55 ` sashiko-bot
2026-06-27 3:30 ` [PATCH v5 37/38] drm/vkms: Add connector parent configuration in vkms_config Louis Chauvet
2026-06-27 3:57 ` sashiko-bot
2026-06-27 3:30 ` [PATCH v5 38/38] drm/vkms: Add ConfigFS interface for connector parent and port_id Louis Chauvet
2026-06-27 3:45 ` sashiko-bot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260627034655.7146B1F000E9@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=dri-devel@lists.freedesktop.org \
--cc=louis.chauvet@bootlin.com \
--cc=sashiko-reviews@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.