Re: [PATCH] drm/exynos: forbid creating framebuffers from too small GEM buffers

From: Inki Dae <inki.dae@samsung.com>
To: Marek Szyprowski <m.szyprowski@samsung.com>,
	dri-devel@lists.freedesktop.org,
	linux-samsung-soc@vger.kernel.org
Cc: Seung-Woo Kim <sw0312.kim@samsung.com>,
	Krzysztof Kozlowski <krzk@kernel.org>,
	Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
Subject: Re: [PATCH] drm/exynos: forbid creating framebuffers from too small GEM buffers
Date: Wed, 09 Aug 2017 07:57:41 +0900	[thread overview]
Message-ID: <598A41E5.5070805@samsung.com> (raw)
In-Reply-To: <fe8998f4-45ff-7ee8-a35b-98d07e3f0645@samsung.com>

2017년 08월 08일 22:33에 Marek Szyprowski 이(가) 쓴 글:
> Hi all,
> 
> On 2017-07-12 12:09, Marek Szyprowski wrote:
>> Add a check if the framebuffer described by the provided drm_mode_fb_cmd2
>> structure fits into provided GEM buffers. Without this check it is
>> possible to create a framebuffer object from a small buffer and set it to
>> the hardware, what results in displaying system memory outside the
>> allocated GEM buffer.
>>
>> Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com>
>> CC: stable@vger.kernel.org # v4.7+
> 
> Gentle ping.

Applied.

Thanks,
Inki Dae

> 
>> ---
>> This issue was there from the beggining, but the provided patch applies only
>> to v4.7+ kernels due to other changes in the fixed code.
>> ---
>>   drivers/gpu/drm/exynos/exynos_drm_fb.c | 14 +++++++++++++-
>>   1 file changed, 13 insertions(+), 1 deletion(-)
>>
>> diff --git a/drivers/gpu/drm/exynos/exynos_drm_fb.c b/drivers/gpu/drm/exynos/exynos_drm_fb.c
>> index d48fd7c918f8..73217c281c9a 100644
>> --- a/drivers/gpu/drm/exynos/exynos_drm_fb.c
>> +++ b/drivers/gpu/drm/exynos/exynos_drm_fb.c
>> @@ -145,13 +145,19 @@ struct drm_framebuffer *
>>   exynos_user_fb_create(struct drm_device *dev, struct drm_file *file_priv,
>>                 const struct drm_mode_fb_cmd2 *mode_cmd)
>>   {
>> +    const struct drm_format_info *info = drm_get_format_info(dev, mode_cmd);
>>       struct exynos_drm_gem *exynos_gem[MAX_FB_BUFFER];
>>       struct drm_gem_object *obj;
>>       struct drm_framebuffer *fb;
>>       int i;
>>       int ret;
>>   -    for (i = 0; i < drm_format_num_planes(mode_cmd->pixel_format); i++) {
>> +    for (i = 0; i < info->num_planes; i++) {
>> +        unsigned int height = (i == 0) ? mode_cmd->height :
>> +                     DIV_ROUND_UP(mode_cmd->height, info->vsub);
>> +        unsigned long size = height * mode_cmd->pitches[i] +
>> +                     mode_cmd->offsets[i];
>> +
>>           obj = drm_gem_object_lookup(file_priv, mode_cmd->handles[i]);
>>           if (!obj) {
>>               DRM_ERROR("failed to lookup gem object\n");
>> @@ -160,6 +166,12 @@ struct drm_framebuffer *
>>           }
>>             exynos_gem[i] = to_exynos_gem(obj);
>> +
>> +        if (size > exynos_gem[i]->size) {
>> +            i++;
>> +            ret = -EINVAL;
>> +            goto err;
>> +        }
>>       }
>>         fb = exynos_drm_framebuffer_init(dev, mode_cmd, exynos_gem, i);
> 
> Best regards
_______________________________________________
dri-devel mailing list
dri-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/dri-devel