On 2018-12-21 4:10 a.m., Yu Zhao wrote:
When creating frame buffer, userspace may request to attach to a previously allocated GEM object that is smaller than what GPU requires. Validation must be done to prevent out-of-bound DMA, which could not only corrupt memory but also reveal sensitive data.
This fix is not done in a common code path because individual driver might have different requirement.
Signed-off-by: Yu Zhao yuzhao@google.com
drivers/gpu/drm/amd/amdgpu/amdgpu_display.c | 8 ++++++++ 1 file changed, 8 insertions(+)
diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_display.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_display.c index 755daa332f8a..bb48b016cc68 100644 --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_display.c +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_display.c @@ -527,6 +527,7 @@ amdgpu_display_user_framebuffer_create(struct drm_device *dev, struct drm_gem_object *obj; struct amdgpu_framebuffer *amdgpu_fb; int ret;
- int height; struct amdgpu_device *adev = dev->dev_private; int cpp = drm_format_plane_cpp(mode_cmd->pixel_format, 0); int pitch = amdgpu_align_pitch(adev, mode_cmd->width, cpp, false);
@@ -550,6 +551,13 @@ amdgpu_display_user_framebuffer_create(struct drm_device *dev, return ERR_PTR(-EINVAL); }
- height = ALIGN(mode_cmd->height, 8);
- if (obj->size < pitch * height) {
dev_err(&dev->pdev->dev, "Invalid GEM size: expecting %d but got %d\n",pitch * height, obj->size);
Same comment as patch 2, and maybe write "expecting >= %d but got %d" for clarity.