On Mon, Nov 03, 2014 at 10:51:42AM +0100, Daniel Vetter wrote:
On Mon, Nov 03, 2014 at 10:27:47AM +0100, Thierry Reding wrote:
From: Thierry Reding <treding@nvidia.com>
When creating a dumb buffer object using the DRM_IOCTL_MODE_CREATE_DUMB IOCTL, only the width, height, bpp and flags parameters are inputs. The caller is not guaranteed to zero out or set handle, pitch and size, so the driver must not treat these values as possible inputs.
Fixes a bug where running the Weston compositor on Tegra DRM would cause an attempt to allocate a 3 GiB framebuffer.
Fixes: de2ba664c30f ("gpu: host1x: drm: Add memory manager and fb")
Cc: stable@vger.kernel.org
Signed-off-by: Thierry Reding <treding@nvidia.com>
Shouldn't we also clear these fields in the drm core ioctl code? This is indeed surprising (yay for lacking input validation!), doing this mistake in each driver won't scale ...
They are clearly documented as being outputs in the drm_mode_create_dumb struct (include/uapi/drm/drm_mode.h), so this was really just me being stupid a couple of years ago.
But yes, validating the input in the core sounds like a good idea to avoid this in other drivers in the future.
Thierry
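
The point discussed in this thread, as a userspace C model added here for illustration (not code from the patch, the Tegra driver or the DRM core): a driver that honours stale pitch/size values, next to a core-side wrapper that validates the inputs and zeroes the output fields before dispatch. The struct, the function names and the stale 3 GiB value are constructed for the example.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the ioctl argument; fields as named in the thread. */
struct create_dumb_args {
    uint32_t height, width, bpp, flags; /* inputs */
    uint32_t handle, pitch;             /* outputs */
    uint64_t size;                      /* output */
};
typedef int (*create_fn)(struct create_dumb_args *);

static uint32_t bytes_per_pixel(uint32_t bpp) { return bpp / 8 + (bpp % 8 != 0); }

/* Hypothetical driver callback that treats caller-supplied outputs as minimums. */
int driver_trusting_outputs(struct create_dumb_args *a)
{
    uint32_t min_pitch = a->width * bytes_per_pixel(a->bpp);
    if (a->pitch < min_pitch)
        a->pitch = min_pitch;
    if (a->size < (uint64_t)a->pitch * a->height)
        a->size = (uint64_t)a->pitch * a->height;
    return 0;
}

/* Core-side guard: reject bad inputs, clear the outputs, then call the driver. */
int core_create_dumb(struct create_dumb_args *a, create_fn driver)
{
    uint32_t cpp;
    if (!a->width || !a->height || !a->bpp)
        return -EINVAL;
    cpp = bytes_per_pixel(a->bpp);
    if (a->width > UINT32_MAX / cpp || a->height > UINT32_MAX / (a->width * cpp))
        return -EINVAL; /* pitch or size would not fit in 32 bits */
    a->handle = 0;
    a->pitch = 0;
    a->size = 0;
    return driver(a);
}

int main(void)
{
    /* Constructed caller that left garbage in the size field. */
    struct create_dumb_args direct = { .width = 1920, .height = 1080, .bpp = 32, .size = 3ULL << 30 };
    struct create_dumb_args guarded = direct;
    driver_trusting_outputs(&direct);
    core_create_dumb(&guarded, driver_trusting_outputs);
    printf("direct: %llu bytes, via core: %llu bytes\n",
           (unsigned long long)direct.size, (unsigned long long)guarded.size);
    return 0;
}
```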