On Mon, Mar 26, 2012 at 09:15:53PM +0100, Chris Wilson wrote:
mplayer -vo fbdev tries to create a screen that is twice as tall as the allocated framebuffer for "doublebuffering". By default, and all in-tree users, only sufficient memory is allocated and mapped to satisfy the smallest framebuffer and the virtual size is no larger than the actual. For these users, we should therefore reject any userspace request to create a screen that requires a buffer larger than the framebuffer originally allocated.
References: https://bugs.freedesktop.org/show_bug.cgi?id=38138 Signed-off-by: Chris Wilson chris@chris-wilson.co.uk
Reviewed-by: Daniel Vetter daniel.vetter@ffwll.ch Cc: stable@kernel.org
Given that this is user-exploitable (at least for userspace that tries to do stupid tricks with fbdev), I think this should go in through drm-fixes. Dave? -Daniel
drivers/gpu/drm/drm_fb_helper.c | 8 ++++++-- 1 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/drivers/gpu/drm/drm_fb_helper.c b/drivers/gpu/drm/drm_fb_helper.c index 7740dd2..a0d6e89 100644 --- a/drivers/gpu/drm/drm_fb_helper.c +++ b/drivers/gpu/drm/drm_fb_helper.c @@ -559,9 +559,13 @@ int drm_fb_helper_check_var(struct fb_var_screeninfo *var, return -EINVAL;
/* Need to resize the fb object !!! */
- if (var->bits_per_pixel > fb->bits_per_pixel || var->xres > fb->width || var->yres > fb->height) {
- if (var->bits_per_pixel > fb->bits_per_pixel ||
var->xres > fb->width || var->yres > fb->height ||var->xres_virtual > fb->width || var->yres_virtual > fb->height) {
"object %dx%d-%d > %dx%d-%d\n", var->xres, var->yres, var->bits_per_pixel,
"request %dx%d-%d (virtual %dx%d) > %dx%d-%d\n",var->xres, var->yres, var->bits_per_pixel,var->xres_virtual, var->yres_virtual, fb->width, fb->height, fb->bits_per_pixel);-- 1.7.9.1
dri-devel mailing list dri-devel@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/dri-devel