The previous commit didn't correctly fix the integer overflow issue.
http://git.kernel.org/linus/e133e737
- unsigned int required_size; + u64 required_size; ... required_size = mode_cmd->pitch * mode_cmd->height; - if (unlikely(required_size > dev_priv->vram_size)) { + if (unlikely(required_size > (u64) dev_priv->vram_size)) {
Note that both pitch and height are u32, their product is still u32 and would overflow before being assigned to required_size. A correct way is to convert pitch and height to u64 before the multiplication.
required_size = (u64)mode_cmd->pitch * (u64)mode_cmd->height;
This patch calls an existing function vmw_kms_validate_mode_vram() for validation.
Signed-off-by: Xi Wang xi.wang@gmail.com --- vmwgfx_kms.c | 6 +++--- 1 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/vmwgfx_kms.c b/vmwgfx_kms.c index b87afdf..6b8857e 100644 --- a/vmwgfx_kms.c +++ b/vmwgfx_kms.c @@ -1101,7 +1101,6 @@ static struct drm_framebuffer *vmw_kms_fb_create(struct drm_device *dev, struct vmw_surface *surface = NULL; struct vmw_dma_buffer *bo = NULL; struct ttm_base_object *user_obj; - u64 required_size; int ret;
/** @@ -1110,8 +1109,9 @@ static struct drm_framebuffer *vmw_kms_fb_create(struct drm_device *dev, * requested framebuffer. */
- required_size = mode_cmd->pitch * mode_cmd->height; - if (unlikely(required_size > (u64) dev_priv->vram_size)) { + if (!vmw_kms_validate_mode_vram(dev_priv, + mode_cmd->pitch, + mode_cmd->height)) { DRM_ERROR("VRAM size is too small for requested mode.\n"); return ERR_PTR(-ENOMEM); }
----- Original Message -----
From: "Xi Wang" xi.wang@gmail.com To: "Jakob Bornecrantz" jakob@vmware.com, "Thomas Hellstrom" thellstrom@vmware.com Cc: dri-devel@lists.freedesktop.org, "Dave Airlie" airlied@redhat.com Sent: Tuesday, 20 December, 2011 9:08:32 PM Subject: [PATCH RESEND] vmwgfx: fix incorrect vram size check in vmw_kms_fb_create()
This patch doesn't apply with git am, please regenerate it,
Thomas, can you ack as well please?
Is this for -fixes or -next?
Dave.
Commit e133e737 didn't correctly fix the integer overflow issue.
- unsigned int required_size; + u64 required_size; ... required_size = mode_cmd->pitch * mode_cmd->height; - if (unlikely(required_size > dev_priv->vram_size)) { + if (unlikely(required_size > (u64) dev_priv->vram_size)) {
Note that both pitch and height are u32. Their product is still u32 and would overflow before being assigned to required_size. A correct way is to convert pitch and height to u64 before the multiplication.
required_size = (u64)mode_cmd->pitch * (u64)mode_cmd->height;
This patch calls the existing vmw_kms_validate_mode_vram() for validation.
Signed-off-by: Xi Wang xi.wang@gmail.com --- drivers/gpu/drm/vmwgfx/vmwgfx_kms.c | 6 +++--- 1 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c b/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c index 8aa1dbb..f94b33a 100644 --- a/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c +++ b/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c @@ -1093,7 +1093,6 @@ static struct drm_framebuffer *vmw_kms_fb_create(struct drm_device *dev, struct vmw_surface *surface = NULL; struct vmw_dma_buffer *bo = NULL; struct ttm_base_object *user_obj; - u64 required_size; int ret;
/** @@ -1102,8 +1101,9 @@ static struct drm_framebuffer *vmw_kms_fb_create(struct drm_device *dev, * requested framebuffer. */
- required_size = mode_cmd->pitch * mode_cmd->height; - if (unlikely(required_size > (u64) dev_priv->vram_size)) { + if (!vmw_kms_validate_mode_vram(dev_priv, + mode_cmd->pitch, + mode_cmd->height)) { DRM_ERROR("VRAM size is too small for requested mode.\n"); return ERR_PTR(-ENOMEM); }
This looks good, although I want to do a quick test to verify that it doesn't break anything.
I'll get back as soon as possible.
/Thomas
On 12/21/2011 11:18 AM, Xi Wang wrote:
Commit e133e737 didn't correctly fix the integer overflow issue.
- unsigned int required_size;
- u64 required_size; ... required_size = mode_cmd->pitch * mode_cmd->height;
- if (unlikely(required_size> dev_priv->vram_size)) {
- if (unlikely(required_size> (u64) dev_priv->vram_size)) {
Note that both pitch and height are u32. Their product is still u32 and would overflow before being assigned to required_size. A correct way is to convert pitch and height to u64 before the multiplication.
required_size = (u64)mode_cmd->pitch * (u64)mode_cmd->height;
This patch calls the existing vmw_kms_validate_mode_vram() for validation.
Signed-off-by: Xi Wangxi.wang@gmail.com
drivers/gpu/drm/vmwgfx/vmwgfx_kms.c | 6 +++--- 1 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c b/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c index 8aa1dbb..f94b33a 100644 --- a/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c +++ b/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c @@ -1093,7 +1093,6 @@ static struct drm_framebuffer *vmw_kms_fb_create(struct drm_device *dev, struct vmw_surface *surface = NULL; struct vmw_dma_buffer *bo = NULL; struct ttm_base_object *user_obj;
u64 required_size; int ret;
/**
@@ -1102,8 +1101,9 @@ static struct drm_framebuffer *vmw_kms_fb_create(struct drm_device *dev, * requested framebuffer. */
- required_size = mode_cmd->pitch * mode_cmd->height;
- if (unlikely(required_size> (u64) dev_priv->vram_size)) {
- if (!vmw_kms_validate_mode_vram(dev_priv,
mode_cmd->pitch,mode_cmd->height)) {
Reviewed- and tested by
Thomas Hellstrom thellstrom@vmware.com
Thanks, Thomas
On 12/21/2011 11:18 AM, Xi Wang wrote:
Commit e133e737 didn't correctly fix the integer overflow issue.
- unsigned int required_size;
- u64 required_size; ... required_size = mode_cmd->pitch * mode_cmd->height;
- if (unlikely(required_size> dev_priv->vram_size)) {
- if (unlikely(required_size> (u64) dev_priv->vram_size)) {
Note that both pitch and height are u32. Their product is still u32 and would overflow before being assigned to required_size. A correct way is to convert pitch and height to u64 before the multiplication.
required_size = (u64)mode_cmd->pitch * (u64)mode_cmd->height;
This patch calls the existing vmw_kms_validate_mode_vram() for validation.
Signed-off-by: Xi Wangxi.wang@gmail.com
drivers/gpu/drm/vmwgfx/vmwgfx_kms.c | 6 +++--- 1 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c b/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c index 8aa1dbb..f94b33a 100644 --- a/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c +++ b/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c @@ -1093,7 +1093,6 @@ static struct drm_framebuffer *vmw_kms_fb_create(struct drm_device *dev, struct vmw_surface *surface = NULL; struct vmw_dma_buffer *bo = NULL; struct ttm_base_object *user_obj;
u64 required_size; int ret;
/**
@@ -1102,8 +1101,9 @@ static struct drm_framebuffer *vmw_kms_fb_create(struct drm_device *dev, * requested framebuffer. */
- required_size = mode_cmd->pitch * mode_cmd->height;
- if (unlikely(required_size> (u64) dev_priv->vram_size)) {
- if (!vmw_kms_validate_mode_vram(dev_priv,
mode_cmd->pitch,mode_cmd->height)) {
dri-devel@lists.freedesktop.org
-
David Airlie -
Thomas Hellstrom -
Xi Wang