On Thu, Nov 6, 2014 at 10:49 AM, Thierry Reding
<thierry.reding@xxxxxxxxx> wrote:
> From: Thierry Reding <treding@xxxxxxxxxx>
>
> When creating a dumb buffer object using the DRM_IOCTL_MODE_CREATE_DUMB
> IOCTL, only the width, height, bpp and flags fields are inputs. The
> caller is not guaranteed to zero out or set handle, pitch and size.
> Drivers must not treat these values as possible inputs, otherwise they
> may use uninitialized memory during the computation of the framebuffer
> size.
>
> The OMAP driver uses the pitch field passed in by userspace as a minimum
> and only override it if the driver-computed pitch is larger than what
> userspace provided. To prevent this from causing overallocation, fix the
> minimum pitch to 0 to enforce the driver-computed pitch.
>
> Cc: Tomi Valkeinen <tomi.valkeinen@xxxxxx>
> Reviewed-by: Daniel Vetter <daniel.vetter@xxxxxxxx>
> Signed-off-by: Thierry Reding <treding@xxxxxxxxxx>
Reviewed-by: Rob Clark <robdclark@xxxxxxxxx>
> ---
> drivers/gpu/drm/omapdrm/omap_gem.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/gpu/drm/omapdrm/omap_gem.c b/drivers/gpu/drm/omapdrm/omap_gem.c
> index e4849413ee80..bff60b73995b 100644
> --- a/drivers/gpu/drm/omapdrm/omap_gem.c
> +++ b/drivers/gpu/drm/omapdrm/omap_gem.c
> @@ -613,7 +613,7 @@ int omap_gem_dumb_create(struct drm_file *file, struct drm_device *dev,
> union omap_gem_size gsize;
>
> /* in case someone tries to feed us a completely bogus stride: */
> - args->pitch = align_pitch(args->pitch, args->width, args->bpp);
> + args->pitch = align_pitch(0, args->width, args->bpp);
> args->size = PAGE_ALIGN(args->pitch * args->height);
>
> gsize = (union omap_gem_size){
> --
> 2.1.3
>
_______________________________________________
dri-devel mailing list
dri-devel@xxxxxxxxxxxxxxxxxxxxx
http://lists.freedesktop.org/mailman/listinfo/dri-devel
