Commit 28a5dfd4 authored by Ian Forbes's avatar Ian Forbes Committed by Zack Rusin
Browse files

drm/vmwgfx: Limit display layout ioctl array size to VMWGFX_NUM_DISPLAY_UNITS 



Currently the array size is only limited by the largest kmalloc size which
is incorrect. This change will also return a more specific error message
than ENOMEM to userspace.

Signed-off-by: default avatarIan Forbes <ian.forbes@broadcom.com>
Reviewed-by: default avatarZack Rusin <zack.rusin@broadcom.com>
Reviewed-by: default avatarMartin Krastev <martin.krastev@broadcom.com>
Signed-off-by: default avatarZack Rusin <zack.rusin@broadcom.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20240808200634.1074083-1-ian.forbes@broadcom.com
parent fcddc71e

drivers/gpu/drm/vmwgfx/vmwgfx_drv.h

+2 −2
Original line number Diff line number Diff line
@@ -62,7 +62,7 @@ 
#define VMWGFX_DRIVER_MINOR 20

#define VMWGFX_DRIVER_PATCHLEVEL 0

#define VMWGFX_FIFO_STATIC_SIZE (1024*1024)

#define VMWGFX_MAX_DISPLAYS 16

#define VMWGFX_NUM_DISPLAY_UNITS 8

#define VMWGFX_CMD_BOUNCE_INIT_SIZE 32768



#define VMWGFX_MIN_INITIAL_WIDTH 1280
@@ -82,7 +82,7 @@ 
#define VMWGFX_NUM_GB_CONTEXT 256

#define VMWGFX_NUM_GB_SHADER 20000

#define VMWGFX_NUM_GB_SURFACE 32768

#define VMWGFX_NUM_GB_SCREEN_TARGET VMWGFX_MAX_DISPLAYS

#define VMWGFX_NUM_GB_SCREEN_TARGET VMWGFX_NUM_DISPLAY_UNITS

#define VMWGFX_NUM_DXCONTEXT 256

#define VMWGFX_NUM_DXQUERY 512

#define VMWGFX_NUM_MOB (VMWGFX_NUM_GB_CONTEXT +\

drivers/gpu/drm/vmwgfx/vmwgfx_kms.c

+3 −1
Original line number Diff line number Diff line
@@ -2225,7 +2225,7 @@ int vmw_kms_update_layout_ioctl(struct drm_device *dev, void *data, 
	struct drm_mode_config *mode_config = &dev->mode_config;

	struct drm_vmw_update_layout_arg *arg =

		(struct drm_vmw_update_layout_arg *)data;

	void __user *user_rects;

	const void __user *user_rects;

	struct drm_vmw_rect *rects;

	struct drm_rect *drm_rects;

	unsigned rects_size;
@@ -2237,6 +2237,8 @@ int vmw_kms_update_layout_ioctl(struct drm_device *dev, void *data, 
					    VMWGFX_MIN_INITIAL_HEIGHT};

		vmw_du_update_layout(dev_priv, 1, &def_rect);

		return 0;

	} else if (arg->num_outputs > VMWGFX_NUM_DISPLAY_UNITS) {

		return -E2BIG;

	}



	rects_size = arg->num_outputs * sizeof(struct drm_vmw_rect);

drivers/gpu/drm/vmwgfx/vmwgfx_kms.h

+0 −3
Original line number Diff line number Diff line
@@ -199,9 +199,6 @@ struct vmw_kms_dirty { 
	s32 unit_y2;

};



#define VMWGFX_NUM_DISPLAY_UNITS 8





#define vmw_framebuffer_to_vfb(x) \

	container_of(x, struct vmw_framebuffer, base)

#define vmw_framebuffer_to_vfbs(x) \