From bdb2b933f2622578b8f737ad21504eb83620024a Mon Sep 17 00:00:00 2001 From: Thierry Reding Date: Mon, 3 Nov 2014 11:57:33 +0100 Subject: [PATCH] drm/omap: gem: dumb: pitch is an output When creating a dumb buffer object using the DRM_IOCTL_MODE_CREATE_DUMB IOCTL, only the width, height, bpp and flags fields are inputs. The caller is not guaranteed to zero out or set handle, pitch and size. Drivers must not treat these values as possible inputs, otherwise they may use uninitialized memory during the computation of the framebuffer size. The OMAP driver uses the pitch field passed in by userspace as a minimum and only override it if the driver-computed pitch is larger than what userspace provided. To prevent this from causing overallocation, fix the minimum pitch to 0 to enforce the driver-computed pitch. Cc: Tomi Valkeinen Reviewed-by: Daniel Vetter Reviewed-by: Rob Clark Acked-by: Tomi Valkeinen Signed-off-by: Thierry Reding
---
 drivers/gpu/drm/omapdrm/omap_gem.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/drivers/gpu/drm/omapdrm/omap_gem.c b/drivers/gpu/drm/omapdrm/omap_gem.c
index e484941..aeb91ed 100644
--- a/drivers/gpu/drm/omapdrm/omap_gem.c
+++ b/drivers/gpu/drm/omapdrm/omap_gem.c
@@ -612,8 +612,7 @@ int omap_gem_dumb_create(struct drm_file *file, struct drm_device *dev,
 {
 union omap_gem_size gsize;
- /* in case someone tries to feed us a completely bogus stride: */
- args->pitch = align_pitch(args->pitch, args->width, args->bpp);
+ args->pitch = align_pitch(0, args->width, args->bpp);
 args->size = PAGE_ALIGN(args->pitch * args->height);
 gsize = (union omap_gem_size){
--
2.7.4
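Review bot: The size computation on the context line right after the change, `args->size = PAGE_ALIGN(args->pitch * args->height);`, still multiplies two values derived from the userspace-supplied width, bpp and height with no overflow check visible in this hunk. If both fields are 32-bit, as the dumb-buffer UAPI suggests, the product can wrap before it is page-aligned, leaving a size smaller than pitch times height; unless the ioctl core already bounds these inputs (not visible here), do the arithmetic in 64 bits, e.g. `args->size = PAGE_ALIGN((u64)args->pitch * args->height);`, and return -EINVAL when the result does not fit the allocation path. The commit also deletes the only comment on this line, so a replacement such as `/* pitch and size are outputs only: never read the values userspace passed in */` would keep the next editor from reintroducing the input. The body of omap_gem_dumb_create starts and continues outside the hunk, so later uses of args->size could not be checked.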