From dfecf259e1e190bfca8d649e537652ca9e457803 Mon Sep 17 00:00:00 2001 From: Thierry Reding Date: Mon, 3 Nov 2014 12:08:24 +0100 Subject: [PATCH] drm/rcar: gem: dumb: pitch is an output When creating a dumb buffer object using the DRM_IOCTL_MODE_CREATE_DUMB IOCTL, only the width, height, bpp and flags fields are inputs. The caller is not guaranteed to zero out or set handle, pitch and size. Drivers must not treat these values as possible inputs, otherwise they may use uninitialized memory during the computation of the framebuffer size. The R-Car DU driver treats the pitch passed in from userspace as minimum and will only overwrite it when the driver-computed pitch is larger, allowing userspace to, intentionally or not, overallocate framebuffers. Cc: Laurent Pinchart Reviewed-by: Daniel Vetter Signed-off-by: Thierry Reding (cherry picked from commit 7e295a36b3af5d588e585e2300febbb191463939) Signed-off-by: Simon Horman --- drivers/gpu/drm/rcar-du/rcar_du_kms.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/gpu/drm/rcar-du/rcar_du_kms.c b/drivers/gpu/drm/rcar-du/rcar_du_kms.c index 6c24ad7..2256fdf 100644 --- a/drivers/gpu/drm/rcar-du/rcar_du_kms.c +++ b/drivers/gpu/drm/rcar-du/rcar_du_kms.c @@ -126,7 +126,7 @@ int rcar_du_dumb_create(struct drm_file *file, struct drm_device *dev, else align = 16 * args->bpp / 8; - args->pitch = roundup(max(args->pitch, min_pitch), align); + args->pitch = roundup(min_pitch, align); return drm_gem_cma_dumb_create(file, dev, args); } -- 2.7.4