[PATCH] drm/vc4: hvs: Fix buffer overflow with the dlist handling

Thomas Zimmermann tzimmermann at suse.de
Tue Feb 2 10:02:34 UTC 2021 


Am 29.01.21 um 17:06 schrieb Maxime Ripard:
> Commit 0a038c1c29a7 ("drm/vc4: Move LBM creation out of
> vc4_plane_mode_set()") changed the LBM allocation logic from first
> allocating the LBM memory for the plane to running mode_set,
> adding a gap in the LBM, and then running the dlist allocation filling
> that gap.
> 
> The gap was introduced by incrementing the dlist array index, but was
> never checking whether or not we were over the array length, leading
> eventually to memory corruptions if we ever crossed this limit.
> 
> vc4_dlist_write had that logic though, and was reallocating a larger
> dlist array when reaching the end of the buffer. Let's share the logic
> between both functions.
> 
> Cc: Boris Brezillon <boris.brezillon at collabora.com>
> Cc: Eric Anholt <eric at anholt.net>
> Fixes: 0a038c1c29a7 ("drm/vc4: Move LBM creation out of vc4_plane_mode_set()")
> Signed-off-by: Maxime Ripard <maxime at cerno.tech>

Acked-by: Thomas Zimmermann <tzimmermann at suse.de>

> ---
>   drivers/gpu/drm/vc4/vc4_plane.c | 18 ++++++++++++++----
>   1 file changed, 14 insertions(+), 4 deletions(-)
> 
> diff --git a/drivers/gpu/drm/vc4/vc4_plane.c b/drivers/gpu/drm/vc4/vc4_plane.c
> index b5586c92bfe5..3d33fe3dacea 100644
> --- a/drivers/gpu/drm/vc4/vc4_plane.c
> +++ b/drivers/gpu/drm/vc4/vc4_plane.c
> @@ -227,7 +227,7 @@ static void vc4_plane_reset(struct drm_plane *plane)
>   	__drm_atomic_helper_plane_reset(plane, &vc4_state->base);
>   }
>   
> -static void vc4_dlist_write(struct vc4_plane_state *vc4_state, u32 val)
> +static void vc4_dlist_counter_increment(struct vc4_plane_state *vc4_state)
>   {
>   	if (vc4_state->dlist_count == vc4_state->dlist_size) {
>   		u32 new_size = max(4u, vc4_state->dlist_count * 2);
> @@ -242,7 +242,15 @@ static void vc4_dlist_write(struct vc4_plane_state *vc4_state, u32 val)
>   		vc4_state->dlist_size = new_size;
>   	}
>   
> -	vc4_state->dlist[vc4_state->dlist_count++] = val;
> +	vc4_state->dlist_count++;
> +}
> +
> +static void vc4_dlist_write(struct vc4_plane_state *vc4_state, u32 val)
> +{
> +	unsigned int idx = vc4_state->dlist_count;
> +
> +	vc4_dlist_counter_increment(vc4_state);
> +	vc4_state->dlist[idx] = val;
>   }
>   
>   /* Returns the scl0/scl1 field based on whether the dimensions need to
> @@ -1057,8 +1065,10 @@ static int vc4_plane_mode_set(struct drm_plane *plane,
>   		 * be set when calling vc4_plane_allocate_lbm().
>   		 */
>   		if (vc4_state->y_scaling[0] != VC4_SCALING_NONE ||
> -		    vc4_state->y_scaling[1] != VC4_SCALING_NONE)
> -			vc4_state->lbm_offset = vc4_state->dlist_count++;
> +		    vc4_state->y_scaling[1] != VC4_SCALING_NONE) {
> +			vc4_state->lbm_offset = vc4_state->dlist_count;
> +			vc4_dlist_counter_increment(vc4_state);
> +		}
>   
>   		if (num_planes > 1) {
>   			/* Emit Cb/Cr as channel 0 and Y as channel
> 

-- 
Thomas Zimmermann
Graphics Driver Developer
SUSE Software Solutions Germany GmbH
Maxfeldstr. 5, 90409 Nürnberg, Germany
(HRB 36809, AG Nürnberg)
Geschäftsführer: Felix Imendörffer

-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature
Type: application/pgp-signature
Size: 840 bytes
Desc: OpenPGP digital signature
URL: <https://lists.freedesktop.org/archives/dri-devel/attachments/20210202/385a525d/attachment.sig>

More information about the dri-devel mailing list