From b9ec6793355647bcbcecb21ef6cd179469d3f191 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Ville=20Syrj=C3=A4l=C3=A4?=
Date: Fri, 29 Nov 2024 08:50:13 +0200
Subject: [PATCH] drm/i915/fb: Check that the clear color fits within the BO
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

Make sure the user supplied offset[] for the clear color plane fits within the actual BO. Note that we use tile units to track the size here. All the other color/aux planes are already being checked correctly.

Cc: Sagar Ghuge
Cc: Nanley Chery
Cc: Xi Ruoyao
Signed-off-by: Ville Syrjälä
Link: https://patchwork.freedesktop.org/patch/msgid/20241129065014.8363-4-ville.syrjala@linux.intel.com
Reviewed-by: José Roberto de Souza
---
 drivers/gpu/drm/i915/display/intel_fb.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/drivers/gpu/drm/i915/display/intel_fb.c b/drivers/gpu/drm/i915/display/intel_fb.c
index e478d412785e..9f7f1b9f3275 100644
--- a/drivers/gpu/drm/i915/display/intel_fb.c
+++ b/drivers/gpu/drm/i915/display/intel_fb.c
@@ -1694,6 +1694,8 @@ int intel_fill_fb_info(struct drm_i915_private *i915, struct intel_framebuffer *
 * arithmetic related to alignment and offset calculation.
 */
 if (is_gen12_ccs_cc_plane(&fb->base, i)) {
+ unsigned int end;
+
 if (!IS_ALIGNED(fb->base.offsets[i], 64)) {
 drm_dbg_kms(&i915->drm,
 "fb misaligned clear color plane %d offset (0x%x)\n",
@@ -1701,6 +1703,14 @@ int intel_fill_fb_info(struct drm_i915_private *i915, struct intel_framebuffer *
 return -EINVAL;
 }
 
+ if (check_add_overflow(fb->base.offsets[i], 64, &end)) {
+ drm_dbg_kms(&i915->drm,
+ "fb bad clear color plane %d offset (0x%x)\n",
+ i, fb->base.offsets[i]);
+ return -EINVAL;
+ }
+
+ max_size = max(max_size, DIV_ROUND_UP(end, tile_size));
 continue;
 }
 
-- 
2.25.1
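Review bot: The literal `64` in the new `check_add_overflow(fb->base.offsets[i], 64, &end)` is the length of the region being bounds-checked, but it is written the same way as the alignment in `IS_ALIGNED(fb->base.offsets[i], 64)` just above. Nothing tells a reader which one is the plane size. Because `offsets[]` is user supplied, I would name the size once and use that name wherever the plane is accessed, or at least add a comment such as `/* clear color plane spans 64 bytes from offsets[i]; bound enforced via max_size */`. In the second hunk the new branch returns -EINVAL only when the addition wraps. An offset that is merely past the end of the BO is rejected only if `max_size` is later compared with the object size, and that comparison is outside the hunk, so please confirm it runs before any code reads the plane. The bound is also rounded up to `tile_size` units, which is set outside the hunk; a short comment stating that granularity would help.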