User space can send us all kinds of nonsense for num_crtc, num_encoder,
num_connector, or num_plane. So far, we have been checking only for
presence of at least one CRTC/encoder/connector (barring the trivial
case of a render node with no display resources, i.e., GPGPU node).
This patch makes the ioctl fail if user space requests more resources
than the physical GPU has. This is primarily to protect the kmalloc
in drm_mode_group_init from hogging a big chunk of memory if some
bozo sends us a request for some huge number of CRTCs, encoders,
or connectors.
v2: - fail when user space asks for more planes than available
from physical device, but still allow zero planes
(which is a legitimate case)
Signed-off-by: Ilija Hadzic <ihad...@research.bell-labs.com>
---
drivers/gpu/drm/drm_stub.c | 9 ++++++---
1 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/drivers/gpu/drm/drm_stub.c b/drivers/gpu/drm/drm_stub.c
index 20c72b0..7aa54fb 100644
--- a/drivers/gpu/drm/drm_stub.c
+++ b/drivers/gpu/drm/drm_stub.c
@@ -574,9 +574,12 @@ int drm_render_node_create_ioctl(struct drm_device *dev,
void *data,
return ret;
}
- /* if we have display resources, then we need at least
- * one CRTC, one encoder and one connector */
- if (args->num_crtc == 0 ||
+ /* sanity check for requested num_crtc/_encoder/_connector/_plane */
+ if (args->num_crtc > dev->mode_config.num_crtc ||
+ args->num_encoder > dev->mode_config.num_encoder ||
+ args->num_encoder > dev->mode_config.num_connector ||
+ args->num_plane > dev->mode_config.num_plane ||
+ args->num_crtc == 0 ||
args->num_encoder == 0 ||
args->num_connector == 0)
return -EINVAL;
--
1.7.8.5
_______________________________________________
dri-devel mailing list
dri-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/dri-devel
