Message-ID: <CACSVV00-v=eyo8=-YwC6c-Yh2S__-sQ1LacLJaa7phP-6c9UXg@mail.gmail.com>
Date: Wed, 20 Aug 2025 17:03:29 -0700
From: Rob Clark <rob.clark@....qualcomm.com>
To: Connor Abbott <cwabbott0@...il.com>
Cc: dri-devel@...ts.freedesktop.org, linux-arm-msm@...r.kernel.org,
freedreno@...ts.freedesktop.org,
Akhil P Oommen <akhilpo@....qualcomm.com>,
Dmitry Baryshkov <lumag@...nel.org>,
Abhinav Kumar <abhinav.kumar@...ux.dev>,
Jessica Zhang <jessica.zhang@....qualcomm.com>,
Sean Paul <sean@...rly.run>,
Marijn Suijten <marijn.suijten@...ainline.org>,
David Airlie <airlied@...il.com>, Simona Vetter <simona@...ll.ch>,
open list <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH 3/3] drm/msm: Fix 32b size truncation
On Wed, Aug 20, 2025 at 6:51 AM Connor Abbott <cwabbott0@...il.com> wrote:
>
> On Tue, Aug 19, 2025 at 7:29 PM Rob Clark <robin.clark@....qualcomm.com> wrote:
> >
> > Somehow we never noticed this when arm64 became a thing, many years ago.
> >
> > Signed-off-by: Rob Clark <robin.clark@....qualcomm.com>
> > ---
> > drivers/gpu/drm/msm/msm_gem.c | 17 ++++++++---------
> > drivers/gpu/drm/msm/msm_gem.h | 6 +++---
> > 2 files changed, 11 insertions(+), 12 deletions(-)
> >
> > diff --git a/drivers/gpu/drm/msm/msm_gem.c b/drivers/gpu/drm/msm/msm_gem.c
> > index 958bac4e2768..9a935650e5e3 100644
> > --- a/drivers/gpu/drm/msm/msm_gem.c
> > +++ b/drivers/gpu/drm/msm/msm_gem.c
> > @@ -1142,7 +1142,7 @@ static int msm_gem_object_mmap(struct drm_gem_object *obj, struct vm_area_struct
> >
> > /* convenience method to construct a GEM buffer object, and userspace handle */
> > int msm_gem_new_handle(struct drm_device *dev, struct drm_file *file,
> > - uint32_t size, uint32_t flags, uint32_t *handle,
> > + size_t size, uint32_t flags, uint32_t *handle,
> > char *name)
> > {
> > struct drm_gem_object *obj;
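Review bot: Widening `size` to `size_t` in msm_gem_new_handle() removes the truncation only on 64-bit kernels; on a 32-bit build `size_t` is still 32 bits, so a caller holding a 64-bit byte count (presumably the ioctl path, which is outside this hunk) would still have it narrowed silently at the call and get a smaller object than it asked for instead of an error. The same applies to the msm_gem_new() and msm_gem_kernel_new() signatures changed in the later hunks and in msm_gem.h. I would have such callers reject anything that does not fit before calling, and state the contract above the function, e.g. `/* size is in bytes; callers holding a 64-bit value must reject sizes above SIZE_MAX before calling */`. The function body continues past the end of this hunk, so any existing validation inside it is not visible here.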
> > @@ -1208,9 +1208,8 @@ static const struct drm_gem_object_funcs msm_gem_object_funcs = {
> > .vm_ops = &vm_ops,
> > };
> >
> > -static int msm_gem_new_impl(struct drm_device *dev,
> > - uint32_t size, uint32_t flags,
> > - struct drm_gem_object **obj)
> > +static int msm_gem_new_impl(struct drm_device *dev, uint32_t flags,
> > + struct drm_gem_object **obj)
> > {
> > struct msm_drm_private *priv = dev->dev_private;
> > struct msm_gem_object *msm_obj;
> > @@ -1244,7 +1243,7 @@ static int msm_gem_new_impl(struct drm_device *dev,
> > return 0;
> > }
> >
> > -struct drm_gem_object *msm_gem_new(struct drm_device *dev, uint32_t size, uint32_t flags)
> > +struct drm_gem_object *msm_gem_new(struct drm_device *dev, size_t size, uint32_t flags)
> > {
> > struct msm_drm_private *priv = dev->dev_private;
> > struct msm_gem_object *msm_obj;
> > @@ -1259,7 +1258,7 @@ struct drm_gem_object *msm_gem_new(struct drm_device *dev, uint32_t size, uint32
> > if (size == 0)
> > return ERR_PTR(-EINVAL);
> >
> > - ret = msm_gem_new_impl(dev, size, flags, &obj);
> > + ret = msm_gem_new_impl(dev, flags, &obj);
> > if (ret)
> > return ERR_PTR(ret);
> >
> > @@ -1299,12 +1298,12 @@ struct drm_gem_object *msm_gem_import(struct drm_device *dev,
> > struct msm_drm_private *priv = dev->dev_private;
> > struct msm_gem_object *msm_obj;
> > struct drm_gem_object *obj;
> > - uint32_t size;
> > + size_t size;
> > int ret, npages;
>
> npages should also be size_t.
hmm, true.. a bit more of a theoretical overflow on existing devices,
but v2 will fix that
> >
> > size = PAGE_ALIGN(dmabuf->size);
> >
> > - ret = msm_gem_new_impl(dev, size, MSM_BO_WC, &obj);
> > + ret = msm_gem_new_impl(dev, MSM_BO_WC, &obj);
> > if (ret)
> > return ERR_PTR(ret);
> >
> > @@ -1347,7 +1346,7 @@ struct drm_gem_object *msm_gem_import(struct drm_device *dev,
> > return ERR_PTR(ret);
> > }
> >
> > -void *msm_gem_kernel_new(struct drm_device *dev, uint32_t size, uint32_t flags,
> > +void *msm_gem_kernel_new(struct drm_device *dev, size_t size, uint32_t flags,
> > struct drm_gpuvm *vm, struct drm_gem_object **bo,
> > uint64_t *iova)
> > {
> > diff --git a/drivers/gpu/drm/msm/msm_gem.h b/drivers/gpu/drm/msm/msm_gem.h
> > index 751c3b4965bc..a4cf31853c50 100644
> > --- a/drivers/gpu/drm/msm/msm_gem.h
> > +++ b/drivers/gpu/drm/msm/msm_gem.h
> > @@ -297,10 +297,10 @@ bool msm_gem_active(struct drm_gem_object *obj);
> > int msm_gem_cpu_prep(struct drm_gem_object *obj, uint32_t op, ktime_t *timeout);
> > int msm_gem_cpu_fini(struct drm_gem_object *obj);
> > int msm_gem_new_handle(struct drm_device *dev, struct drm_file *file,
> > - uint32_t size, uint32_t flags, uint32_t *handle, char *name);
> > + size_t size, uint32_t flags, uint32_t *handle, char *name);
> > struct drm_gem_object *msm_gem_new(struct drm_device *dev,
> > - uint32_t size, uint32_t flags);
> > -void *msm_gem_kernel_new(struct drm_device *dev, uint32_t size, uint32_t flags,
> > + size_t size, uint32_t flags);
> > +void *msm_gem_kernel_new(struct drm_device *dev, size_t size, uint32_t flags,
> > struct drm_gpuvm *vm, struct drm_gem_object **bo,
> > uint64_t *iova);
> > void msm_gem_kernel_put(struct drm_gem_object *bo, struct drm_gpuvm *vm);
> > --
> > 2.50.1
> >