diff options
Diffstat (limited to '0002-drm-nouveau-fbcon-fix-out-of-bounds-memory-accesses.patch')
-rw-r--r-- | 0002-drm-nouveau-fbcon-fix-out-of-bounds-memory-accesses.patch | 138 |
1 files changed, 138 insertions, 0 deletions
diff --git a/0002-drm-nouveau-fbcon-fix-out-of-bounds-memory-accesses.patch b/0002-drm-nouveau-fbcon-fix-out-of-bounds-memory-accesses.patch new file mode 100644 index 000000000..d1c32b439 --- /dev/null +++ b/0002-drm-nouveau-fbcon-fix-out-of-bounds-memory-accesses.patch @@ -0,0 +1,138 @@ +From 02510a8805db2c3f8ca2926f90c4b3793934404a Mon Sep 17 00:00:00 2001 +From: Fedora Kernel Team <kernel-team@fedoraproject.org> +Date: Mon, 20 Jun 2016 14:51:45 +0200 +Subject: [PATCH 2/6] drm/nouveau/fbcon: fix out-of-bounds memory accesses + +Upstream: drm-fixes for 4.7 (and cc'd 4.6-stable) +commit f045f459d925138fe7d6193a8c86406bda7e49da + +Author: Ben Skeggs <bskeggs@redhat.com> +AuthorDate: Thu Jun 2 12:23:31 2016 +1000 +Commit: Ben Skeggs <bskeggs@redhat.com> +CommitDate: Thu Jun 2 13:53:44 2016 +1000 + + drm/nouveau/fbcon: fix out-of-bounds memory accesses + + Reported by KASAN. + + Signed-off-by: Ben Skeggs <bskeggs@redhat.com> + Cc: stable@vger.kernel.org +--- + drivers/gpu/drm/nouveau/nouveau_fbcon.c | 1 + + drivers/gpu/drm/nouveau/nv04_fbcon.c | 7 ++----- + drivers/gpu/drm/nouveau/nv50_fbcon.c | 6 ++---- + drivers/gpu/drm/nouveau/nvc0_fbcon.c | 6 ++---- + 4 files changed, 7 insertions(+), 13 deletions(-) + +diff --git a/drivers/gpu/drm/nouveau/nouveau_fbcon.c b/drivers/gpu/drm/nouveau/nouveau_fbcon.c +index 59f27e7..bd89c86 100644 +--- a/drivers/gpu/drm/nouveau/nouveau_fbcon.c ++++ b/drivers/gpu/drm/nouveau/nouveau_fbcon.c +@@ -557,6 +557,7 @@ nouveau_fbcon_init(struct drm_device *dev) + if (ret) + goto fini; + ++ fbcon->helper.fbdev->pixmap.buf_align = 4; + return 0; + + fini: +diff --git a/drivers/gpu/drm/nouveau/nv04_fbcon.c b/drivers/gpu/drm/nouveau/nv04_fbcon.c +index 789dc29..8f715fe 100644 +--- a/drivers/gpu/drm/nouveau/nv04_fbcon.c ++++ b/drivers/gpu/drm/nouveau/nv04_fbcon.c +@@ -82,7 +82,6 @@ nv04_fbcon_imageblit(struct fb_info *info, const struct fb_image *image) + uint32_t fg; + uint32_t bg; + uint32_t dsize; +- uint32_t width; + uint32_t *data = (uint32_t *)image->data; + int ret; + +@@ -93,9 +92,6 @@ nv04_fbcon_imageblit(struct fb_info *info, const struct fb_image *image) + if (ret) + return ret; + +- width = ALIGN(image->width, 8); +- dsize = ALIGN(width * image->height, 32) >> 5; +- + if (info->fix.visual == FB_VISUAL_TRUECOLOR || + info->fix.visual == FB_VISUAL_DIRECTCOLOR) { + fg = ((uint32_t *) info->pseudo_palette)[image->fg_color]; +@@ -111,10 +107,11 @@ nv04_fbcon_imageblit(struct fb_info *info, const struct fb_image *image) + ((image->dx + image->width) & 0xffff)); + OUT_RING(chan, bg); + OUT_RING(chan, fg); +- OUT_RING(chan, (image->height << 16) | width); ++ OUT_RING(chan, (image->height << 16) | image->width); + OUT_RING(chan, (image->height << 16) | image->width); + OUT_RING(chan, (image->dy << 16) | (image->dx & 0xffff)); + ++ dsize = ALIGN(image->width * image->height, 32) >> 5; + while (dsize) { + int iter_len = dsize > 128 ? 128 : dsize; + +diff --git a/drivers/gpu/drm/nouveau/nv50_fbcon.c b/drivers/gpu/drm/nouveau/nv50_fbcon.c +index e05499d..a4e259a 100644 +--- a/drivers/gpu/drm/nouveau/nv50_fbcon.c ++++ b/drivers/gpu/drm/nouveau/nv50_fbcon.c +@@ -95,7 +95,7 @@ nv50_fbcon_imageblit(struct fb_info *info, const struct fb_image *image) + struct nouveau_fbdev *nfbdev = info->par; + struct nouveau_drm *drm = nouveau_drm(nfbdev->dev); + struct nouveau_channel *chan = drm->channel; +- uint32_t width, dwords, *data = (uint32_t *)image->data; ++ uint32_t dwords, *data = (uint32_t *)image->data; + uint32_t mask = ~(~0 >> (32 - info->var.bits_per_pixel)); + uint32_t *palette = info->pseudo_palette; + int ret; +@@ -107,9 +107,6 @@ nv50_fbcon_imageblit(struct fb_info *info, const struct fb_image *image) + if (ret) + return ret; + +- width = ALIGN(image->width, 32); +- dwords = (width * image->height) >> 5; +- + BEGIN_NV04(chan, NvSub2D, 0x0814, 2); + if (info->fix.visual == FB_VISUAL_TRUECOLOR || + info->fix.visual == FB_VISUAL_DIRECTCOLOR) { +@@ -128,6 +125,7 @@ nv50_fbcon_imageblit(struct fb_info *info, const struct fb_image *image) + OUT_RING(chan, 0); + OUT_RING(chan, image->dy); + ++ dwords = ALIGN(image->width * image->height, 32) >> 5; + while (dwords) { + int push = dwords > 2047 ? 2047 : dwords; + +diff --git a/drivers/gpu/drm/nouveau/nvc0_fbcon.c b/drivers/gpu/drm/nouveau/nvc0_fbcon.c +index c97395b..f28315e 100644 +--- a/drivers/gpu/drm/nouveau/nvc0_fbcon.c ++++ b/drivers/gpu/drm/nouveau/nvc0_fbcon.c +@@ -95,7 +95,7 @@ nvc0_fbcon_imageblit(struct fb_info *info, const struct fb_image *image) + struct nouveau_fbdev *nfbdev = info->par; + struct nouveau_drm *drm = nouveau_drm(nfbdev->dev); + struct nouveau_channel *chan = drm->channel; +- uint32_t width, dwords, *data = (uint32_t *)image->data; ++ uint32_t dwords, *data = (uint32_t *)image->data; + uint32_t mask = ~(~0 >> (32 - info->var.bits_per_pixel)); + uint32_t *palette = info->pseudo_palette; + int ret; +@@ -107,9 +107,6 @@ nvc0_fbcon_imageblit(struct fb_info *info, const struct fb_image *image) + if (ret) + return ret; + +- width = ALIGN(image->width, 32); +- dwords = (width * image->height) >> 5; +- + BEGIN_NVC0(chan, NvSub2D, 0x0814, 2); + if (info->fix.visual == FB_VISUAL_TRUECOLOR || + info->fix.visual == FB_VISUAL_DIRECTCOLOR) { +@@ -128,6 +125,7 @@ nvc0_fbcon_imageblit(struct fb_info *info, const struct fb_image *image) + OUT_RING (chan, 0); + OUT_RING (chan, image->dy); + ++ dwords = ALIGN(image->width * image->height, 32) >> 5; + while (dwords) { + int push = dwords > 2047 ? 2047 : dwords; + +-- +2.7.4 + |