Hi

On 01.06.26 at 17:49, Jani Nikula wrote:
On Mon, 01 Jun 2026, Jani Nikula <[email protected]> wrote:
On Mon, 01 Jun 2026, Jani Nikula <[email protected]> wrote:
On Fri, 29 May 2026, Thomas Zimmermann <[email protected]> wrote:
Rajat Gupta (1):
       drm: prevent integer overflows in dumb buffer creation helpers
Looks like this commit 5ab62dd3687b ("drm: prevent integer overflows in
dumb buffer creation helpers") regressed in our CI, awaiting
confirmation.

That CI report is where?

The IGT test kms_big_fb uses max width and height from GetResources, and
i915 and xe use max_width 16384 and max_height 16384 in mode config.

The regressing commit adds random hard limits not based on anything:

+       /* Reject unreasonable inputs early.  Dumb buffers are for software
+        * rendering; nothing legitimate needs more than 8192x8192 at 32bpp.
+        * This prevents overflows in downstream alignment helpers.
+        */
+       if (args->width >= 8192 || args->height >= 8192 || args->bpp > 32)
+               return -EINVAL;
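
Review bot: The bounds check `if (args->width >= 8192 || args->height >= 8192 || args->bpp > 32)` uses `>=`, so it rejects exactly 8192x8192 even though the comment directly above it says nothing needs more than 8192x8192. If 8192 is meant to be allowed, the comparison should be `>`. The limit is also a fixed constant rather than one derived from the device's mode config, and this thread reports i915 and xe advertising max_width and max_height of 16384, so sizes that userspace reads from GetResources now fail with -EINVAL. Suggest bounding width and height by the device's advertised maximums, or doing the overflow checking where the downstream alignment arithmetic happens, and documenting in the comment where any remaining limit comes from.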

This is now in v7.1-rc6. Please revert ASAP.
Ah, missed this clue in the pull request:

On Fri, 29 May 2026, Thomas Zimmermann <[email protected]> wrote:
here is this week's PR from drm-misc-fixes. There's one cross-subsys
commit to the dma-buf code. Commit 5ab62dd3687b ("drm: prevent integer
overflows in dumb buffer creation helpers") has no Link tag because
it went through the security list.
We have the whole review and CI processes in place to catch silly
mistakes, and then we proceed to shoot ourselves in the foot and bypass
all of that because "security", and expedite the regressions
everywhere. I'll bet this will be in stable kernels in no time too. This
is stupid.

Indeed. But that's how this fix got in.

It fixes a possible overflow elsewhere and using dumb buffers with higher values than given here is questionable. Instead of outright reverting this, let's first look at what actually broke.

Best regards
Thomas


Please also read [1] with its recent updates.


BR,
Jani.


[1] 
https://docs.kernel.org/process/security-bugs.html#what-qualifies-as-a-security-bug



BR,
Jani.


No matter what, it's immediately suspect because AFAICT it was not
posted on the lists, and the commit doesn't have a Link: trailer
pointing at the patch.

This is not how we're supposed to roll. What's going on?


BR,
Jani.

--
Thomas Zimmermann
Graphics Driver Developer
SUSE Software Solutions Germany GmbH
Frankenstr. 146, 90461 Nürnberg, Germany, www.suse.com
GF: Jochen Jaser, Andrew McDonald, Werner Knoblich, (HRB 36809, AG Nürnberg)