Hi

On 22.06.26 at 18:13, Thierry Reding wrote:
On Mon, Jun 22, 2026 at 03:19:39PM +0200, Thomas Zimmermann wrote:
The size of the mmap'ed framebuffer could be smaller than the minimum
required framebuffer size. Validate the resource size against the
framebuffer size.

Buggy firmware that triggers this check should be fixed up with a quirk
on a case-by-case basis.

Signed-off-by: Thomas Zimmermann <[email protected]>
Suggested-by: Sashiko <[email protected]>
---
  drivers/gpu/drm/sysfb/simpledrm.c | 25 +++++++++++++++++++++++++
  1 file changed, 25 insertions(+)

diff --git a/drivers/gpu/drm/sysfb/simpledrm.c 
b/drivers/gpu/drm/sysfb/simpledrm.c
index 76b9a3f5c4ef..a04f0c852ea4 100644
--- a/drivers/gpu/drm/sysfb/simpledrm.c
+++ b/drivers/gpu/drm/sysfb/simpledrm.c
@@ -6,6 +6,7 @@
  #include <linux/of_address.h>
  #include <linux/of_clk.h>
  #include <linux/of_reserved_mem.h>
+#include <linux/overflow.h>
  #include <linux/platform_data/simplefb.h>
  #include <linux/platform_device.h>
  #include <linux/pm.h>
@@ -624,6 +625,7 @@ static struct simpledrm_device 
*simpledrm_device_create(struct drm_driver *drv,
        u16 width_mm = 0, height_mm = 0;
        struct device_node *panel_node;
        const struct drm_format_info *format;
+       u64 size;
        struct resource *res, *mem = NULL;
        struct drm_plane *primary_plane;
        struct drm_crtc *crtc;
@@ -704,6 +706,15 @@ static struct simpledrm_device 
*simpledrm_device_create(struct drm_driver *drv,
                }
                stride = pitch;
        }
+       if (check_mul_overflow(height, stride, &size)) {
+               drm_err(dev, "framebuffer size exceeds maximum\n");
+               return ERR_PTR(-EINVAL);
+       }
+       size = ALIGN(size, PAGE_SIZE);
+       if (size < PAGE_SIZE) {
+               drm_err(dev, "framebuffer alignment exceeds maximum\n");
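
Review bot: the `size < PAGE_SIZE` test after `size = ALIGN(size, PAGE_SIZE);` is true for a wrapped result but also for a product of 0, so unless a zero height or stride is already rejected earlier in the function (not visible in these lines), a zero-sized framebuffer would be reported as exceeding a maximum. Consider testing for the wrap before aligning, for example `size > U64_MAX - (PAGE_SIZE - 1)`, or rejecting `size == 0` separately, and word the message so it says that the page-aligned size overflowed.
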
That error message doesn't make sense to me. Maybe "framebuffer
alignment below minimum", or something along those lines?

This tests that the align operation did not overflow size. The result would then be 0. With the earlier patches limiting the height and stride, and size being of type u64, it's not possible any longer, I think. But testing it doesn't really cost us much.

What do you think of "aligned framebuffer size exceeds maximum"?

Best regards
Thomas


With that fixed:

Reviewed-by: Thierry Reding <[email protected]>

--
Thomas Zimmermann
Graphics Driver Developer
SUSE Software Solutions Germany GmbH
Frankenstr. 146, 90461 Nürnberg, Germany, www.suse.com
GF: Jochen Jaser, Andrew McDonald, Werner Knoblich, (HRB 36809, AG Nürnberg)
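
The two overflow checks discussed in this thread, as an added user-space example that is not part of the patch or of the kernel sources. It uses __builtin_mul_overflow as a stand-in for check_mul_overflow(), assumes 4 KiB pages, and the names fb_size_check and align_up, the status codes and the form of the resource-size comparison are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

#define PAGE_SIZE 4096ULL /* assumption: 4 KiB pages */

enum fb_status { FB_OK, FB_MUL_OVERFLOW, FB_ALIGN_OVERFLOW, FB_RES_TOO_SMALL };

/* Round x up to a power-of-two boundary; the addition can wrap around. */
static uint64_t align_up(uint64_t x, uint64_t a)
{
	return (x + (a - 1)) & ~(a - 1);
}

/* Hypothetical helper: page-aligned size of height * stride, checked
 * against the size of the memory resource that backs the framebuffer. */
static enum fb_status fb_size_check(uint64_t height, uint64_t stride,
				    uint64_t res_size, uint64_t *out)
{
	uint64_t size;

	/* Stand-in for check_mul_overflow(height, stride, &size). */
	if (__builtin_mul_overflow(height, stride, &size))
		return FB_MUL_OVERFLOW;
	/* A product above UINT64_MAX - (PAGE_SIZE - 1) wraps to 0 here;
	 * a zero product takes the same branch. */
	size = align_up(size, PAGE_SIZE);
	if (size < PAGE_SIZE)
		return FB_ALIGN_OVERFLOW;
	/* Assumed form of the resource check; not shown in the quoted hunk. */
	if (res_size < size)
		return FB_RES_TOO_SMALL;
	*out = size;
	return FB_OK;
}

int main(void)
{
	uint64_t out = 0;

	/* Constructed inputs, one per outcome. */
	printf("%d\n", fb_size_check(3, 1000, 4096, &out));
	printf("%d\n", fb_size_check(3, 1000, 3000, &out));
	printf("%d\n", fb_size_check(1ULL << 32, 1ULL << 32, UINT64_MAX, &out));
	printf("%d\n", fb_size_check(1, UINT64_MAX, UINT64_MAX, &out));
	return 0;
}
```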

