While the check for format_count > 64 in __drm_universal_plane_init()
shouldn't be hit (it's a WARN_ON), in its current position it will then
leak the plane->format_types array and fail to call
drm_mode_object_unregister() leaking the modeset identifier. Move it to
the start of the function to avoid allocating those resources in the
first place.
Signed-off-by: Steven Price <[email protected]>
---
drivers/gpu/drm/drm_plane.c | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/drivers/gpu/drm/drm_plane.c b/drivers/gpu/drm/drm_plane.c
index 82afb854141b..fd0bf90fb4c2 100644
--- a/drivers/gpu/drm/drm_plane.c
+++ b/drivers/gpu/drm/drm_plane.c
@@ -249,6 +249,13 @@ static int __drm_universal_plane_init(struct drm_device *dev,
if (WARN_ON(config->num_total_plane >= 32))
return -EINVAL;
+ /*
+ * First driver to need more than 64 formats needs to fix this. Each
+ * format is encoded as a bit and the current code only supports a u64.
+ */
+ if (WARN_ON(format_count > 64))
+ return -EINVAL;
+
WARN_ON(drm_drv_uses_atomic_modeset(dev) &&
(!funcs->atomic_destroy_state ||
!funcs->atomic_duplicate_state));
@@ -270,13 +277,6 @@ static int __drm_universal_plane_init(struct drm_device *dev,
return -ENOMEM;
}
- /*
- * First driver to need more than 64 formats needs to fix this. Each
- * format is encoded as a bit and the current code only supports a u64.
- */
- if (WARN_ON(format_count > 64))
- return -EINVAL;
-
if (format_modifiers) {
const uint64_t *temp_modifiers = format_modifiers;
--
2.25.1
On Fri, Dec 03, 2021 at 10:28:15AM +0000, Steven Price wrote:
> While the check for format_count > 64 in __drm_universal_plane_init()
> shouldn't be hit (it's a WARN_ON), in its current position it will then
> leak the plane->format_types array and fail to call
> drm_mode_object_unregister() leaking the modeset identifier. Move it to
> the start of the function to avoid allocating those resources in the
> first place.
>
> Signed-off-by: Steven Price <[email protected]>
Well spotted!
Reviewed-by: Liviu Dudau <[email protected]>
I'm going to wait to see if anyone else has any comments before I'll merge this into
drm-misc-fixes (or should it be drm-misc-next-fixes?)
Best regards,
Liviu
> ---
> drivers/gpu/drm/drm_plane.c | 14 +++++++-------
> 1 file changed, 7 insertions(+), 7 deletions(-)
>
> diff --git a/drivers/gpu/drm/drm_plane.c b/drivers/gpu/drm/drm_plane.c
> index 82afb854141b..fd0bf90fb4c2 100644
> --- a/drivers/gpu/drm/drm_plane.c
> +++ b/drivers/gpu/drm/drm_plane.c
> @@ -249,6 +249,13 @@ static int __drm_universal_plane_init(struct drm_device *dev,
> if (WARN_ON(config->num_total_plane >= 32))
> return -EINVAL;
>
> + /*
> + * First driver to need more than 64 formats needs to fix this. Each
> + * format is encoded as a bit and the current code only supports a u64.
> + */
> + if (WARN_ON(format_count > 64))
> + return -EINVAL;
> +
> WARN_ON(drm_drv_uses_atomic_modeset(dev) &&
> (!funcs->atomic_destroy_state ||
> !funcs->atomic_duplicate_state));
> @@ -270,13 +277,6 @@ static int __drm_universal_plane_init(struct drm_device *dev,
> return -ENOMEM;
> }
>
> - /*
> - * First driver to need more than 64 formats needs to fix this. Each
> - * format is encoded as a bit and the current code only supports a u64.
> - */
> - if (WARN_ON(format_count > 64))
> - return -EINVAL;
> -
> if (format_modifiers) {
> const uint64_t *temp_modifiers = format_modifiers;
>
> --
> 2.25.1
>
--
====================
| I would like to |
| fix the world, |
| but they're not |
| giving me the |
\ source code! /
---------------
¯\_(ツ)_/¯
On Thu, Apr 28, 2022 at 12:57:52PM +0100, Steven Price wrote:
> On 03/12/2021 13:08, Liviu Dudau wrote:
> > On Fri, Dec 03, 2021 at 10:28:15AM +0000, Steven Price wrote:
> >> While the check for format_count > 64 in __drm_universal_plane_init()
> >> shouldn't be hit (it's a WARN_ON), in its current position it will then
> >> leak the plane->format_types array and fail to call
> >> drm_mode_object_unregister() leaking the modeset identifier. Move it to
> >> the start of the function to avoid allocating those resources in the
> >> first place.
> >>
> >> Signed-off-by: Steven Price <[email protected]>
> >
> > Well spotted!
> >
> > Reviewed-by: Liviu Dudau <[email protected]>
> >
> > I'm going to wait to see if anyone else has any comments before I'll merge this into
> > drm-misc-fixes (or should it be drm-misc-next-fixes?)
>
> Gentle ping! I think we've probably waited long enough. Are you going to
> merge this or would you like me to?
Apologies for dropping this! I will push this one today.
Best regards,
Liviu
>
> Thanks,
>
> Steve
>
> > Best regards,
> > Liviu
> >
> >> ---
> >> drivers/gpu/drm/drm_plane.c | 14 +++++++-------
> >> 1 file changed, 7 insertions(+), 7 deletions(-)
> >>
> >> diff --git a/drivers/gpu/drm/drm_plane.c b/drivers/gpu/drm/drm_plane.c
> >> index 82afb854141b..fd0bf90fb4c2 100644
> >> --- a/drivers/gpu/drm/drm_plane.c
> >> +++ b/drivers/gpu/drm/drm_plane.c
> >> @@ -249,6 +249,13 @@ static int __drm_universal_plane_init(struct drm_device *dev,
> >> if (WARN_ON(config->num_total_plane >= 32))
> >> return -EINVAL;
> >>
> >> + /*
> >> + * First driver to need more than 64 formats needs to fix this. Each
> >> + * format is encoded as a bit and the current code only supports a u64.
> >> + */
> >> + if (WARN_ON(format_count > 64))
> >> + return -EINVAL;
> >> +
> >> WARN_ON(drm_drv_uses_atomic_modeset(dev) &&
> >> (!funcs->atomic_destroy_state ||
> >> !funcs->atomic_duplicate_state));
> >> @@ -270,13 +277,6 @@ static int __drm_universal_plane_init(struct drm_device *dev,
> >> return -ENOMEM;
> >> }
> >>
> >> - /*
> >> - * First driver to need more than 64 formats needs to fix this. Each
> >> - * format is encoded as a bit and the current code only supports a u64.
> >> - */
> >> - if (WARN_ON(format_count > 64))
> >> - return -EINVAL;
> >> -
> >> if (format_modifiers) {
> >> const uint64_t *temp_modifiers = format_modifiers;
> >>
> >> --
> >> 2.25.1
> >>
> >
>
--
====================
| I would like to |
| fix the world, |
| but they're not |
| giving me the |
\ source code! /
---------------
¯\_(ツ)_/¯
On 03/12/2021 13:08, Liviu Dudau wrote:
> On Fri, Dec 03, 2021 at 10:28:15AM +0000, Steven Price wrote:
>> While the check for format_count > 64 in __drm_universal_plane_init()
>> shouldn't be hit (it's a WARN_ON), in its current position it will then
>> leak the plane->format_types array and fail to call
>> drm_mode_object_unregister() leaking the modeset identifier. Move it to
>> the start of the function to avoid allocating those resources in the
>> first place.
>>
>> Signed-off-by: Steven Price <[email protected]>
>
> Well spotted!
>
> Reviewed-by: Liviu Dudau <[email protected]>
>
> I'm going to wait to see if anyone else has any comments before I'll merge this into
> drm-misc-fixes (or should it be drm-misc-next-fixes?)
Gentle ping! I think we've probably waited long enough. Are you going to
merge this or would you like me to?
Thanks,
Steve
> Best regards,
> Liviu
>
>> ---
>> drivers/gpu/drm/drm_plane.c | 14 +++++++-------
>> 1 file changed, 7 insertions(+), 7 deletions(-)
>>
>> diff --git a/drivers/gpu/drm/drm_plane.c b/drivers/gpu/drm/drm_plane.c
>> index 82afb854141b..fd0bf90fb4c2 100644
>> --- a/drivers/gpu/drm/drm_plane.c
>> +++ b/drivers/gpu/drm/drm_plane.c
>> @@ -249,6 +249,13 @@ static int __drm_universal_plane_init(struct drm_device *dev,
>> if (WARN_ON(config->num_total_plane >= 32))
>> return -EINVAL;
>>
>> + /*
>> + * First driver to need more than 64 formats needs to fix this. Each
>> + * format is encoded as a bit and the current code only supports a u64.
>> + */
>> + if (WARN_ON(format_count > 64))
>> + return -EINVAL;
>> +
>> WARN_ON(drm_drv_uses_atomic_modeset(dev) &&
>> (!funcs->atomic_destroy_state ||
>> !funcs->atomic_duplicate_state));
>> @@ -270,13 +277,6 @@ static int __drm_universal_plane_init(struct drm_device *dev,
>> return -ENOMEM;
>> }
>>
>> - /*
>> - * First driver to need more than 64 formats needs to fix this. Each
>> - * format is encoded as a bit and the current code only supports a u64.
>> - */
>> - if (WARN_ON(format_count > 64))
>> - return -EINVAL;
>> -
>> if (format_modifiers) {
>> const uint64_t *temp_modifiers = format_modifiers;
>>
>> --
>> 2.25.1
>>
>