Received: by 2002:a05:6a10:1a4d:0:0:0:0 with SMTP id nk13csp874354pxb; Tue, 1 Feb 2022 12:11:58 -0800 (PST) X-Google-Smtp-Source: ABdhPJxw2GtD1K61NqYmU7uw2XVnFbTYTkPEEke4iFworApi1DvKsAmuCzCLqFszDNdvfW6kkxql X-Received: by 2002:a17:902:ee51:: with SMTP id 17mr9149481plo.56.1643746318489; Tue, 01 Feb 2022 12:11:58 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1643746318; cv=none; d=google.com; s=arc-20160816; b=LUC7sizm3VhpHjeGXZ1HEft7SsEUx/GRBe9e1Q/C+SkX3RGhHMrAH23Elmj44bgUNc jp1Gp26ts2Eo+j/u0g7iXVarQw035N6Sis26zUnqWv+AUd74sWypyHWLmER3DOnJ0avj IoUgY6CWzNjkSWNhm4+sd7LgIafvVqSw8zqGHbgz2s/YN5hxzuzefMQqeJGSBOhqxK+g gmX6k52STbu7M/jjER1MJprQBAIsWvmRoYjjZfb/U7qK0H27tVe8DRQ/9XI3UjtDbNYe FB6PITavvpTyTKORS8YdVIIoizVLz946YSa4qBDqt8CKHSD7qVlwFscTI+wxl6myTuSE oHVg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=3sWWnHByrTkCL1kct+NlTKuoHPYDfgS0z9XaAbHPEgY=; b=t6ekyCBgkOq43oty6X7UHcPBo25dnlhw3O/sRNqSuukAtt++h0wwD9J/H4N7BAFX5b cA8WCi9O3MDqd7EkksgegeamFEA6yIr1+pUpWkk+zDL+g70e3ZArft00o3HuedF8chVL Xyg3GiWqFo8DRfmjmP1bqQSG8znadFUA6jRoS51YhCGxnAsr41JkiiN5DhTu+KZ6Qy3t 2a1Lr2j9QvPvK9R2cQZYblLndQEL52fX9ONE44G9w6Y+odB0GjHxV+Oxw32ASPa3+2YK oq1kTs5NEYl3EvSxf6o0f7ZX+zHxUxMfN0cp7FqoVV2NOVil0XBWxmmdZRyNxMR6EkWi i9yg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=a7tCaOMy; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id t3si15491037plz.206.2022.02.01.12.11.46; Tue, 01 Feb 2022 12:11:58 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=a7tCaOMy; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1378410AbiAaLs2 (ORCPT + 99 others); Mon, 31 Jan 2022 06:48:28 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:51600 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1359446AbiAaLgG (ORCPT ); Mon, 31 Jan 2022 06:36:06 -0500 Received: from ams.source.kernel.org (ams.source.kernel.org [IPv6:2604:1380:4601:e00::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id ACCAAC0797AA; Mon, 31 Jan 2022 03:24:15 -0800 (PST) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id 6DD62B82A59; Mon, 31 Jan 2022 11:24:14 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 40E78C340E8; Mon, 31 Jan 2022 11:24:12 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1643628253; bh=MBN22VmzfNkPcLqzGiCFTU1wm89FYeeBn5uoaTj78F8=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=a7tCaOMy0dgYBt/n9OXIEQcfFMI+6dCK5WUs/FJwduZYisNEhE0kMg8CyM3L+Fv6f 8RyCZNOpZhJ0whEfcJpJKUMFOPESKEVaITe8qG+vJ7/RcPpHFepUQhNPVqePQQVKYF cLyKTuOBIurwiNnNJS1tXmNvuqMLaRNodVAAuP3Q= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Michael Kelley , Haiyang Zhang , Helge Deller , Wei Liu , Sasha Levin Subject: [PATCH 5.16 166/200] video: hyperv_fb: Fix validation of screen resolution Date: Mon, 31 Jan 2022 11:57:09 +0100 Message-Id: <20220131105239.137560916@linuxfoundation.org> X-Mailer: git-send-email 2.35.1 In-Reply-To: <20220131105233.561926043@linuxfoundation.org> References: <20220131105233.561926043@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Michael Kelley [ Upstream commit 9ff5549b1d1d3c3a9d71220d44bd246586160f1d ] In the WIN10 version of the Synthetic Video protocol with Hyper-V, Hyper-V reports a list of supported resolutions as part of the protocol negotiation. The driver calculates the maximum width and height from the list of resolutions, and uses those maximums to validate any screen resolution specified in the video= option on the kernel boot line. This method of validation is incorrect. For example, the list of supported resolutions could contain 1600x1200 and 1920x1080, both of which fit in an 8 Mbyte frame buffer. But calculating the max width and height yields 1920 and 1200, and 1920x1200 resolution does not fit in an 8 Mbyte frame buffer. Unfortunately, this resolution is accepted, causing a kernel fault when the driver accesses memory outside the frame buffer. Instead, validate the specified screen resolution by calculating its size, and comparing against the frame buffer size. Delete the code for calculating the max width and height from the list of resolutions, since these max values have no use. Also add the frame buffer size to the info message to aid in understanding why a resolution might be rejected. Fixes: 67e7cdb4829d ("video: hyperv: hyperv_fb: Obtain screen resolution from Hyper-V host") Signed-off-by: Michael Kelley Reviewed-by: Haiyang Zhang Acked-by: Helge Deller Link: https://lore.kernel.org/r/1642360711-2335-1-git-send-email-mikelley@microsoft.com Signed-off-by: Wei Liu Signed-off-by: Sasha Levin --- drivers/video/fbdev/hyperv_fb.c | 16 +++------------- 1 file changed, 3 insertions(+), 13 deletions(-) diff --git a/drivers/video/fbdev/hyperv_fb.c b/drivers/video/fbdev/hyperv_fb.c index 23999df527393..c8e0ea27caf1d 100644 --- a/drivers/video/fbdev/hyperv_fb.c +++ b/drivers/video/fbdev/hyperv_fb.c @@ -287,8 +287,6 @@ struct hvfb_par { static uint screen_width = HVFB_WIDTH; static uint screen_height = HVFB_HEIGHT; -static uint screen_width_max = HVFB_WIDTH; -static uint screen_height_max = HVFB_HEIGHT; static uint screen_depth; static uint screen_fb_size; static uint dio_fb_size; /* FB size for deferred IO */ @@ -582,7 +580,6 @@ static int synthvid_get_supported_resolution(struct hv_device *hdev) int ret = 0; unsigned long t; u8 index; - int i; memset(msg, 0, sizeof(struct synthvid_msg)); msg->vid_hdr.type = SYNTHVID_RESOLUTION_REQUEST; @@ -613,13 +610,6 @@ static int synthvid_get_supported_resolution(struct hv_device *hdev) goto out; } - for (i = 0; i < msg->resolution_resp.resolution_count; i++) { - screen_width_max = max_t(unsigned int, screen_width_max, - msg->resolution_resp.supported_resolution[i].width); - screen_height_max = max_t(unsigned int, screen_height_max, - msg->resolution_resp.supported_resolution[i].height); - } - screen_width = msg->resolution_resp.supported_resolution[index].width; screen_height = @@ -941,7 +931,7 @@ static void hvfb_get_option(struct fb_info *info) if (x < HVFB_WIDTH_MIN || y < HVFB_HEIGHT_MIN || (synthvid_ver_ge(par->synthvid_version, SYNTHVID_VERSION_WIN10) && - (x > screen_width_max || y > screen_height_max)) || + (x * y * screen_depth / 8 > screen_fb_size)) || (par->synthvid_version == SYNTHVID_VERSION_WIN8 && x * y * screen_depth / 8 > SYNTHVID_FB_SIZE_WIN8) || (par->synthvid_version == SYNTHVID_VERSION_WIN7 && @@ -1194,8 +1184,8 @@ static int hvfb_probe(struct hv_device *hdev, } hvfb_get_option(info); - pr_info("Screen resolution: %dx%d, Color depth: %d\n", - screen_width, screen_height, screen_depth); + pr_info("Screen resolution: %dx%d, Color depth: %d, Frame buffer size: %d\n", + screen_width, screen_height, screen_depth, screen_fb_size); ret = hvfb_getmem(hdev, info); if (ret) { -- 2.34.1