drm/crtc: add sanity checks to create_dumb()

Lets make sure some basic expressions are always true:
  bpp != NULL
  width != NULL
  height != NULL
  stride = bpp * width < 2^32
  size = stride * height < 2^32
  PAGE_ALIGN(size) < 2^32

At least the udl driver doesn't check for multiplication-overflows, so
lets just make sure it will never happen. These checks allow drivers to do
any 32bit math without having to test for mult-overflows themselves.

The two divisions might hurt performance a bit, but dumb_create() is only
used for scanout-buffers, so that should be fine. We could use 64bit math
to avoid the divisions, but that may be slow on 32bit machines.. Or maybe
there should just be a "safe_mult32()" helper, which currently doesn't
exist (I think?).

Reviewed-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Signed-off-by: David Herrmann <dh.herrmann@gmail.com>

diff --git a/drivers/gpu/drm/drm_crtc.c b/drivers/gpu/drm/drm_crtc.c
index 35ea15d5ffffed35a4f494afe6df9a1a4e89a8ae..b1c2b278005c3de9661a64f964ef3a1cda3a0ca7 100644 (file)
--- a/drivers/gpu/drm/drm_crtc.c
+++ b/drivers/gpu/drm/drm_crtc.c
@@ -3784,9 +3784,26 @@ int drm_mode_create_dumb_ioctl(struct drm_device *dev,
                               void *data, struct drm_file *file_priv)
 {
        struct drm_mode_create_dumb *args = data;
+       u32 cpp, stride, size;
 
        if (!dev->driver->dumb_create)
                return -ENOSYS;
+       if (!args->width || !args->height || !args->bpp)
+               return -EINVAL;
+
+       /* overflow checks for 32bit size calculations */
+       cpp = DIV_ROUND_UP(args->bpp, 8);
+       if (cpp > 0xffffffffU / args->width)
+               return -EINVAL;
+       stride = cpp * args->width;
+       if (args->height > 0xffffffffU / stride)
+               return -EINVAL;
+
+       /* test for wrap-around */
+       size = args->height * stride;
+       if (PAGE_ALIGN(size) == 0)
+               return -EINVAL;
+
        return dev->driver->dumb_create(file_priv, dev, args);
 }