releases/4.6.5/drm-nouveau-fbcon-fix-out-of-bounds-memory-accesses.patch

   1 From f045f459d925138fe7d6193a8c86406bda7e49da Mon Sep 17 00:00:00 2001
   2 From: Ben Skeggs <bskeggs@redhat.com>
   3 Date: Thu, 2 Jun 2016 12:23:31 +1000
   4 Subject: drm/nouveau/fbcon: fix out-of-bounds memory accesses
   5
   6 From: Ben Skeggs <bskeggs@redhat.com>
   7
   8 commit f045f459d925138fe7d6193a8c86406bda7e49da upstream.
   9
  10 Reported by KASAN.
  11
  12 Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
  13 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  14
  15 ---
  16  drivers/gpu/drm/nouveau/nouveau_fbcon.c |    1 +
  17  drivers/gpu/drm/nouveau/nv04_fbcon.c    |    7 ++-----
  18  drivers/gpu/drm/nouveau/nv50_fbcon.c    |    6 ++----
  19  drivers/gpu/drm/nouveau/nvc0_fbcon.c    |    6 ++----
  20  4 files changed, 7 insertions(+), 13 deletions(-)
  21
  22 --- a/drivers/gpu/drm/nouveau/nouveau_fbcon.c
  23 +++ b/drivers/gpu/drm/nouveau/nouveau_fbcon.c
  24 @@ -557,6 +557,7 @@ nouveau_fbcon_init(struct drm_device *de
  25         if (ret)
  26                 goto fini;
  27
  28 +       fbcon->helper.fbdev->pixmap.buf_align = 4;
  29         return 0;
  30
  31  fini:
  32 --- a/drivers/gpu/drm/nouveau/nv04_fbcon.c
  33 +++ b/drivers/gpu/drm/nouveau/nv04_fbcon.c
  34 @@ -82,7 +82,6 @@ nv04_fbcon_imageblit(struct fb_info *inf
  35         uint32_t fg;
  36         uint32_t bg;
  37         uint32_t dsize;
  38 -       uint32_t width;
  39         uint32_t *data = (uint32_t *)image->data;
  40         int ret;
  41
  42 @@ -93,9 +92,6 @@ nv04_fbcon_imageblit(struct fb_info *inf
  43         if (ret)
  44                 return ret;
  45
  46 -       width = ALIGN(image->width, 8);
  47 -       dsize = ALIGN(width * image->height, 32) >> 5;
  48 -
  49         if (info->fix.visual == FB_VISUAL_TRUECOLOR ||
  50             info->fix.visual == FB_VISUAL_DIRECTCOLOR) {
  51                 fg = ((uint32_t *) info->pseudo_palette)[image->fg_color];
  52 @@ -111,10 +107,11 @@ nv04_fbcon_imageblit(struct fb_info *inf
  53                          ((image->dx + image->width) & 0xffff));
  54         OUT_RING(chan, bg);
  55         OUT_RING(chan, fg);
  56 -       OUT_RING(chan, (image->height << 16) | width);
  57 +       OUT_RING(chan, (image->height << 16) | image->width);
  58         OUT_RING(chan, (image->height << 16) | image->width);
  59         OUT_RING(chan, (image->dy << 16) | (image->dx & 0xffff));
  60
  61 +       dsize = ALIGN(image->width * image->height, 32) >> 5;
  62         while (dsize) {
  63                 int iter_len = dsize > 128 ? 128 : dsize;
  64
  65 --- a/drivers/gpu/drm/nouveau/nv50_fbcon.c
  66 +++ b/drivers/gpu/drm/nouveau/nv50_fbcon.c
  67 @@ -95,7 +95,7 @@ nv50_fbcon_imageblit(struct fb_info *inf
  68         struct nouveau_fbdev *nfbdev = info->par;
  69         struct nouveau_drm *drm = nouveau_drm(nfbdev->dev);
  70         struct nouveau_channel *chan = drm->channel;
  71 -       uint32_t width, dwords, *data = (uint32_t *)image->data;
  72 +       uint32_t dwords, *data = (uint32_t *)image->data;
  73         uint32_t mask = ~(~0 >> (32 - info->var.bits_per_pixel));
  74         uint32_t *palette = info->pseudo_palette;
  75         int ret;
  76 @@ -107,9 +107,6 @@ nv50_fbcon_imageblit(struct fb_info *inf
  77         if (ret)
  78                 return ret;
  79
  80 -       width = ALIGN(image->width, 32);
  81 -       dwords = (width * image->height) >> 5;
  82 -
  83         BEGIN_NV04(chan, NvSub2D, 0x0814, 2);
  84         if (info->fix.visual == FB_VISUAL_TRUECOLOR ||
  85             info->fix.visual == FB_VISUAL_DIRECTCOLOR) {
  86 @@ -128,6 +125,7 @@ nv50_fbcon_imageblit(struct fb_info *inf
  87         OUT_RING(chan, 0);
  88         OUT_RING(chan, image->dy);
  89
  90 +       dwords = ALIGN(image->width * image->height, 32) >> 5;
  91         while (dwords) {
  92                 int push = dwords > 2047 ? 2047 : dwords;
  93
  94 --- a/drivers/gpu/drm/nouveau/nvc0_fbcon.c
  95 +++ b/drivers/gpu/drm/nouveau/nvc0_fbcon.c
  96 @@ -95,7 +95,7 @@ nvc0_fbcon_imageblit(struct fb_info *inf
  97         struct nouveau_fbdev *nfbdev = info->par;
  98         struct nouveau_drm *drm = nouveau_drm(nfbdev->dev);
  99         struct nouveau_channel *chan = drm->channel;
 100 -       uint32_t width, dwords, *data = (uint32_t *)image->data;
 101 +       uint32_t dwords, *data = (uint32_t *)image->data;
 102         uint32_t mask = ~(~0 >> (32 - info->var.bits_per_pixel));
 103         uint32_t *palette = info->pseudo_palette;
 104         int ret;
 105 @@ -107,9 +107,6 @@ nvc0_fbcon_imageblit(struct fb_info *inf
 106         if (ret)
 107                 return ret;
 108
 109 -       width = ALIGN(image->width, 32);
 110 -       dwords = (width * image->height) >> 5;
 111 -
 112         BEGIN_NVC0(chan, NvSub2D, 0x0814, 2);
 113         if (info->fix.visual == FB_VISUAL_TRUECOLOR ||
 114             info->fix.visual == FB_VISUAL_DIRECTCOLOR) {
 115 @@ -128,6 +125,7 @@ nvc0_fbcon_imageblit(struct fb_info *inf
 116         OUT_RING  (chan, 0);
 117         OUT_RING  (chan, image->dy);
 118
 119 +       dwords = ALIGN(image->width * image->height, 32) >> 5;
 120         while (dwords) {
 121                 int push = dwords > 2047 ? 2047 : dwords;
 122