git.ipfire.org Git - thirdparty/kernel/linux.git/commit

author	Rajat Gupta <rajat.gupta@oss.qualcomm.com>
	Thu, 21 May 2026 05:11:21 +0000 (22:11 -0700)
committer	Thomas Zimmermann <tzimmermann@suse.de>
	Fri, 29 May 2026 06:30:47 +0000 (08:30 +0200)
commit	5ab62dd3687bcc2cc542b99385aabac5c996db6f
tree	eecadb300b76ea23b1b950f9fa216a721392987f	tree \| snapshot
parent	ead6680f354f83966c796fc7f9463a3171789616	commit \| diff

drm: prevent integer overflows in dumb buffer creation helpers

Fix integer overflow issues in the dumb buffer creation path:

1. drm_mode_create_dumb() does not bound width, height, or bpp
   before passing them to driver callbacks.  Downstream helpers
   (e.g. drm_gem_dma_dumb_create_internal) perform pitch/size
   alignment in u32 arithmetic that can overflow for extreme
   values.  Add hard limits: width and height < 8192, bpp <= 32.
   No legitimate software rendering use case exceeds these.

2. drm_mode_align_dumb() uses roundup(pitch, hw_pitch_align)
   without checking for overflow.  If pitch is near U32_MAX,
   roundup() wraps to a small value, making subsequent
   check_mul_overflow() pass with a much smaller pitch than
   intended.  Add an overflow check after roundup.

3. drm_mode_align_dumb() uses ALIGN(size, hw_size_align) which
   only works correctly for power-of-two alignment values.
   Replace with roundup() which works for any alignment.

Suggested-by: Thomas Zimmermann <tzimmermann@suse.de>
Signed-off-by: Rajat Gupta <rajat.gupta@oss.qualcomm.com>
Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de>