Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit e687d691 authored by Bruno Prémont's avatar Bruno Prémont Committed by Linus Torvalds
Browse files

viafb: fix crashes due to 4k stack overflow 



The function viafb_cursor() uses 2 stack-variables of CURSOR_SIZE bits;
CURSOR_SIZE is defined as (8 * 1024).  Using up twice 1k on stack is too
much for 4k-stack (though it works with 8k-stacks).  Make those two
variables kzalloc'ed to preserve stack space.

Also merge the whole lot of local struct's in viafb_ioctl into a union so
the stack usage gets minimized here as well.  (struct's are only accessed
in their indicidual IOCTL case) This second part is only compile-tested as
I know of no userspace app using the IOCTLs.

Signed-off-by: default avatarBruno Prémont <bonbons@linux-vserver.org>
Cc: <JosephChan@via.com.tw>
Cc: Krzysztof Helt <krzysztof.h1@poczta.fm>
Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
parent c644f0e4

drivers/video/via/viafbdev.c

+129 −119
Original line number Original line Diff line number Diff line
@@ -546,23 +546,25 @@ static int viafb_blank(int blank_mode, struct fb_info *info) 




static int viafb_ioctl(struct fb_info *info, u_int cmd, u_long arg)

static int viafb_ioctl(struct fb_info *info, u_int cmd, u_long arg)

{

{

	union {

		struct viafb_ioctl_mode viamode;

		struct viafb_ioctl_mode viamode;

		struct viafb_ioctl_samm viasamm;

		struct viafb_ioctl_samm viasamm;

		struct viafb_driver_version driver_version;

		struct viafb_driver_version driver_version;

		struct fb_var_screeninfo sec_var;

		struct fb_var_screeninfo sec_var;

		struct _panel_size_pos_info panel_pos_size_para;

		struct _panel_size_pos_info panel_pos_size_para;

		struct viafb_ioctl_setting viafb_setting;

		struct device_t active_dev;

	} u;

	u32 state_info = 0;

	u32 state_info = 0;

	u32 viainfo_size = sizeof(struct viafb_ioctl_info);

	u32 *viafb_gamma_table;

	u32 *viafb_gamma_table;

	char driver_name[] = "viafb";

	char driver_name[] = "viafb";





	u32 __user *argp = (u32 __user *) arg;

	u32 __user *argp = (u32 __user *) arg;

	u32 gpu32;

	u32 gpu32;

	u32 video_dev_info = 0;

	u32 video_dev_info = 0;

	struct viafb_ioctl_setting viafb_setting = {};

	struct device_t active_dev = {};





	DEBUG_MSG(KERN_INFO "viafb_ioctl: 0x%X !!\n", cmd);

	DEBUG_MSG(KERN_INFO "viafb_ioctl: 0x%X !!\n", cmd);

	memset(&u, 0, sizeof(u));





	switch (cmd) {

	switch (cmd) {

	case VIAFB_GET_CHIP_INFO:

	case VIAFB_GET_CHIP_INFO:
@@ -571,7 +573,7 @@ static int viafb_ioctl(struct fb_info *info, u_int cmd, u_long arg) 
			return -EFAULT;

			return -EFAULT;

		break;

		break;

	case VIAFB_GET_INFO_SIZE:

	case VIAFB_GET_INFO_SIZE:

		return put_user(viainfo_size, argp);

		return put_user((u32)sizeof(struct viafb_ioctl_info), argp);

	case VIAFB_GET_INFO:

	case VIAFB_GET_INFO:

		return viafb_ioctl_get_viafb_info(arg);

		return viafb_ioctl_get_viafb_info(arg);

	case VIAFB_HOTPLUG:

	case VIAFB_HOTPLUG:
@@ -584,60 +586,60 @@ static int viafb_ioctl(struct fb_info *info, u_int cmd, u_long arg) 
		viafb_hotplug = (gpu32) ? 1 : 0;

		viafb_hotplug = (gpu32) ? 1 : 0;

		break;

		break;

	case VIAFB_GET_RESOLUTION:

	case VIAFB_GET_RESOLUTION:

		viamode.xres = (u32) viafb_hotplug_Xres;

		u.viamode.xres = (u32) viafb_hotplug_Xres;

		viamode.yres = (u32) viafb_hotplug_Yres;

		u.viamode.yres = (u32) viafb_hotplug_Yres;

		viamode.refresh = (u32) viafb_hotplug_refresh;

		u.viamode.refresh = (u32) viafb_hotplug_refresh;

		viamode.bpp = (u32) viafb_hotplug_bpp;

		u.viamode.bpp = (u32) viafb_hotplug_bpp;

		if (viafb_SAMM_ON == 1) {

		if (viafb_SAMM_ON == 1) {

			viamode.xres_sec = viafb_second_xres;

			u.viamode.xres_sec = viafb_second_xres;

			viamode.yres_sec = viafb_second_yres;

			u.viamode.yres_sec = viafb_second_yres;

			viamode.virtual_xres_sec = viafb_second_virtual_xres;

			u.viamode.virtual_xres_sec = viafb_second_virtual_xres;

			viamode.virtual_yres_sec = viafb_second_virtual_yres;

			u.viamode.virtual_yres_sec = viafb_second_virtual_yres;

			viamode.refresh_sec = viafb_refresh1;

			u.viamode.refresh_sec = viafb_refresh1;

			viamode.bpp_sec = viafb_bpp1;

			u.viamode.bpp_sec = viafb_bpp1;

		} else {

		} else {

			viamode.xres_sec = 0;

			u.viamode.xres_sec = 0;

			viamode.yres_sec = 0;

			u.viamode.yres_sec = 0;

			viamode.virtual_xres_sec = 0;

			u.viamode.virtual_xres_sec = 0;

			viamode.virtual_yres_sec = 0;

			u.viamode.virtual_yres_sec = 0;

			viamode.refresh_sec = 0;

			u.viamode.refresh_sec = 0;

			viamode.bpp_sec = 0;

			u.viamode.bpp_sec = 0;

		}

		}

		if (copy_to_user(argp, &viamode, sizeof(viamode)))

		if (copy_to_user(argp, &u.viamode, sizeof(u.viamode)))

			return -EFAULT;

			return -EFAULT;

		break;

		break;

	case VIAFB_GET_SAMM_INFO:

	case VIAFB_GET_SAMM_INFO:

		viasamm.samm_status = viafb_SAMM_ON;

		u.viasamm.samm_status = viafb_SAMM_ON;





		if (viafb_SAMM_ON == 1) {

		if (viafb_SAMM_ON == 1) {

			if (viafb_dual_fb) {

			if (viafb_dual_fb) {

				viasamm.size_prim = viaparinfo->fbmem_free;

				u.viasamm.size_prim = viaparinfo->fbmem_free;

				viasamm.size_sec = viaparinfo1->fbmem_free;

				u.viasamm.size_sec = viaparinfo1->fbmem_free;

			} else {

			} else {

				if (viafb_second_size) {

				if (viafb_second_size) {

					viasamm.size_prim =

					u.viasamm.size_prim =

					    viaparinfo->fbmem_free -

					    viaparinfo->fbmem_free -

					    viafb_second_size * 1024 * 1024;

					    viafb_second_size * 1024 * 1024;

					viasamm.size_sec =

					u.viasamm.size_sec =

					    viafb_second_size * 1024 * 1024;

					    viafb_second_size * 1024 * 1024;

				} else {

				} else {

					viasamm.size_prim =

					u.viasamm.size_prim =

					    viaparinfo->fbmem_free >> 1;

					    viaparinfo->fbmem_free >> 1;

					viasamm.size_sec =

					u.viasamm.size_sec =

					    (viaparinfo->fbmem_free >> 1);

					    (viaparinfo->fbmem_free >> 1);

				}

				}

			}

			}

			viasamm.mem_base = viaparinfo->fbmem;

			u.viasamm.mem_base = viaparinfo->fbmem;

			viasamm.offset_sec = viafb_second_offset;

			u.viasamm.offset_sec = viafb_second_offset;

		} else {

		} else {

			viasamm.size_prim =

			u.viasamm.size_prim =

			    viaparinfo->memsize - viaparinfo->fbmem_used;

			    viaparinfo->memsize - viaparinfo->fbmem_used;

			viasamm.size_sec = 0;

			u.viasamm.size_sec = 0;

			viasamm.mem_base = viaparinfo->fbmem;

			u.viasamm.mem_base = viaparinfo->fbmem;

			viasamm.offset_sec = 0;

			u.viasamm.offset_sec = 0;

		}

		}





		if (copy_to_user(argp, &viasamm, sizeof(viasamm)))

		if (copy_to_user(argp, &u.viasamm, sizeof(u.viasamm)))

			return -EFAULT;

			return -EFAULT;





		break;

		break;
@@ -662,74 +664,75 @@ static int viafb_ioctl(struct fb_info *info, u_int cmd, u_long arg) 
			viafb_lcd_disable();

			viafb_lcd_disable();

		break;

		break;

	case VIAFB_SET_DEVICE:

	case VIAFB_SET_DEVICE:

		if (copy_from_user(&active_dev, (void *)argp,

		if (copy_from_user(&u.active_dev, (void *)argp,

			sizeof(active_dev)))

			sizeof(u.active_dev)))

			return -EFAULT;

			return -EFAULT;

		viafb_set_device(active_dev);

		viafb_set_device(u.active_dev);

		viafb_set_par(info);

		viafb_set_par(info);

		break;

		break;

	case VIAFB_GET_DEVICE:

	case VIAFB_GET_DEVICE:

		active_dev.crt = viafb_CRT_ON;

		u.active_dev.crt = viafb_CRT_ON;

		active_dev.dvi = viafb_DVI_ON;

		u.active_dev.dvi = viafb_DVI_ON;

		active_dev.lcd = viafb_LCD_ON;

		u.active_dev.lcd = viafb_LCD_ON;

		active_dev.samm = viafb_SAMM_ON;

		u.active_dev.samm = viafb_SAMM_ON;

		active_dev.primary_dev = viafb_primary_dev;

		u.active_dev.primary_dev = viafb_primary_dev;





		active_dev.lcd_dsp_cent = viafb_lcd_dsp_method;

		u.active_dev.lcd_dsp_cent = viafb_lcd_dsp_method;

		active_dev.lcd_panel_id = viafb_lcd_panel_id;

		u.active_dev.lcd_panel_id = viafb_lcd_panel_id;

		active_dev.lcd_mode = viafb_lcd_mode;

		u.active_dev.lcd_mode = viafb_lcd_mode;





		active_dev.xres = viafb_hotplug_Xres;

		u.active_dev.xres = viafb_hotplug_Xres;

		active_dev.yres = viafb_hotplug_Yres;

		u.active_dev.yres = viafb_hotplug_Yres;





		active_dev.xres1 = viafb_second_xres;

		u.active_dev.xres1 = viafb_second_xres;

		active_dev.yres1 = viafb_second_yres;

		u.active_dev.yres1 = viafb_second_yres;





		active_dev.bpp = viafb_bpp;

		u.active_dev.bpp = viafb_bpp;

		active_dev.bpp1 = viafb_bpp1;

		u.active_dev.bpp1 = viafb_bpp1;

		active_dev.refresh = viafb_refresh;

		u.active_dev.refresh = viafb_refresh;

		active_dev.refresh1 = viafb_refresh1;

		u.active_dev.refresh1 = viafb_refresh1;





		active_dev.epia_dvi = viafb_platform_epia_dvi;

		u.active_dev.epia_dvi = viafb_platform_epia_dvi;

		active_dev.lcd_dual_edge = viafb_device_lcd_dualedge;

		u.active_dev.lcd_dual_edge = viafb_device_lcd_dualedge;

		active_dev.bus_width = viafb_bus_width;

		u.active_dev.bus_width = viafb_bus_width;





		if (copy_to_user(argp, &active_dev, sizeof(active_dev)))

		if (copy_to_user(argp, &u.active_dev, sizeof(u.active_dev)))

			return -EFAULT;

			return -EFAULT;

		break;

		break;





	case VIAFB_GET_DRIVER_VERSION:

	case VIAFB_GET_DRIVER_VERSION:

		driver_version.iMajorNum = VERSION_MAJOR;

		u.driver_version.iMajorNum = VERSION_MAJOR;

		driver_version.iKernelNum = VERSION_KERNEL;

		u.driver_version.iKernelNum = VERSION_KERNEL;

		driver_version.iOSNum = VERSION_OS;

		u.driver_version.iOSNum = VERSION_OS;

		driver_version.iMinorNum = VERSION_MINOR;

		u.driver_version.iMinorNum = VERSION_MINOR;





		if (copy_to_user(argp, &driver_version,

		if (copy_to_user(argp, &u.driver_version,

			sizeof(driver_version)))

			sizeof(u.driver_version)))

			return -EFAULT;

			return -EFAULT;





		break;

		break;





	case VIAFB_SET_DEVICE_INFO:

	case VIAFB_SET_DEVICE_INFO:

		if (copy_from_user(&viafb_setting,

		if (copy_from_user(&u.viafb_setting,

			argp, sizeof(viafb_setting)))

			argp, sizeof(u.viafb_setting)))

			return -EFAULT;

			return -EFAULT;

		if (apply_device_setting(viafb_setting, info) < 0)

		if (apply_device_setting(u.viafb_setting, info) < 0)

			return -EINVAL;

			return -EINVAL;





		break;

		break;





	case VIAFB_SET_SECOND_MODE:

	case VIAFB_SET_SECOND_MODE:

		if (copy_from_user(&sec_var, argp, sizeof(sec_var)))

		if (copy_from_user(&u.sec_var, argp, sizeof(u.sec_var)))

			return -EFAULT;

			return -EFAULT;

		apply_second_mode_setting(&sec_var);

		apply_second_mode_setting(&u.sec_var);

		break;

		break;





	case VIAFB_GET_DEVICE_INFO:

	case VIAFB_GET_DEVICE_INFO:





		retrieve_device_setting(&viafb_setting);

		retrieve_device_setting(&u.viafb_setting);





		if (copy_to_user(argp, &viafb_setting, sizeof(viafb_setting)))

		if (copy_to_user(argp, &u.viafb_setting,

				 sizeof(u.viafb_setting)))

			return -EFAULT;

			return -EFAULT;





		break;

		break;
@@ -806,51 +809,51 @@ static int viafb_ioctl(struct fb_info *info, u_int cmd, u_long arg) 
		break;

		break;





	case VIAFB_GET_PANEL_MAX_SIZE:

	case VIAFB_GET_PANEL_MAX_SIZE:

		if (copy_from_user

		if (copy_from_user(&u.panel_pos_size_para, argp,

		    (&panel_pos_size_para, argp, sizeof(panel_pos_size_para)))

				   sizeof(u.panel_pos_size_para)))

			return -EFAULT;

			return -EFAULT;

		panel_pos_size_para.x = panel_pos_size_para.y = 0;

		u.panel_pos_size_para.x = u.panel_pos_size_para.y = 0;

		if (copy_to_user(argp, &panel_pos_size_para,

		if (copy_to_user(argp, &u.panel_pos_size_para,

		     sizeof(panel_pos_size_para)))

		     sizeof(u.panel_pos_size_para)))

			return -EFAULT;

			return -EFAULT;

		break;

		break;

	case VIAFB_GET_PANEL_MAX_POSITION:

	case VIAFB_GET_PANEL_MAX_POSITION:

		if (copy_from_user

		if (copy_from_user(&u.panel_pos_size_para, argp,

		    (&panel_pos_size_para, argp, sizeof(panel_pos_size_para)))

				   sizeof(u.panel_pos_size_para)))

			return -EFAULT;

			return -EFAULT;

		panel_pos_size_para.x = panel_pos_size_para.y = 0;

		u.panel_pos_size_para.x = u.panel_pos_size_para.y = 0;

		if (copy_to_user(argp, &panel_pos_size_para,

		if (copy_to_user(argp, &u.panel_pos_size_para,

		     sizeof(panel_pos_size_para)))

				 sizeof(u.panel_pos_size_para)))

			return -EFAULT;

			return -EFAULT;

		break;

		break;





	case VIAFB_GET_PANEL_POSITION:

	case VIAFB_GET_PANEL_POSITION:

		if (copy_from_user

		if (copy_from_user(&u.panel_pos_size_para, argp,

		    (&panel_pos_size_para, argp, sizeof(panel_pos_size_para)))

				   sizeof(u.panel_pos_size_para)))

			return -EFAULT;

			return -EFAULT;

		panel_pos_size_para.x = panel_pos_size_para.y = 0;

		u.panel_pos_size_para.x = u.panel_pos_size_para.y = 0;

		if (copy_to_user(argp, &panel_pos_size_para,

		if (copy_to_user(argp, &u.panel_pos_size_para,

		     sizeof(panel_pos_size_para)))

				 sizeof(u.panel_pos_size_para)))

			return -EFAULT;

			return -EFAULT;

		break;

		break;

	case VIAFB_GET_PANEL_SIZE:

	case VIAFB_GET_PANEL_SIZE:

		if (copy_from_user

		if (copy_from_user(&u.panel_pos_size_para, argp,

		    (&panel_pos_size_para, argp, sizeof(panel_pos_size_para)))

				   sizeof(u.panel_pos_size_para)))

			return -EFAULT;

			return -EFAULT;

		panel_pos_size_para.x = panel_pos_size_para.y = 0;

		u.panel_pos_size_para.x = u.panel_pos_size_para.y = 0;

		if (copy_to_user(argp, &panel_pos_size_para,

		if (copy_to_user(argp, &u.panel_pos_size_para,

		     sizeof(panel_pos_size_para)))

				 sizeof(u.panel_pos_size_para)))

			return -EFAULT;

			return -EFAULT;

		break;

		break;





	case VIAFB_SET_PANEL_POSITION:

	case VIAFB_SET_PANEL_POSITION:

		if (copy_from_user

		if (copy_from_user(&u.panel_pos_size_para, argp,

		    (&panel_pos_size_para, argp, sizeof(panel_pos_size_para)))

				   sizeof(u.panel_pos_size_para)))

			return -EFAULT;

			return -EFAULT;

		break;

		break;

	case VIAFB_SET_PANEL_SIZE:

	case VIAFB_SET_PANEL_SIZE:

		if (copy_from_user

		if (copy_from_user(&u.panel_pos_size_para, argp,

		    (&panel_pos_size_para, argp, sizeof(panel_pos_size_para)))

				   sizeof(u.panel_pos_size_para)))

			return -EFAULT;

			return -EFAULT;

		break;

		break;
@@ -1052,10 +1055,8 @@ static void viafb_imageblit(struct fb_info *info, 




static int viafb_cursor(struct fb_info *info, struct fb_cursor *cursor)

static int viafb_cursor(struct fb_info *info, struct fb_cursor *cursor)

{

{

	u8 data[CURSOR_SIZE / 8];

	u32 data_bak[CURSOR_SIZE / 32];

	u32 temp, xx, yy, bg_col = 0, fg_col = 0;

	u32 temp, xx, yy, bg_col = 0, fg_col = 0;

	int size, i, j = 0;

	int i, j = 0;

	static int hw_cursor;

	static int hw_cursor;

	struct viafb_par *p_viafb_par;

	struct viafb_par *p_viafb_par;
@@ -1178,22 +1179,29 @@ static int viafb_cursor(struct fb_info *info, struct fb_cursor *cursor) 
	}

	}





	if (cursor->set & FB_CUR_SETSHAPE) {

	if (cursor->set & FB_CUR_SETSHAPE) {

		size =

		struct {

			u8 data[CURSOR_SIZE / 8];

			u32 bak[CURSOR_SIZE / 32];

		} *cr_data = kzalloc(sizeof(*cr_data), GFP_ATOMIC);

		int size =

		    ((viacursor.image.width + 7) >> 3) *

		    ((viacursor.image.width + 7) >> 3) *

		    viacursor.image.height;

		    viacursor.image.height;





		if (cr_data == NULL)

			goto out;



		if (MAX_CURS == 32) {

		if (MAX_CURS == 32) {

			for (i = 0; i < (CURSOR_SIZE / 32); i++) {

			for (i = 0; i < (CURSOR_SIZE / 32); i++) {

				data_bak[i] = 0x0;

				cr_data->bak[i] = 0x0;

				data_bak[i + 1] = 0xFFFFFFFF;

				cr_data->bak[i + 1] = 0xFFFFFFFF;

				i += 1;

				i += 1;

			}

			}

		} else if (MAX_CURS == 64) {

		} else if (MAX_CURS == 64) {

			for (i = 0; i < (CURSOR_SIZE / 32); i++) {

			for (i = 0; i < (CURSOR_SIZE / 32); i++) {

				data_bak[i] = 0x0;

				cr_data->bak[i] = 0x0;

				data_bak[i + 1] = 0x0;

				cr_data->bak[i + 1] = 0x0;

				data_bak[i + 2] = 0xFFFFFFFF;

				cr_data->bak[i + 2] = 0xFFFFFFFF;

				data_bak[i + 3] = 0xFFFFFFFF;

				cr_data->bak[i + 3] = 0xFFFFFFFF;

				i += 3;

				i += 3;

			}

			}

		}

		}
@@ -1201,12 +1209,12 @@ static int viafb_cursor(struct fb_info *info, struct fb_cursor *cursor) 
		switch (viacursor.rop) {

		switch (viacursor.rop) {

		case ROP_XOR:

		case ROP_XOR:

			for (i = 0; i < size; i++)

			for (i = 0; i < size; i++)

				data[i] = viacursor.mask[i];

				cr_data->data[i] = viacursor.mask[i];

			break;

			break;

		case ROP_COPY:

		case ROP_COPY:





			for (i = 0; i < size; i++)

			for (i = 0; i < size; i++)

				data[i] = viacursor.mask[i];

				cr_data->data[i] = viacursor.mask[i];

			break;

			break;

		default:

		default:

			break;

			break;
@@ -1214,23 +1222,25 @@ static int viafb_cursor(struct fb_info *info, struct fb_cursor *cursor) 




		if (MAX_CURS == 32) {

		if (MAX_CURS == 32) {

			for (i = 0; i < size; i++) {

			for (i = 0; i < size; i++) {

				data_bak[j] = (u32) data[i];

				cr_data->bak[j] = (u32) cr_data->data[i];

				data_bak[j + 1] = ~data_bak[j];

				cr_data->bak[j + 1] = ~cr_data->bak[j];

				j += 2;

				j += 2;

			}

			}

		} else if (MAX_CURS == 64) {

		} else if (MAX_CURS == 64) {

			for (i = 0; i < size; i++) {

			for (i = 0; i < size; i++) {

				data_bak[j] = (u32) data[i];

				cr_data->bak[j] = (u32) cr_data->data[i];

				data_bak[j + 1] = 0x0;

				cr_data->bak[j + 1] = 0x0;

				data_bak[j + 2] = ~data_bak[j];

				cr_data->bak[j + 2] = ~cr_data->bak[j];

				data_bak[j + 3] = ~data_bak[j + 1];

				cr_data->bak[j + 3] = ~cr_data->bak[j + 1];

				j += 4;

				j += 4;

			}

			}

		}

		}





		memcpy(((struct viafb_par *)(info->par))->fbmem_virt +

		memcpy(((struct viafb_par *)(info->par))->fbmem_virt +

		       ((struct viafb_par *)(info->par))->cursor_start,

		       ((struct viafb_par *)(info->par))->cursor_start,

		       data_bak, CURSOR_SIZE);

		       cr_data->bak, CURSOR_SIZE);

out:

		kfree(cr_data);

	}

	}





	if (viacursor.enable)

	if (viacursor.enable)