drm/msm/sde: Modify event notifier size to overcome out of bounds errors (acbe4e22) · Commits · e / devices / android_kernel_xiaomi_nabu

drivers/gpu/drm/msm/msm_drv.c

+3 −2

Original line number	Original line	Diff line number	Diff line
	@@ -1463,7 +1463,7 @@ void msm_mode_object_event_notify(struct drm_mode_object *obj,
	if (node->event.type != event->type \|\|		if (node->event.type != event->type \|\|
	obj->id != node->info.object_id)		obj->id != node->info.object_id)
	continue;		continue;
	len = event->length + sizeof(struct drm_msm_event_resp);		len = event->length + sizeof(struct msm_drm_event);
	if (node->base.file_priv->event_space < len) {		if (node->base.file_priv->event_space < len) {
	DRM_ERROR("Insufficient space %d for event %x len %d\n",		DRM_ERROR("Insufficient space %d for event %x len %d\n",
	node->base.file_priv->event_space, event->type,		node->base.file_priv->event_space, event->type,
	@@ -1477,7 +1477,8 @@ void msm_mode_object_event_notify(struct drm_mode_object *obj,
	notify->base.event = &notify->event;		notify->base.event = &notify->event;
	notify->base.pid = node->base.pid;		notify->base.pid = node->base.pid;
	notify->event.type = node->event.type;		notify->event.type = node->event.type;
	notify->event.length = len;		notify->event.length = event->length +
			sizeof(struct drm_msm_event_resp);
	memcpy(&notify->info, &node->info, sizeof(notify->info));		memcpy(&notify->info, &node->info, sizeof(notify->info));
	memcpy(notify->data, payload, event->length);		memcpy(notify->data, payload, event->length);
	ret = drm_event_reserve_init_locked(dev, node->base.file_priv,		ret = drm_event_reserve_init_locked(dev, node->base.file_priv,