Hi, > -----Original Message----- > From: Intel-gfx <[email protected]> On Behalf Of > Thomas Zimmermann > Sent: Monday, 1 June 2026 20.27 > To: Jani Nikula <[email protected]>; Dave Airlie > <[email protected]>; Simona Vetter <[email protected]> > Cc: Joonas Lahtinen <[email protected]>; Tvrtko Ursulin > <[email protected]>; Vivi, Rodrigo <[email protected]>; Maarten > Lankhorst <[email protected]>; Maxime Ripard > <[email protected]>; Brost, Matthew <[email protected]>; Thomas > Hellström <[email protected]>; Oded Gabbay > <[email protected]>; [email protected]; intel- > [email protected]; [email protected]; dim- > [email protected] > Subject: Re: [PULL] drm-misc-fixes > > Hi > > Am 01.06.26 um 17:49 schrieb Jani Nikula: > > On Mon, 01 Jun 2026, Jani Nikula <[email protected]> wrote: > >> On Mon, 01 Jun 2026, Jani Nikula <[email protected]> wrote: > >>> On Fri, 29 May 2026, Thomas Zimmermann <[email protected]> > wrote: > >>>> Rajat Gupta (1): > >>>> drm: prevent integer overflows in dumb buffer creation > >>>> helpers > >>> Looks like this commit 5ab62dd3687b ("drm: prevent integer overflows > >>> in dumb buffer creation helpers") regressed in our CI, awaiting > >>> confirmation. > > That CI report is where?
See eg. https://intel-gfx-ci.01.org/tree/drm-tip/index.html?testfilter=kms_big that is https://gitlab.freedesktop.org/drm/i915/kernel/-/issues/16308 and second one: https://intel-gfx-ci.01.org/tree/drm-tip/igt@[email protected] that is https://gitlab.freedesktop.org/drm/i915/kernel/-/issues/16296 there is also comment from Chaitanya now already "issue is not seen after reverting and test "igt@vgem_basic@create" is passing commit 5ab62dd3687bcc2cc542b99385aabac5c996db6f Author: Rajat Gupta <[email protected]> Date: Wed May 20 22:11:21 2026 -0700 drm: prevent integer overflows in dumb buffer creation helpers" Br Jani > >> The IGT test kms_big_fb uses max width and height from GetResources, > >> and > >> i915 and xe use max_width 16384 and max_height 16384 in mode config. > >> > >> The regressing commit adds random hard limits not based on anything: > >> > >> + /* Reject unreasonable inputs early. Dumb buffers are for software > >> + * rendering; nothing legitimate needs more than 8192x8192 at > 32bpp. > >> + * This prevents overflows in downstream alignment helpers. > >> + */ > >> + if (args->width >= 8192 || args->height >= 8192 || args->bpp > 32) > >> + return -EINVAL; > >> > >> This is now in v7.1-rc6. Please revert ASAP. > > Ah, missed this clue in the pull request: > > > > On Fri, 29 May 2026, Thomas Zimmermann <[email protected]> > wrote: > >> here is this week's PR from drm-misc-fixes. There's one cross-subsys > >> commit to the dma-buf code. Commit 5ab62dd3687b ("drm: prevent > >> integer overflows in dumb buffer creation helpers") has not Link tag > >> because it went through the security list. > > We have the whole review and CI processes in place to catch silly > > mistakes, and then we proceed to shoot ourselves in the foot and > > bypass all of that because "security", and expedite the regressions > > everywhere. I'll bet this will be in stable kernels in no time too. > > This is stupid. > > Indeed. But that's how this fix got in. > > It fixes a possible overflow elsewhere and using dumb buffers with higher > values that given here is questionable. Instead of outright reverting this, > let's > first look what actually broke. > > Best regards > Thomas > > > > > Please also read [1] with its recent updates. > > > > > > BR, > > Jani. > > > > > > [1] > > https://docs.kernel.org/process/security-bugs.html#what-qualifies-as-a > > -security-bug > > > > > >> > >> BR, > >> Jani. > >> > >> > >>> No matter what, it's immediately suspect because AFAICT it was not > >>> posted on the lists, and the commit doesn't have a Link: trailer > >>> pointing at the patch. > >>> > >>> This is not how we're supposed to roll. What's going on? > >>> > >>> > >>> BR, > >>> Jani. > > -- > -- > Thomas Zimmermann > Graphics Driver Developer > SUSE Software Solutions Germany GmbH > Frankenstr. 146, 90461 Nürnberg, Germany, www.suse.com > GF: Jochen Jaser, Andrew McDonald, Werner Knoblich, (HRB 36809, AG > Nürnberg) >
