[PATCH] drm/komeda: fix integer overflow in AFBC framebuffer size check

Alexander Konyukhov posted 1 patch 4 days, 15 hours ago
drivers/gpu/drm/arm/display/komeda/komeda_framebuffer.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
Posted by Alexander Konyukhov 4 days, 15 hours ago
The AFBC framebuffer size validation calculates the minimum required
buffer size by adding the AFBC payload size to the framebuffer offset.
This addition is performed without checking for integer overflow.

If the addition overflows, the size check may incorrectly succeed and
allow userspace to provide an undersized drm_gem_object, potentially
leading to out-of-bounds memory access.

Add usage of check_add_overflow() to safely compute the minimum
required size and reject the framebuffer if an overflow is detected.
This makes the AFBC size validation more robust against malformed.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Fixes: 65ad2392dd6d ("drm/komeda: Added AFBC support for komeda driver")
Signed-off-by: Alexander Konyukhov <Alexander.Konyukhov@kaspersky.com>
---
 drivers/gpu/drm/arm/display/komeda/komeda_framebuffer.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/drivers/gpu/drm/arm/display/komeda/komeda_framebuffer.c b/drivers/gpu/drm/arm/display/komeda/komeda_framebuffer.c
index 3ca461eb0a24..3cb34d03f7f8 100644
--- a/drivers/gpu/drm/arm/display/komeda/komeda_framebuffer.c
+++ b/drivers/gpu/drm/arm/display/komeda/komeda_framebuffer.c
@@ -4,6 +4,8 @@
  * Author: James.Qian.Wang <james.qian.wang@arm.com>
  *
  */
+#include <linux/overflow.h>
+
 #include <drm/drm_device.h>
 #include <drm/drm_fb_dma_helper.h>
 #include <drm/drm_gem.h>
@@ -93,7 +95,9 @@ komeda_fb_afbc_size_check(struct komeda_fb *kfb, struct drm_file *file,
 	kfb->afbc_size = kfb->offset_payload + n_blocks *
 			 ALIGN(bpp * AFBC_SUPERBLK_PIXELS / 8,
 			       AFBC_SUPERBLK_ALIGNMENT);
-	min_size = kfb->afbc_size + fb->offsets[0];
+	if (check_add_overflow(kfb->afbc_size, fb->offsets[0], &min_size)) {
+		goto check_failed;
+	}
 	if (min_size > obj->size) {
 		DRM_DEBUG_KMS("afbc size check failed, obj_size: 0x%zx. min_size 0x%llx.\n",
 			      obj->size, min_size);
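Review bot: with `min_size` declared as u64 (as Brian notes below), the new `check_add_overflow(kfb->afbc_size, fb->offsets[0], &min_size)` can never return true, so the `goto check_failed` branch is dead code: the builtin behind check_add_overflow() computes the sum at full precision and reports overflow only when the result does not fit the destination type, and u32 + u32 always fits in u64. The hunk still fixes the reported bug, but for a different reason than the commit message states: the builtin stores the unwrapped 64-bit sum in `min_size`, whereas the removed `min_size = kfb->afbc_size + fb->offsets[0];` performed the addition in 32 bits and widened the already-wrapped result, so a crafted `offsets[0]` could make `min_size` tiny and pass the `min_size > obj->size` comparison. Consider stating that intent directly with `min_size = (u64)kfb->afbc_size + fb->offsets[0];`, or, if the helper is kept, reword the commit message ("compute the sum in 64 bits" rather than "reject if an overflow is detected") and drop the braces around the single-statement `if` body per kernel coding style. The `check_failed` label targeted by the goto is outside the hunk and is assumed to exist in the function.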
-- 
2.43.0
Re: [PATCH] drm/komeda: fix integer overflow in AFBC framebuffer size check
Posted by Brian Starkey 4 days, 7 hours ago
Hi Alexander,

On Tue, Feb 03, 2026 at 04:48:46PM +0000, Alexander Konyukhov wrote:
> The AFBC framebuffer size validation calculates the minimum required
> buffer size by adding the AFBC payload size to the framebuffer offset.
> This addition is performed without checking for integer overflow.
> 
> If the addition overflows, the size check may incorrectly succeed and
> allow userspace to provide an undersized drm_gem_object, potentially
> leading to out-of-bounds memory access.
> 
> Add usage of check_add_overflow() to safely compute the minimum
> required size and reject the framebuffer if an overflow is detected.
> This makes the AFBC size validation more robust against malformed.
> 
> Found by Linux Verification Center (linuxtesting.org) with SVACE.
> 
> Fixes: 65ad2392dd6d ("drm/komeda: Added AFBC support for komeda driver")
> Signed-off-by: Alexander Konyukhov <Alexander.Konyukhov@kaspersky.com>
> ---
>  drivers/gpu/drm/arm/display/komeda/komeda_framebuffer.c | 6 +++++-
>  1 file changed, 5 insertions(+), 1 deletion(-)
> 
> diff --git a/drivers/gpu/drm/arm/display/komeda/komeda_framebuffer.c b/drivers/gpu/drm/arm/display/komeda/komeda_framebuffer.c
> index 3ca461eb0a24..3cb34d03f7f8 100644
> --- a/drivers/gpu/drm/arm/display/komeda/komeda_framebuffer.c
> +++ b/drivers/gpu/drm/arm/display/komeda/komeda_framebuffer.c
> @@ -4,6 +4,8 @@
>   * Author: James.Qian.Wang <james.qian.wang@arm.com>
>   *
>   */
> +#include <linux/overflow.h>
> +
>  #include <drm/drm_device.h>
>  #include <drm/drm_fb_dma_helper.h>
>  #include <drm/drm_gem.h>
> @@ -93,7 +95,9 @@ komeda_fb_afbc_size_check(struct komeda_fb *kfb, struct drm_file *file,
>  	kfb->afbc_size = kfb->offset_payload + n_blocks *
>  			 ALIGN(bpp * AFBC_SUPERBLK_PIXELS / 8,
>  			       AFBC_SUPERBLK_ALIGNMENT);
> -	min_size = kfb->afbc_size + fb->offsets[0];

Can this really overflow? Is the concern a hypothetical ILP64
situation?

min_size is u64, kfb->afbc_size is u32, and fb->offsets[0] is unsigned
int.

Thanks,
-Brian

> +	if (check_add_overflow(kfb->afbc_size, fb->offsets[0], &min_size)) {
> +		goto check_failed;
> +	}
>  	if (min_size > obj->size) {
>  		DRM_DEBUG_KMS("afbc size check failed, obj_size: 0x%zx. min_size 0x%llx.\n",
>  			      obj->size, min_size);
> -- 
> 2.43.0
>
Re: [PATCH] drm/komeda: fix integer overflow in AFBC framebuffer size check
Posted by Liviu Dudau 3 days, 16 hours ago
On Tue, Feb 03, 2026 at 09:43:12PM +0000, Brian Starkey wrote:
> Hi Alexander,
> 
> On Tue, Feb 03, 2026 at 04:48:46PM +0000, Alexander Konyukhov wrote:
> > The AFBC framebuffer size validation calculates the minimum required
> > buffer size by adding the AFBC payload size to the framebuffer offset.
> > This addition is performed without checking for integer overflow.
> > 
> > If the addition overflows, the size check may incorrectly succeed and
> > allow userspace to provide an undersized drm_gem_object, potentially
> > leading to out-of-bounds memory access.
> > 
> > Add usage of check_add_overflow() to safely compute the minimum
> > required size and reject the framebuffer if an overflow is detected.
> > This makes the AFBC size validation more robust against malformed.
> > 
> > Found by Linux Verification Center (linuxtesting.org) with SVACE.
> > 
> > Fixes: 65ad2392dd6d ("drm/komeda: Added AFBC support for komeda driver")
> > Signed-off-by: Alexander Konyukhov <Alexander.Konyukhov@kaspersky.com>
> > ---
> >  drivers/gpu/drm/arm/display/komeda/komeda_framebuffer.c | 6 +++++-
> >  1 file changed, 5 insertions(+), 1 deletion(-)
> > 
> > diff --git a/drivers/gpu/drm/arm/display/komeda/komeda_framebuffer.c b/drivers/gpu/drm/arm/display/komeda/komeda_framebuffer.c
> > index 3ca461eb0a24..3cb34d03f7f8 100644
> > --- a/drivers/gpu/drm/arm/display/komeda/komeda_framebuffer.c
> > +++ b/drivers/gpu/drm/arm/display/komeda/komeda_framebuffer.c
> > @@ -4,6 +4,8 @@
> >   * Author: James.Qian.Wang <james.qian.wang@arm.com>
> >   *
> >   */
> > +#include <linux/overflow.h>
> > +
> >  #include <drm/drm_device.h>
> >  #include <drm/drm_fb_dma_helper.h>
> >  #include <drm/drm_gem.h>
> > @@ -93,7 +95,9 @@ komeda_fb_afbc_size_check(struct komeda_fb *kfb, struct drm_file *file,
> >  	kfb->afbc_size = kfb->offset_payload + n_blocks *
> >  			 ALIGN(bpp * AFBC_SUPERBLK_PIXELS / 8,
> >  			       AFBC_SUPERBLK_ALIGNMENT);
> > -	min_size = kfb->afbc_size + fb->offsets[0];
> 
> Can this really overflow? Is the concern a hypothetical ILP64
> situation?
> 
> min_size is u64, kfb->afbc_size is u32, and fb->offsets[0] is unsigned
> int.

Yeah, I was thinking the same thing yesterday at the end of the work day when I looked
at the patch. I don't think following the call flow you can end up with an overflow.

Best regards,
Liviu

> 
> Thanks,
> -Brian
> 
> > +	if (check_add_overflow(kfb->afbc_size, fb->offsets[0], &min_size)) {
> > +		goto check_failed;
> > +	}
> >  	if (min_size > obj->size) {
> >  		DRM_DEBUG_KMS("afbc size check failed, obj_size: 0x%zx. min_size 0x%llx.\n",
> >  			      obj->size, min_size);
> > -- 
> > 2.43.0
> >
RE: [PATCH] drm/komeda: fix integer overflow in AFBC framebuffer size check
Posted by Alexander Konyukhov 3 days, 14 hours ago
Thank you for the replies.

According to ISO 9899 6.3.1 both operands are first converted to a common type (u32); there are no defined limits on kfb->afbc_size and fb->offsets[0], so min_size can receive an overflowed u32 value.

-----Original Message-----
From: Liviu Dudau <liviu.dudau@arm.com> 
Sent: Wednesday, February 4, 2026 4:25 PM
To: Brian Starkey <brian.starkey@arm.com>
Cc: Alexander Konyukhov <Alexander.Konyukhov@kaspersky.com>; Maarten Lankhorst <maarten.lankhorst@linux.intel.com>; Maxime Ripard <mripard@kernel.org>; Thomas Zimmermann <tzimmermann@suse.de>; David Airlie <airlied@gmail.com>; Simona Vetter <simona@ffwll.ch>; dri-devel@lists.freedesktop.org; linux-kernel@vger.kernel.org; lvc-project@linuxtesting.org; nd@arm.com
Subject: Re: [PATCH] drm/komeda: fix integer overflow in AFBC framebuffer size check

On Tue, Feb 03, 2026 at 09:43:12PM +0000, Brian Starkey wrote:
> Hi Alexander,
>
> On Tue, Feb 03, 2026 at 04:48:46PM +0000, Alexander Konyukhov wrote:
> > The AFBC framebuffer size validation calculates the minimum required 
> > buffer size by adding the AFBC payload size to the framebuffer offset.
> > This addition is performed without checking for integer overflow.
> >
> > If the addition overflows, the size check may incorrectly succeed and 
> > allow userspace to provide an undersized drm_gem_object, potentially 
> > leading to out-of-bounds memory access.
> >
> > Add usage of check_add_overflow() to safely compute the minimum 
> > required size and reject the framebuffer if an overflow is detected.
> > This makes the AFBC size validation more robust against malformed.
> >
> > Found by Linux Verification Center (linuxtesting.org) with SVACE.
> >
> > Fixes: 65ad2392dd6d ("drm/komeda: Added AFBC support for komeda 
> > driver")
> > Signed-off-by: Alexander Konyukhov 
> > <Alexander.Konyukhov@kaspersky.com>
> > ---
> >  drivers/gpu/drm/arm/display/komeda/komeda_framebuffer.c | 6 +++++-
> >  1 file changed, 5 insertions(+), 1 deletion(-)
> >
> > diff --git a/drivers/gpu/drm/arm/display/komeda/komeda_framebuffer.c 
> > b/drivers/gpu/drm/arm/display/komeda/komeda_framebuffer.c
> > index 3ca461eb0a24..3cb34d03f7f8 100644
> > --- a/drivers/gpu/drm/arm/display/komeda/komeda_framebuffer.c
> > +++ b/drivers/gpu/drm/arm/display/komeda/komeda_framebuffer.c
> > @@ -4,6 +4,8 @@
> >   * Author: James.Qian.Wang <james.qian.wang@arm.com>
> >   *
> >   */
> > +#include <linux/overflow.h>
> > +
> >  #include <drm/drm_device.h>
> >  #include <drm/drm_fb_dma_helper.h>
> >  #include <drm/drm_gem.h>
> > @@ -93,7 +95,9 @@ komeda_fb_afbc_size_check(struct komeda_fb *kfb, struct drm_file *file,
> >     kfb->afbc_size = kfb->offset_payload + n_blocks *
> >                      ALIGN(bpp * AFBC_SUPERBLK_PIXELS / 8,
> >                            AFBC_SUPERBLK_ALIGNMENT);
> > -   min_size = kfb->afbc_size + fb->offsets[0];
>
> Can this really overflow? Is the concern a hypothetical ILP64 
> situation?
>
> min_size is u64, kfb->afbc_size is u32, and fb->offsets[0] is unsigned 
> int.

Yeah, I was thinking the same thing yesterday at the end of the work day when I looked at the patch. I don't think following the call flow you can end up with an overflow.

Best regards,
Liviu

>
> Thanks,
> -Brian
>
> > +   if (check_add_overflow(kfb->afbc_size, fb->offsets[0], &min_size)) {
> > +           goto check_failed;
> > +   }
> >     if (min_size > obj->size) {
> >             DRM_DEBUG_KMS("afbc size check failed, obj_size: 0x%zx. min_size 0x%llx.\n",
> >                           obj->size, min_size);
> > --
> > 2.43.0
> >
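The promotion rule Alexander cites above, and the u64 destination Brian and Liviu point to, play out as follows in an added example that is not part of the patch or the kernel tree. It models three forms of the computation with the operand widths named in the thread (afbc_size and offsets[0] as 32-bit unsigned, min_size and obj->size as 64-bit): the original `+`, an explicit `(u64)` widening, and the patch's check_add_overflow(), which in the kernel is a thin wrapper over `__builtin_add_overflow()` and is used here directly. The input values and the `OBJ_SIZE` constant are constructed for the demonstration; none of the function names below exist in komeda.

```c
/*
 * Added example, not code from the komeda patch or the kernel tree.
 * Operand widths follow the thread: afbc_size and offsets[0] are 32-bit
 * unsigned, min_size and obj->size are 64-bit. The kernel's
 * check_add_overflow() wraps __builtin_add_overflow(), used directly here.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

typedef uint32_t u32;
typedef uint64_t u64;

/* Constructed inputs: a 4 KiB AFBC payload and an offsets[0] chosen by
 * userspace so that the 32-bit sum wraps to exactly 0. */
#define AFBC_SIZE  0x1000u
#define BAD_OFFSET 0xFFFFF000u     /* 0x1000 + 0xFFFFF000 == 2^32 */
#define OBJ_SIZE   0x100000ull     /* a 1 MiB GEM object, far too small */

/* Pre-patch arithmetic: both operands are u32, so C11 6.3.1.8 performs
 * the add in 32 bits (wrapping) and only then widens the result to u64. */
u64 min_size_unpatched(u32 afbc_size, u32 offset)
{
	u64 min_size = afbc_size + offset;
	return min_size;
}

/* Widen one operand first; the add is then done in 64 bits. */
u64 min_size_widened(u32 afbc_size, u32 offset)
{
	return (u64)afbc_size + offset;
}

/* The patched form. __builtin_add_overflow() evaluates the sum at full
 * precision, stores it (truncated if needed) into *dst and returns true
 * only if the value did not fit the type of *dst. */
bool add_overflows_u64(u32 a, u32 b, u64 *dst)
{
	return __builtin_add_overflow(a, b, dst);
}

/* Same builtin with a u32 destination: the case in which the overflow
 * flag can actually be set for two u32 operands. */
bool add_overflows_u32(u32 a, u32 b, u32 *dst)
{
	return __builtin_add_overflow(a, b, dst);
}

/* The validation as komeda_fb_afbc_size_check() does it: reject when the
 * required size exceeds the backing object. Returns true on reject. */
bool unpatched_rejects(u32 afbc_size, u32 offset, u64 obj_size)
{
	return min_size_unpatched(afbc_size, offset) > obj_size;
}

bool patched_rejects(u32 afbc_size, u32 offset, u64 obj_size)
{
	u64 min_size;

	if (add_overflows_u64(afbc_size, offset, &min_size))
		return true;            /* the patch's goto check_failed */
	return min_size > obj_size;
}

/* Whether the u64-destination check reports overflow for u32 inputs
 * (it never does: u32 + u32 < 2^33 always fits in u64). */
bool overflow_flag_u64(u32 a, u32 b)
{
	u64 sink;

	return add_overflows_u64(a, b, &sink);
}

bool overflow_flag_u32(u32 a, u32 b)
{
	u32 sink;

	return add_overflows_u32(a, b, &sink);
}

int main(void)
{
	printf("unpatched: min_size=0x%llx rejected=%d\n",
	       (unsigned long long)min_size_unpatched(AFBC_SIZE, BAD_OFFSET),
	       unpatched_rejects(AFBC_SIZE, BAD_OFFSET, OBJ_SIZE));
	printf("widened:   min_size=0x%llx\n",
	       (unsigned long long)min_size_widened(AFBC_SIZE, BAD_OFFSET));
	printf("patched:   overflow_flag=%d rejected=%d\n",
	       overflow_flag_u64(AFBC_SIZE, BAD_OFFSET),
	       patched_rejects(AFBC_SIZE, BAD_OFFSET, OBJ_SIZE));
	return 0;
}
```

Built with gcc or clang, the unpatched path accepts the 1 MiB object because the 32-bit sum wraps to 0, while the widened and patched paths compute 0x100000000 and reject it. Note where the rejection comes from in the patched path: `__builtin_add_overflow()` only reports overflow against the destination type, so with a u64 destination the flag stays clear and the framebuffer is rejected by the size comparison, not by the overflow branch.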
Re: [PATCH] drm/komeda: fix integer overflow in AFBC framebuffer size check
Posted by Liviu Dudau 2 days, 15 hours ago
On Wed, Feb 04, 2026 at 02:56:38PM +0000, Alexander Konyukhov wrote:
> Thank you for the replies.
> 
> According to ISO 9899 6.3.1 both operands are first converted to a common type (u32); there are no defined limits on kfb->afbc_size and fb->offsets[0], so min_size can receive an overflowed u32 value.

Brian has pointed out that just looking at the type of the result is not enough.

Acked-by: Liviu Dudau <liviu.dudau@arm.com>

Will push this into drm-misc-next later today.

Thanks for the fix!

Best regards,
Liviu

> 
> -----Original Message-----
> From: Liviu Dudau <liviu.dudau@arm.com> 
> Sent: Wednesday, February 4, 2026 4:25 PM
> To: Brian Starkey <brian.starkey@arm.com>
> Cc: Alexander Konyukhov <Alexander.Konyukhov@kaspersky.com>; Maarten Lankhorst <maarten.lankhorst@linux.intel.com>; Maxime Ripard <mripard@kernel.org>; Thomas Zimmermann <tzimmermann@suse.de>; David Airlie <airlied@gmail.com>; Simona Vetter <simona@ffwll.ch>; dri-devel@lists.freedesktop.org; linux-kernel@vger.kernel.org; lvc-project@linuxtesting.org; nd@arm.com
> Subject: Re: [PATCH] drm/komeda: fix integer overflow in AFBC framebuffer size check
> 
> On Tue, Feb 03, 2026 at 09:43:12PM +0000, Brian Starkey wrote:
> > Hi Alexander,
> >
> > On Tue, Feb 03, 2026 at 04:48:46PM +0000, Alexander Konyukhov wrote:
> > > The AFBC framebuffer size validation calculates the minimum required 
> > > buffer size by adding the AFBC payload size to the framebuffer offset.
> > > This addition is performed without checking for integer overflow.
> > >
> > > If the addition overflows, the size check may incorrectly succeed and 
> > > allow userspace to provide an undersized drm_gem_object, potentially 
> > > leading to out-of-bounds memory access.
> > >
> > > Add usage of check_add_overflow() to safely compute the minimum 
> > > required size and reject the framebuffer if an overflow is detected.
> > > This makes the AFBC size validation more robust against malformed.
> > >
> > > Found by Linux Verification Center (linuxtesting.org) with SVACE.
> > >
> > > Fixes: 65ad2392dd6d ("drm/komeda: Added AFBC support for komeda 
> > > driver")
> > > Signed-off-by: Alexander Konyukhov 
> > > <Alexander.Konyukhov@kaspersky.com>
> > > ---
> > >  drivers/gpu/drm/arm/display/komeda/komeda_framebuffer.c | 6 +++++-
> > >  1 file changed, 5 insertions(+), 1 deletion(-)
> > >
> > > diff --git a/drivers/gpu/drm/arm/display/komeda/komeda_framebuffer.c 
> > > b/drivers/gpu/drm/arm/display/komeda/komeda_framebuffer.c
> > > index 3ca461eb0a24..3cb34d03f7f8 100644
> > > --- a/drivers/gpu/drm/arm/display/komeda/komeda_framebuffer.c
> > > +++ b/drivers/gpu/drm/arm/display/komeda/komeda_framebuffer.c
> > > @@ -4,6 +4,8 @@
> > >   * Author: James.Qian.Wang <james.qian.wang@arm.com>
> > >   *
> > >   */
> > > +#include <linux/overflow.h>
> > > +
> > >  #include <drm/drm_device.h>
> > >  #include <drm/drm_fb_dma_helper.h>
> > >  #include <drm/drm_gem.h>
> > > @@ -93,7 +95,9 @@ komeda_fb_afbc_size_check(struct komeda_fb *kfb, struct drm_file *file,
> > >     kfb->afbc_size = kfb->offset_payload + n_blocks *
> > >                      ALIGN(bpp * AFBC_SUPERBLK_PIXELS / 8,
> > >                            AFBC_SUPERBLK_ALIGNMENT);
> > > -   min_size = kfb->afbc_size + fb->offsets[0];
> >
> > Can this really overflow? Is the concern a hypothetical ILP64 
> > situation?
> >
> > min_size is u64, kfb->afbc_size is u32, and fb->offsets[0] is unsigned 
> > int.
> 
> Yeah, I was thinking the same thing yesterday at the end of the work day when I looked at the patch. I don't think following the call flow you can end up with an overflow.
> 
> Best regards,
> Liviu
> 
> >
> > Thanks,
> > -Brian
> >
> > > +   if (check_add_overflow(kfb->afbc_size, fb->offsets[0], &min_size)) {
> > > +           goto check_failed;
> > > +   }
> > >     if (min_size > obj->size) {
> > >             DRM_DEBUG_KMS("afbc size check failed, obj_size: 0x%zx. min_size 0x%llx.\n",
> > >                           obj->size, min_size);
> > > --
> > > 2.43.0
> > >
Re: [PATCH] drm/komeda: fix integer overflow in AFBC framebuffer size check
Posted by Brian Starkey 3 days, 13 hours ago
On Wed, Feb 04, 2026 at 02:56:38PM +0000, Alexander Konyukhov wrote:
> Thank you for the replies.
> 
> According to ISO 9899 6.3.1 both operands are first converted to a common type (u32); there are no defined limits on kfb->afbc_size and fb->offsets[0], so min_size can receive an overflowed u32 value.
> 

Ack, my bad - thanks for the refresher on the promotion rules.

I think afbc_size is indirectly constrained, but offsets[0] may not
be.

-Brian
Re: [PATCH] drm/komeda: fix integer overflow in AFBC framebuffer size check
Posted by Liviu Dudau 3 days, 14 hours ago
On Wed, Feb 04, 2026 at 02:56:38PM +0000, Alexander Konyukhov wrote:
> Thank you for the replies.
> 
> According to ISO 9899 6.3.1 both operands are first converted to a common type (u32); there are no defined limits on kfb->afbc_size and fb->offsets[0], so min_size can receive an overflowed u32 value.

Yes, but according to the komeda_framebuffer.c file, line 48, the min_size is an u64 variable, so it can hold the result of adding two u32 values safely.

Best regards,
Liviu

> 
> -----Original Message-----
> From: Liviu Dudau <liviu.dudau@arm.com> 
> Sent: Wednesday, February 4, 2026 4:25 PM
> To: Brian Starkey <brian.starkey@arm.com>
> Cc: Alexander Konyukhov <Alexander.Konyukhov@kaspersky.com>; Maarten Lankhorst <maarten.lankhorst@linux.intel.com>; Maxime Ripard <mripard@kernel.org>; Thomas Zimmermann <tzimmermann@suse.de>; David Airlie <airlied@gmail.com>; Simona Vetter <simona@ffwll.ch>; dri-devel@lists.freedesktop.org; linux-kernel@vger.kernel.org; lvc-project@linuxtesting.org; nd@arm.com
> Subject: Re: [PATCH] drm/komeda: fix integer overflow in AFBC framebuffer size check
> 
> On Tue, Feb 03, 2026 at 09:43:12PM +0000, Brian Starkey wrote:
> > Hi Alexander,
> >
> > On Tue, Feb 03, 2026 at 04:48:46PM +0000, Alexander Konyukhov wrote:
> > > The AFBC framebuffer size validation calculates the minimum required 
> > > buffer size by adding the AFBC payload size to the framebuffer offset.
> > > This addition is performed without checking for integer overflow.
> > >
> > > If the addition overflows, the size check may incorrectly succeed and 
> > > allow userspace to provide an undersized drm_gem_object, potentially 
> > > leading to out-of-bounds memory access.
> > >
> > > Add usage of check_add_overflow() to safely compute the minimum 
> > > required size and reject the framebuffer if an overflow is detected.
> > > This makes the AFBC size validation more robust against malformed.
> > >
> > > Found by Linux Verification Center (linuxtesting.org) with SVACE.
> > >
> > > Fixes: 65ad2392dd6d ("drm/komeda: Added AFBC support for komeda 
> > > driver")
> > > Signed-off-by: Alexander Konyukhov 
> > > <Alexander.Konyukhov@kaspersky.com>
> > > ---
> > >  drivers/gpu/drm/arm/display/komeda/komeda_framebuffer.c | 6 +++++-
> > >  1 file changed, 5 insertions(+), 1 deletion(-)
> > >
> > > diff --git a/drivers/gpu/drm/arm/display/komeda/komeda_framebuffer.c 
> > > b/drivers/gpu/drm/arm/display/komeda/komeda_framebuffer.c
> > > index 3ca461eb0a24..3cb34d03f7f8 100644
> > > --- a/drivers/gpu/drm/arm/display/komeda/komeda_framebuffer.c
> > > +++ b/drivers/gpu/drm/arm/display/komeda/komeda_framebuffer.c
> > > @@ -4,6 +4,8 @@
> > >   * Author: James.Qian.Wang <james.qian.wang@arm.com>
> > >   *
> > >   */
> > > +#include <linux/overflow.h>
> > > +
> > >  #include <drm/drm_device.h>
> > >  #include <drm/drm_fb_dma_helper.h>
> > >  #include <drm/drm_gem.h>
> > > @@ -93,7 +95,9 @@ komeda_fb_afbc_size_check(struct komeda_fb *kfb, struct drm_file *file,
> > >     kfb->afbc_size = kfb->offset_payload + n_blocks *
> > >                      ALIGN(bpp * AFBC_SUPERBLK_PIXELS / 8,
> > >                            AFBC_SUPERBLK_ALIGNMENT);
> > > -   min_size = kfb->afbc_size + fb->offsets[0];
> >
> > Can this really overflow? Is the concern a hypothetical ILP64 
> > situation?
> >
> > min_size is u64, kfb->afbc_size is u32, and fb->offsets[0] is unsigned 
> > int.
> 
> Yeah, I was thinking the same thing yesterday at the end of the work day when I looked at the patch. I don't think following the call flow you can end up with an overflow.
> 
> Best regards,
> Liviu
> 
> >
> > Thanks,
> > -Brian
> >
> > > +   if (check_add_overflow(kfb->afbc_size, fb->offsets[0], &min_size)) {
> > > +           goto check_failed;
> > > +   }
> > >     if (min_size > obj->size) {
> > >             DRM_DEBUG_KMS("afbc size check failed, obj_size: 0x%zx. min_size 0x%llx.\n",
> > >                           obj->size, min_size);
> > > --
> > > 2.43.0
> > >