In the Linux kernel, the following vulnerability has been resolved:
drm/fbdev-dma: Only set smem_start if enabled per module option
Only export struct fb_info.fix.smem_start if that is required by the user and the memory does not come from vmalloc().
Setting struct fb_info.fix.smem_start breaks systems where DMA memory is backed by vmalloc address space. An example error is shown below.
[ 3.536043] ------------[ cut here ]------------
[ 3.540716] virt_to_phys used for non-linear address: 000000007fc4f540 (0xffff800086001000)
[ 3.552628] WARNING: CPU: 4 PID: 61 at arch/arm64/mm/physaddr.c:12 __virt_to_phys+0x68/0x98
[ 3.565455] Modules linked in:
[ 3.568525] CPU: 4 PID: 61 Comm: kworker/u12:5 Not tainted 6.6.23-06226-g4986cc3e1b75-dirty #250
[ 3.577310] Hardware name: NXP i.MX95 19X19 board (DT)
[ 3.582452] Workqueue: events_unbound deferred_probe_work_func
[ 3.588291] pstate: 60400009 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[ 3.595233] pc : __virt_to_phys+0x68/0x98
[ 3.599246] lr : __virt_to_phys+0x68/0x98
[ 3.603276] sp : ffff800083603990
[ 3.677939] Call trace:
[ 3.680393]  __virt_to_phys+0x68/0x98
[ 3.684067]  drm_fbdev_dma_helper_fb_probe+0x138/0x238
[ 3.689214]  __drm_fb_helper_initial_config_and_unlock+0x2b0/0x4c0
[ 3.695385]  drm_fb_helper_initial_config+0x4c/0x68
[ 3.700264]  drm_fbdev_dma_client_hotplug+0x8c/0xe0
[ 3.705161]  drm_client_register+0x60/0xb0
[ 3.709269]  drm_fbdev_dma_setup+0x94/0x148
Additionally, DMA memory is assumed to be contiguous in physical address space, which is not guaranteed by vmalloc().
Resolve this by checking the module flag drm_leak_fbdev_smem when DRM allocated the instance of struct fb_info. Fbdev-dma then sets smem_start only if required (via FBINFO_HIDE_SMEM_START). Also guarantee that the framebuffer is not located in vmalloc address space.