From patchwork Mon Jul 9 05:23:23 2012
X-Patchwork-Submitter: Inki Dae
X-Patchwork-Id: 1170881
From: Inki Dae
To: airlied@linux.ie, dri-devel@lists.freedesktop.org
Cc: Inki Dae, kyungmin.park@samsung.com, sw0312.kim@samsung.com
Subject: [PATCH v2] drm/exynos: check if framebuffer and gem size are valid or not.
Date: Mon, 09 Jul 2012 14:23:23 +0900
Message-id: <1341811403-4642-1-git-send-email-inki.dae@samsung.com>
In-reply-to: <1340956976-3698-5-git-send-email-inki.dae@samsung.com>
References: <1340956976-3698-5-git-send-email-inki.dae@samsung.com>

With addfb request by user, wrong framebuffer or gem size could be sent to kernel side, so this could induce invalid memory access by DMA of a device. This patch checks if framebuffer and gem size are valid or not to avoid this issue.

Changelog v2:
use fb->pitches instead of calculating it with fb->width and fb->bpp as line size.

Signed-off-by: Inki Dae
Signed-off-by: Kyungmin Park --- drivers/gpu/drm/exynos/exynos_drm_fb.c | 47 ++++++++++++++++++++++++++++++- 1 files changed, 45 insertions(+), 2 deletions(-) diff --git a/drivers/gpu/drm/exynos/exynos_drm_fb.c b/drivers/gpu/drm/exynos/exynos_drm_fb.c index 4ccfe43..f1b1008 100644 --- a/drivers/gpu/drm/exynos/exynos_drm_fb.c +++ b/drivers/gpu/drm/exynos/exynos_drm_fb.c @@ -48,6 +48,44 @@ struct exynos_drm_fb { struct exynos_drm_gem_obj *exynos_gem_obj[MAX_FB_BUFFER]; }; +static int check_fb_gem_size(struct drm_device *drm_dev, + struct drm_framebuffer *fb, + unsigned int nr) +{ + unsigned long fb_size; + struct drm_gem_object *obj; + struct exynos_drm_gem_obj *exynos_gem_obj; + struct exynos_drm_fb *exynos_fb = to_exynos_fb(fb); + + /* in case of RGB format, only one plane is used. */ + if (nr < 2) { + exynos_gem_obj = exynos_fb->exynos_gem_obj[0]; + obj = &exynos_gem_obj->base; + fb_size = fb->pitches[0] * fb->height; + + if (fb_size != exynos_gem_obj->packed_size) { + DRM_ERROR("invalid fb or gem size.\n"); + return -EINVAL; + } + /* in case of NV12MT, YUV420M and so on, two and three planes. */ + } else { + unsigned int i; + + for (i = 0; i < nr; i++) { + exynos_gem_obj = exynos_fb->exynos_gem_obj[i]; + obj = &exynos_gem_obj->base; + fb_size = fb->pitches[i] * fb->height; + + if (fb_size != exynos_gem_obj->packed_size) { + DRM_ERROR("invalid fb or gem size.\n"); + return -EINVAL; + } + } + } + + return 0; +} + static void exynos_drm_fb_destroy(struct drm_framebuffer *fb) { struct exynos_drm_fb *exynos_fb = to_exynos_fb(fb); @@ -134,8 +172,7 @@ exynos_user_fb_create(struct drm_device *dev, struct drm_file *file_priv, struct drm_gem_object *obj; struct drm_framebuffer *fb; struct exynos_drm_fb *exynos_fb; - int nr; - int i; + int nr, i, ret; DRM_DEBUG_KMS("%s\n", __FILE__); 
@@ -166,6 +203,12 @@ exynos_user_fb_create(struct drm_device *dev, struct drm_file *file_priv, exynos_fb->exynos_gem_obj[i] = to_exynos_gem_obj(obj); } + ret = check_fb_gem_size(dev, fb, nr); + if (ret < 0) { + exynos_drm_fb_destroy(fb); + return ERR_PTR(ret); + } + return fb; }
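Review bot: in check_fb_gem_size() (hunk @@ -48,6 +48,44 @@), the product `fb->pitches[i] * fb->height` is built from two values that come from the addfb caller, and if both operands are 32-bit the multiplication wraps before the result is stored in `unsigned long fb_size`, so an oversized pitch and height can wrap to a value that still equals `packed_size`. Do the multiplication in a 64-bit type (on a 32-bit build `unsigned long` is no wider than the operands) or reject the request when the product overflows. The same expression uses the full `fb->height` for every plane while the comment names NV12MT and YUV420M; if the chroma planes carry fewer rows, the exact `!=` comparison rejects valid buffers, so a per-plane height and a "framebuffer larger than GEM object" test may be what is intended. Smaller points: the `nr < 2` branch is the loop body with i = 0 and can be folded into the loop, `obj` is assigned but never read, and `drm_dev` is never used.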
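Review bot: in exynos_user_fb_create() (hunk @@ -166,6 +203,12 @@), the new failure path depends on `exynos_drm_fb_destroy(fb)` undoing everything done before the check; please confirm it also releases any references held on the GEM objects stored in `exynos_fb->exynos_gem_obj[i]` just above, otherwise each rejected addfb request leaks them, and that path is driven from user space. The check also runs only after the framebuffer has been fully set up, so validating the sizes as each object is looked up would keep the error path shorter. Finally, `nr` is declared `int` here (hunk @@ -134,8 +172,7 @@) but check_fb_gem_size() takes `unsigned int nr`; make the types agree so a negative count cannot become a large loop bound.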