
[7/7] drm/msm: validate flags, etc

Message ID 1394470062-27442-8-git-send-email-robdclark@gmail.com (mailing list archive)
State Deferred

Commit Message

Rob Clark March 10, 2014, 4:47 p.m. UTC
After reading a nice article on LWN[1], I went back and double checked
my handling of invalid-input checking.  Turns out there were a couple
places I had missed.

Since the driver is fairly young, and the devices it supports are really
only just barely usable for basic stuff (serial console) with an
upstream kernel, I think we should fix this now and revert specific
parts of this patch later in the unlikely event that a regression is
reported.

[1] https://lwn.net/Articles/588444/

Signed-off-by: Rob Clark <robdclark@gmail.com>
---
 drivers/gpu/drm/msm/msm_drv.c        | 20 +++++++++++++++++++-
 drivers/gpu/drm/msm/msm_gem_submit.c | 15 +++++++++++++--
 include/uapi/drm/msm_drm.h           | 11 +++++++++++
 3 files changed, 43 insertions(+), 3 deletions(-)

Comments

Jordan Crouse March 10, 2014, 8:22 p.m. UTC | #1
On 03/10/2014 10:47 AM, Rob Clark wrote:
> After reading a nice article on LWN[1], I went back and double checked
> my handling of invalid-input checking.  Turns out there were a couple
> places I had missed.
>
> Since the driver is fairly young, and the devices it supports are really
> only just barely usable for basic stuff (serial console) with an
> upstream kernel, I think we should fix this now and revert specific
> parts of this patch later in the unlikely event that a regression is
> reported.
>
> [1] https://lwn.net/Articles/588444/
>
> Signed-off-by: Rob Clark <robdclark@gmail.com>

Acked-by: Jordan Crouse <jcrouse@codeaurora.org>
> ---
>   drivers/gpu/drm/msm/msm_drv.c        | 20 +++++++++++++++++++-
>   drivers/gpu/drm/msm/msm_gem_submit.c | 15 +++++++++++++--
>   include/uapi/drm/msm_drm.h           | 11 +++++++++++
>   3 files changed, 43 insertions(+), 3 deletions(-)
>
> diff --git a/drivers/gpu/drm/msm/msm_drv.c b/drivers/gpu/drm/msm/msm_drv.c
> index 9ffc275..eee8d37 100644
> --- a/drivers/gpu/drm/msm/msm_drv.c
> +++ b/drivers/gpu/drm/msm/msm_drv.c
> @@ -664,6 +664,12 @@ static int msm_ioctl_gem_new(struct drm_device *dev, void *data,
>   		struct drm_file *file)
>   {
>   	struct drm_msm_gem_new *args = data;
> +
> +	if (args->flags & ~MSM_BO_FLAGS) {
> +		DRM_ERROR("invalid flags: %08x\n", args->flags);
> +		return -EINVAL;
> +	}
> +
>   	return msm_gem_new_handle(dev, file, args->size,
>   			args->flags, &args->handle);
>   }
> @@ -677,6 +683,11 @@ static int msm_ioctl_gem_cpu_prep(struct drm_device *dev, void *data,
>   	struct drm_gem_object *obj;
>   	int ret;
>
> +	if (args->op & ~MSM_PREP_FLAGS) {
> +		DRM_ERROR("invalid op: %08x\n", args->op);
> +		return -EINVAL;
> +	}
> +
>   	obj = drm_gem_object_lookup(dev, file, args->handle);
>   	if (!obj)
>   		return -ENOENT;
> @@ -731,7 +742,14 @@ static int msm_ioctl_wait_fence(struct drm_device *dev, void *data,
>   		struct drm_file *file)
>   {
>   	struct drm_msm_wait_fence *args = data;
> -	return msm_wait_fence_interruptable(dev, args->fence, &TS(args->timeout));
> +
> +	if (args->pad) {
> +		DRM_ERROR("invalid pad: %08x\n", args->pad);
> +		return -EINVAL;
> +	}
> +
> +	return msm_wait_fence_interruptable(dev, args->fence,
> +			&TS(args->timeout));
>   }
>
>   static const struct drm_ioctl_desc msm_ioctls[] = {
> diff --git a/drivers/gpu/drm/msm/msm_gem_submit.c b/drivers/gpu/drm/msm/msm_gem_submit.c
> index 5423e91..1f1f4cf 100644
> --- a/drivers/gpu/drm/msm/msm_gem_submit.c
> +++ b/drivers/gpu/drm/msm/msm_gem_submit.c
> @@ -23,7 +23,6 @@
>    * Cmdstream submission:
>    */
>
> -#define BO_INVALID_FLAGS ~(MSM_SUBMIT_BO_READ | MSM_SUBMIT_BO_WRITE)
>   /* make sure these don't conflict w/ MSM_SUBMIT_BO_x */
>   #define BO_VALID    0x8000
>   #define BO_LOCKED   0x4000
> @@ -77,7 +76,7 @@ static int submit_lookup_objects(struct msm_gem_submit *submit,
>   			goto out_unlock;
>   		}
>
> -		if (submit_bo.flags & BO_INVALID_FLAGS) {
> +		if (submit_bo.flags & ~MSM_SUBMIT_BO_FLAGS) {
>   			DRM_ERROR("invalid flags: %x\n", submit_bo.flags);
>   			ret = -EINVAL;
>   			goto out_unlock;
> @@ -369,6 +368,18 @@ int msm_ioctl_gem_submit(struct drm_device *dev, void *data,
>   			goto out;
>   		}
>
> +		/* validate input from userspace: */
> +		switch (submit_cmd.type) {
> +		case MSM_SUBMIT_CMD_BUF:
> +		case MSM_SUBMIT_CMD_IB_TARGET_BUF:
> +		case MSM_SUBMIT_CMD_CTX_RESTORE_BUF:
> +			break;
> +		default:
> +			DRM_ERROR("invalid type: %08x\n", submit_cmd.type);
> +			ret = -EINVAL;
> +			goto out;
> +		}
> +
>   		ret = submit_bo(submit, submit_cmd.submit_idx,
>   				&msm_obj, &iova, NULL);
>   		if (ret)
> diff --git a/include/uapi/drm/msm_drm.h b/include/uapi/drm/msm_drm.h
> index bf91a78..0664c31 100644
> --- a/include/uapi/drm/msm_drm.h
> +++ b/include/uapi/drm/msm_drm.h
> @@ -70,6 +70,12 @@ struct drm_msm_param {
>   #define MSM_BO_WC            0x00020000
>   #define MSM_BO_UNCACHED      0x00040000
>
> +#define MSM_BO_FLAGS         (MSM_BO_SCANOUT | \
> +                              MSM_BO_GPU_READONLY | \
> +                              MSM_BO_CACHED | \
> +                              MSM_BO_WC | \
> +                              MSM_BO_UNCACHED)
> +
>   struct drm_msm_gem_new {
>   	uint64_t size;           /* in */
>   	uint32_t flags;          /* in, mask of MSM_BO_x */
> @@ -86,6 +92,8 @@ struct drm_msm_gem_info {
>   #define MSM_PREP_WRITE       0x02
>   #define MSM_PREP_NOSYNC      0x04
>
> +#define MSM_PREP_FLAGS       (MSM_PREP_READ | MSM_PREP_WRITE | MSM_PREP_NOSYNC)
> +
>   struct drm_msm_gem_cpu_prep {
>   	uint32_t handle;         /* in */
>   	uint32_t op;             /* in, mask of MSM_PREP_x */
> @@ -153,6 +161,9 @@ struct drm_msm_gem_submit_cmd {
>    */
>   #define MSM_SUBMIT_BO_READ             0x0001
>   #define MSM_SUBMIT_BO_WRITE            0x0002
> +
> +#define MSM_SUBMIT_BO_FLAGS            (MSM_SUBMIT_BO_READ | MSM_SUBMIT_BO_WRITE)
> +
>   struct drm_msm_gem_submit_bo {
>   	uint32_t flags;          /* in, mask of MSM_SUBMIT_BO_x */
>   	uint32_t handle;         /* in, GEM handle */
>

Patch

diff --git a/drivers/gpu/drm/msm/msm_drv.c b/drivers/gpu/drm/msm/msm_drv.c
index 9ffc275..eee8d37 100644
--- a/drivers/gpu/drm/msm/msm_drv.c
+++ b/drivers/gpu/drm/msm/msm_drv.c
@@ -664,6 +664,12 @@  static int msm_ioctl_gem_new(struct drm_device *dev, void *data,
 		struct drm_file *file)
 {
 	struct drm_msm_gem_new *args = data;
+
+	if (args->flags & ~MSM_BO_FLAGS) {
+		DRM_ERROR("invalid flags: %08x\n", args->flags);
+		return -EINVAL;
+	}
+
 	return msm_gem_new_handle(dev, file, args->size,
 			args->flags, &args->handle);
 }
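Review bot: The `DRM_ERROR` added in msm_ioctl_gem_new is reached purely from caller-supplied `args->flags`, so any process that can issue this ioctl can fill the kernel log by calling it repeatedly with a bad value. A rejection that userspace can trigger at will is better reported at debug level or rate-limited, for example `DRM_DEBUG("invalid flags: %08x\n", args->flags);` or `DRM_ERROR_RATELIMITED(...)` if the tree provides it. The same applies to the `invalid op` and `invalid pad` messages in the next two hunks and to the `invalid type` message added in msm_ioctl_gem_submit.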
@@ -677,6 +683,11 @@  static int msm_ioctl_gem_cpu_prep(struct drm_device *dev, void *data,
 	struct drm_gem_object *obj;
 	int ret;
 
+	if (args->op & ~MSM_PREP_FLAGS) {
+		DRM_ERROR("invalid op: %08x\n", args->op);
+		return -EINVAL;
+	}
+
 	obj = drm_gem_object_lookup(dev, file, args->handle);
 	if (!obj)
 		return -ENOENT;
@@ -731,7 +742,14 @@  static int msm_ioctl_wait_fence(struct drm_device *dev, void *data,
 		struct drm_file *file)
 {
 	struct drm_msm_wait_fence *args = data;
-	return msm_wait_fence_interruptable(dev, args->fence, &TS(args->timeout));
+
+	if (args->pad) {
+		DRM_ERROR("invalid pad: %08x\n", args->pad);
+		return -EINVAL;
+	}
+
+	return msm_wait_fence_interruptable(dev, args->fence,
+			&TS(args->timeout));
 }
 
 static const struct drm_ioctl_desc msm_ioctls[] = {
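Review bot: The new check in msm_ioctl_wait_fence covers `args->pad`, but `args->timeout` is still converted by `TS()` and passed to msm_wait_fence_interruptable with no validation visible in this hunk. The struct and the `TS()` macro are defined outside the hunk, so this is inferred: if the timeout carries a nanosecond field that `TS()` does not normalise, an out-of-range value should be rejected next to the pad check, e.g. `if (args->timeout.tv_nsec >= NSEC_PER_SEC) return -EINVAL;`. If the callee already rejects it, a one-line comment saying so would answer the question for the next reader.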
diff --git a/drivers/gpu/drm/msm/msm_gem_submit.c b/drivers/gpu/drm/msm/msm_gem_submit.c
index 5423e91..1f1f4cf 100644
--- a/drivers/gpu/drm/msm/msm_gem_submit.c
+++ b/drivers/gpu/drm/msm/msm_gem_submit.c
@@ -23,7 +23,6 @@ 
  * Cmdstream submission:
  */
 
-#define BO_INVALID_FLAGS ~(MSM_SUBMIT_BO_READ | MSM_SUBMIT_BO_WRITE)
 /* make sure these don't conflict w/ MSM_SUBMIT_BO_x */
 #define BO_VALID    0x8000
 #define BO_LOCKED   0x4000
@@ -77,7 +76,7 @@  static int submit_lookup_objects(struct msm_gem_submit *submit,
 			goto out_unlock;
 		}
 
-		if (submit_bo.flags & BO_INVALID_FLAGS) {
+		if (submit_bo.flags & ~MSM_SUBMIT_BO_FLAGS) {
 			DRM_ERROR("invalid flags: %x\n", submit_bo.flags);
 			ret = -EINVAL;
 			goto out_unlock;
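Review bot: Nothing enforces the context comment `make sure these don't conflict w/ MSM_SUBMIT_BO_x` above `BO_VALID` (0x8000) and `BO_LOCKED` (0x4000) in the preceding hunk; it is only a convention. Those internal bits presumably live in the same flags word as the userspace bits that pass this mask test. Now that the accepted bits are a single macro, the invariant can be checked at build time with `BUILD_BUG_ON(MSM_SUBMIT_BO_FLAGS & (BO_VALID | BO_LOCKED));` inside submit_lookup_objects. That would catch a future uapi flag that lets userspace set an internal state bit directly. The function body starts and ends outside this hunk.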
@@ -369,6 +368,18 @@  int msm_ioctl_gem_submit(struct drm_device *dev, void *data,
 			goto out;
 		}
 
+		/* validate input from userspace: */
+		switch (submit_cmd.type) {
+		case MSM_SUBMIT_CMD_BUF:
+		case MSM_SUBMIT_CMD_IB_TARGET_BUF:
+		case MSM_SUBMIT_CMD_CTX_RESTORE_BUF:
+			break;
+		default:
+			DRM_ERROR("invalid type: %08x\n", submit_cmd.type);
+			ret = -EINVAL;
+			goto out;
+		}
+
 		ret = submit_bo(submit, submit_cmd.submit_idx,
 				&msm_obj, &iova, NULL);
 		if (ret)
diff --git a/include/uapi/drm/msm_drm.h b/include/uapi/drm/msm_drm.h
index bf91a78..0664c31 100644
--- a/include/uapi/drm/msm_drm.h
+++ b/include/uapi/drm/msm_drm.h
@@ -70,6 +70,12 @@  struct drm_msm_param {
 #define MSM_BO_WC            0x00020000
 #define MSM_BO_UNCACHED      0x00040000
 
+#define MSM_BO_FLAGS         (MSM_BO_SCANOUT | \
+                              MSM_BO_GPU_READONLY | \
+                              MSM_BO_CACHED | \
+                              MSM_BO_WC | \
+                              MSM_BO_UNCACHED)
+
 struct drm_msm_gem_new {
 	uint64_t size;           /* in */
 	uint32_t flags;          /* in, mask of MSM_BO_x */
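Review bot: `MSM_BO_FLAGS` ORs all three cache-mode bits together, so the mask test in msm_ioctl_gem_new accepts a request with, say, `MSM_BO_WC | MSM_BO_UNCACHED` both set. Whether msm_gem_new_handle rejects that combination later is not visible on this page. If the cache modes are mutually exclusive, the define should say what the mask does and does not guarantee, e.g. `/* all defined MSM_BO_x bits; does not check that exactly one cache mode is set */`. The same comment should remind whoever adds a flag to extend the mask, which also applies to `MSM_PREP_FLAGS` and `MSM_SUBMIT_BO_FLAGS` in the following hunks.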
@@ -86,6 +92,8 @@  struct drm_msm_gem_info {
 #define MSM_PREP_WRITE       0x02
 #define MSM_PREP_NOSYNC      0x04
 
+#define MSM_PREP_FLAGS       (MSM_PREP_READ | MSM_PREP_WRITE | MSM_PREP_NOSYNC)
+
 struct drm_msm_gem_cpu_prep {
 	uint32_t handle;         /* in */
 	uint32_t op;             /* in, mask of MSM_PREP_x */
@@ -153,6 +161,9 @@  struct drm_msm_gem_submit_cmd {
  */
 #define MSM_SUBMIT_BO_READ             0x0001
 #define MSM_SUBMIT_BO_WRITE            0x0002
+
+#define MSM_SUBMIT_BO_FLAGS            (MSM_SUBMIT_BO_READ | MSM_SUBMIT_BO_WRITE)
+
 struct drm_msm_gem_submit_bo {
 	uint32_t flags;          /* in, mask of MSM_SUBMIT_BO_x */
 	uint32_t handle;         /* in, GEM handle */