From patchwork Mon Mar 10 16:47:42 2014 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Rob Clark X-Patchwork-Id: 3804401 Return-Path: X-Original-To: patchwork-linux-arm-msm@patchwork.kernel.org Delivered-To: patchwork-parsemail@patchwork1.web.kernel.org Received: from mail.kernel.org (mail.kernel.org [198.145.19.201]) by patchwork1.web.kernel.org (Postfix) with ESMTP id D66DF9F1CD for ; Mon, 10 Mar 2014 16:48:33 +0000 (UTC) Received: from mail.kernel.org (localhost [127.0.0.1]) by mail.kernel.org (Postfix) with ESMTP id C445220394 for ; Mon, 10 Mar 2014 16:48:32 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 4014D202AE for ; Mon, 10 Mar 2014 16:48:31 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753847AbaCJQsa (ORCPT ); Mon, 10 Mar 2014 12:48:30 -0400 Received: from mail-qa0-f52.google.com ([209.85.216.52]:51679 "EHLO mail-qa0-f52.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1753095AbaCJQsa (ORCPT ); Mon, 10 Mar 2014 12:48:30 -0400 Received: by mail-qa0-f52.google.com with SMTP id m5so7024862qaj.25 for ; Mon, 10 Mar 2014 09:48:29 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=from:to:cc:subject:date:message-id:in-reply-to:references; bh=5UkVUMEoEE/U+o5lgQbcMw+9KMkwwVKbmY6+yt46Z64=; b=bfTPsD5hnxlLDVxPYZ1g1ZyJVSdb+LwJsH2Lzttg7+l66gvSAgY8PaYrIuxCBTDACe on6i5DmCTSUzavY0n+rXgIe5ei/seAetDz3GFte5hnPD6GGr6vSiabl04kORQAiJ2pvO mR8sgWGHRDa99FaP9/ZuWAxcKnYrddpWk6gDFMfiyNjF0nFlOMMLmyyr+iWws8wnS9+D NRSFzxkdKqVqTHLQAGbEJ9TgZG9nCQkGzqqAzHa2na8frivE91LFuDLKroBFQpPRxS/c j2LcAV3Cj1mR3lno8i8o3J/Oo7Fe93ITtF3e3dyS6yceS+L7CDmf1r5fbsitSvGI9Ap5 8mTg== X-Received: by 10.229.66.133 with SMTP id n5mr35655914qci.0.1394470109625; Mon, 10 Mar 2014 09:48:29 -0700 (PDT) Received: from localhost (pool-108-20-244-150.bstnma.east.verizon.net. [108.20.244.150]) by mx.google.com with ESMTPSA id m74sm24508535qgd.14.2014.03.10.09.48.27 for (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 10 Mar 2014 09:48:28 -0700 (PDT) From: Rob Clark To: dri-devel@lists.freedesktop.org Cc: linux-arm-msm@vger.kernel.org, Rob Clark Subject: [PATCH 7/7] drm/msm: validate flags, etc Date: Mon, 10 Mar 2014 12:47:42 -0400 Message-Id: <1394470062-27442-8-git-send-email-robdclark@gmail.com> X-Mailer: git-send-email 1.8.5.3 In-Reply-To: <1394470062-27442-1-git-send-email-robdclark@gmail.com> References: <1394470062-27442-1-git-send-email-robdclark@gmail.com> Sender: linux-arm-msm-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-arm-msm@vger.kernel.org X-Spam-Status: No, score=-6.8 required=5.0 tests=BAYES_00, DKIM_ADSP_CUSTOM_MED, DKIM_SIGNED, FREEMAIL_FROM, RCVD_IN_DNSWL_HI, T_DKIM_INVALID, T_RP_MATCHES_RCVD, UNPARSEABLE_RELAY autolearn=ham version=3.3.1 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on mail.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP After reading a nice article on LWN[1], I went back and double checked my handling of invalid-input checking. Turns out there were a couple places I had missed. Since the driver is fairly young, and the devices it supports are really only just barely usable for basic stuff (serial console) with an upstream kernel, I think we should fix this now and revert specific parts of this patch later in the unlikely event that a regression is reported. [1] https://lwn.net/Articles/588444/ Signed-off-by: Rob Clark Acked-by: Jordan Crouse --- drivers/gpu/drm/msm/msm_drv.c | 20 +++++++++++++++++++- drivers/gpu/drm/msm/msm_gem_submit.c | 15 +++++++++++++-- include/uapi/drm/msm_drm.h | 11 +++++++++++ 3 files changed, 43 insertions(+), 3 deletions(-) diff --git a/drivers/gpu/drm/msm/msm_drv.c b/drivers/gpu/drm/msm/msm_drv.c index 9ffc275..eee8d37 100644 --- a/drivers/gpu/drm/msm/msm_drv.c +++ b/drivers/gpu/drm/msm/msm_drv.c @@ -664,6 +664,12 @@ static int msm_ioctl_gem_new(struct drm_device *dev, void *data, struct drm_file *file) { struct drm_msm_gem_new *args = data; + + if (args->flags & ~MSM_BO_FLAGS) { + DRM_ERROR("invalid flags: %08x\n", args->flags); + return -EINVAL; + } + return msm_gem_new_handle(dev, file, args->size, args->flags, &args->handle); } @@ -677,6 +683,11 @@ static int msm_ioctl_gem_cpu_prep(struct drm_device *dev, void *data, struct drm_gem_object *obj; int ret; + if (args->op & ~MSM_PREP_FLAGS) { + DRM_ERROR("invalid op: %08x\n", args->op); + return -EINVAL; + } + obj = drm_gem_object_lookup(dev, file, args->handle); if (!obj) return -ENOENT; @@ -731,7 +742,14 @@ static int msm_ioctl_wait_fence(struct drm_device *dev, void *data, struct drm_file *file) { struct drm_msm_wait_fence *args = data; - return msm_wait_fence_interruptable(dev, args->fence, &TS(args->timeout)); + + if (args->pad) { + DRM_ERROR("invalid pad: %08x\n", args->pad); + return -EINVAL; + } + + return msm_wait_fence_interruptable(dev, args->fence, + &TS(args->timeout)); } static const struct drm_ioctl_desc msm_ioctls[] = { diff --git a/drivers/gpu/drm/msm/msm_gem_submit.c b/drivers/gpu/drm/msm/msm_gem_submit.c index 5423e91..1f1f4cf 100644 --- a/drivers/gpu/drm/msm/msm_gem_submit.c +++ b/drivers/gpu/drm/msm/msm_gem_submit.c @@ -23,7 +23,6 @@ * Cmdstream submission: */ -#define BO_INVALID_FLAGS ~(MSM_SUBMIT_BO_READ | MSM_SUBMIT_BO_WRITE) /* make sure these don't conflict w/ MSM_SUBMIT_BO_x */ #define BO_VALID 0x8000 #define BO_LOCKED 0x4000 @@ -77,7 +76,7 @@ static int submit_lookup_objects(struct msm_gem_submit *submit, goto out_unlock; } - if (submit_bo.flags & BO_INVALID_FLAGS) { + if (submit_bo.flags & ~MSM_SUBMIT_BO_FLAGS) { DRM_ERROR("invalid flags: %x\n", submit_bo.flags); ret = -EINVAL; goto out_unlock; @@ -369,6 +368,18 @@ int msm_ioctl_gem_submit(struct drm_device *dev, void *data, goto out; } + /* validate input from userspace: */ + switch (submit_cmd.type) { + case MSM_SUBMIT_CMD_BUF: + case MSM_SUBMIT_CMD_IB_TARGET_BUF: + case MSM_SUBMIT_CMD_CTX_RESTORE_BUF: + break; + default: + DRM_ERROR("invalid type: %08x\n", submit_cmd.type); + ret = -EINVAL; + goto out; + } + ret = submit_bo(submit, submit_cmd.submit_idx, &msm_obj, &iova, NULL); if (ret) diff --git a/include/uapi/drm/msm_drm.h b/include/uapi/drm/msm_drm.h index bf91a78..0664c31 100644 --- a/include/uapi/drm/msm_drm.h +++ b/include/uapi/drm/msm_drm.h @@ -70,6 +70,12 @@ struct drm_msm_param { #define MSM_BO_WC 0x00020000 #define MSM_BO_UNCACHED 0x00040000 +#define MSM_BO_FLAGS (MSM_BO_SCANOUT | \ + MSM_BO_GPU_READONLY | \ + MSM_BO_CACHED | \ + MSM_BO_WC | \ + MSM_BO_UNCACHED) + struct drm_msm_gem_new { uint64_t size; /* in */ uint32_t flags; /* in, mask of MSM_BO_x */ @@ -86,6 +92,8 @@ struct drm_msm_gem_info { #define MSM_PREP_WRITE 0x02 #define MSM_PREP_NOSYNC 0x04 +#define MSM_PREP_FLAGS (MSM_PREP_READ | MSM_PREP_WRITE | MSM_PREP_NOSYNC) + struct drm_msm_gem_cpu_prep { uint32_t handle; /* in */ uint32_t op; /* in, mask of MSM_PREP_x */ @@ -153,6 +161,9 @@ struct drm_msm_gem_submit_cmd { */ #define MSM_SUBMIT_BO_READ 0x0001 #define MSM_SUBMIT_BO_WRITE 0x0002 + +#define MSM_SUBMIT_BO_FLAGS (MSM_SUBMIT_BO_READ | MSM_SUBMIT_BO_WRITE) + struct drm_msm_gem_submit_bo { uint32_t flags; /* in, mask of MSM_SUBMIT_BO_x */ uint32_t handle; /* in, GEM handle */