Limit the blob size and number of blobs that can be allocated
by a client. This prevents fuzzers from abusing this ioctl and
exhausting the system memory.

Signed-off-by: Steve Cohen <[email protected]>
---
 drivers/gpu/drm/msm/disp/dpu1/dpu_kms.c | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/drivers/gpu/drm/msm/disp/dpu1/dpu_kms.c 
b/drivers/gpu/drm/msm/disp/dpu1/dpu_kms.c
index 6c92f0f..5fbb7c3 100644
--- a/drivers/gpu/drm/msm/disp/dpu1/dpu_kms.c
+++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_kms.c
@@ -41,6 +41,8 @@
  */
 #define DPU_DEBUGFS_DIR "msm_dpu"
 #define DPU_DEBUGFS_HWMASKNAME "hw_log_mask"
+#define MAX_BLOB_PROP_SIZE     (PAGE_SIZE * 30)
+#define MAX_BLOB_PROP_COUNT    250
 
 static int dpu_kms_hw_init(struct msm_kms *kms);
 static void _dpu_kms_mmu_destroy(struct dpu_kms *dpu_kms);
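Review bot: `MAX_BLOB_PROP_SIZE` is `PAGE_SIZE * 30`, so the per-blob ceiling scales with the kernel's page size instead of being a fixed byte budget. A build with larger pages would accept proportionally larger blobs. If a fixed limit is intended, define it in bytes and say where the two numbers come from, for example with `/* Caps on property blobs a client may create; sized for the largest blob DPU userspace is expected to pass */`. Both macros are also unprefixed in a file whose neighbouring defines use `DPU_`; `DPU_MAX_BLOB_PROP_SIZE` and `DPU_MAX_BLOB_PROP_COUNT` would match and avoid clashing with a future core definition.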
@@ -544,6 +546,17 @@ static int _dpu_kms_drm_obj_init(struct dpu_kms *dpu_kms)
        return ret;
 }
 
+static int dpu_kms_createblob_check(unsigned int count, size_t length)
+{
+       if (count >= MAX_BLOB_PROP_COUNT)
+               return -EINVAL;
+
+       if (length > MAX_BLOB_PROP_SIZE)
+               return -EINVAL;
+
+       return 0;
+}
+
 static long dpu_kms_round_pixclk(struct msm_kms *kms, unsigned long rate,
                struct drm_encoder *encoder)
 {
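Review bot: The two limits in `dpu_kms_createblob_check()` use different boundaries, `count >= MAX_BLOB_PROP_COUNT` but `length > MAX_BLOB_PROP_SIZE`. Nothing in the hunk says whether `count` is the number of blobs the client already holds or the number including the one being created, so the effective maximum (249, 250 or 251) cannot be checked from here. A kernel-doc comment should state that contract and that `count` is expected to be per client; the caller is outside this patch. Each client can still pin up to roughly `MAX_BLOB_PROP_COUNT * MAX_BLOB_PROP_SIZE`, and if the count is tracked per open file, a process that opens the device repeatedly multiplies that, so total memory is bounded only if the caller also accounts across files. Returning `-ENOSPC` or `-ENOMEM` for the count limit would let userspace tell a quota hit from a malformed request, which `-EINVAL` does not.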
@@ -683,6 +696,7 @@ static const struct msm_kms_funcs kms_funcs = {
 #ifdef CONFIG_DEBUG_FS
        .debugfs_init    = dpu_kms_debugfs_init,
 #endif
+       .createblob_check = dpu_kms_createblob_check,
 };
 
 static void _dpu_kms_mmu_destroy(struct dpu_kms *dpu_kms)
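Review bot: `.createblob_check` is assigned here, but the diffstat lists only dpu_kms.c, so the member's declaration in `struct msm_kms_funcs` and the code that invokes it must come from a companion patch. This one will not build or take effect without it. The hook is also installed only for DPU. If the caller treats a NULL hook as "no limit" (presumably, not visible here), the other msm KMS backends keep the unbounded behaviour this commit is meant to close. Enforcing a default limit in the common caller, with the hook only tightening it, would cover them; at minimum the companion patch should document what a NULL `createblob_check` means.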
-- 
The Qualcomm Innovation Center, Inc. is a member of the Code Aurora Forum,
a Linux Foundation Collaborative Project
