On 03/10/2014 10:47 AM, Rob Clark wrote:
After reading a nice article on LWN[1], I went back and double checked
my handling of invalid-input checking.  Turns out there were a couple
places I had missed.

Since the driver is fairly young, and the devices it supports are really
only just barely usable for basic stuff (serial console) with an
upstream kernel, I think we should fix this now and revert specific
parts of this patch later in the unlikely event that a regression is
reported.

[1] https://lwn.net/Articles/588444/

Signed-off-by: Rob Clark <[email protected]>

Acked-by: Jordan Crouse <[email protected]>
---
  drivers/gpu/drm/msm/msm_drv.c        | 20 +++++++++++++++++++-
  drivers/gpu/drm/msm/msm_gem_submit.c | 15 +++++++++++++--
  include/uapi/drm/msm_drm.h           | 11 +++++++++++
  3 files changed, 43 insertions(+), 3 deletions(-)

diff --git a/drivers/gpu/drm/msm/msm_drv.c b/drivers/gpu/drm/msm/msm_drv.c
index 9ffc275..eee8d37 100644
--- a/drivers/gpu/drm/msm/msm_drv.c
+++ b/drivers/gpu/drm/msm/msm_drv.c
@@ -664,6 +664,12 @@ static int msm_ioctl_gem_new(struct drm_device *dev, void 
*data,
                struct drm_file *file)
  {
        struct drm_msm_gem_new *args = data;
+
+       if (args->flags & ~MSM_BO_FLAGS) {
+               DRM_ERROR("invalid flags: %08x\n", args->flags);
+               return -EINVAL;
+       }
+
        return msm_gem_new_handle(dev, file, args->size,
                        args->flags, &args->handle);
  }
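Review bot: The new rejection path in msm_ioctl_gem_new logs with `DRM_ERROR`, printing a value that comes straight from userspace, so any process that can issue this ioctl can fill the kernel log by looping on a bad `flags` word. The same pattern is added in msm_ioctl_gem_cpu_prep, msm_ioctl_wait_fence and the type switch in msm_ioctl_gem_submit. For failures caused by user input I would log at debug level, e.g. `DRM_DEBUG("invalid flags: %08x\n", args->flags);`, or use a rate-limited print. Whether these ioctls are reachable without privilege depends on the msm_ioctls table, which is outside the hunk.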
@@ -677,6 +683,11 @@ static int msm_ioctl_gem_cpu_prep(struct drm_device *dev, 
void *data,
        struct drm_gem_object *obj;
        int ret;

+       if (args->op & ~MSM_PREP_FLAGS) {
+               DRM_ERROR("invalid op: %08x\n", args->op);
+               return -EINVAL;
+       }
+
        obj = drm_gem_object_lookup(dev, file, args->handle);
        if (!obj)
                return -ENOENT;
@@ -731,7 +742,14 @@ static int msm_ioctl_wait_fence(struct drm_device *dev, 
void *data,
                struct drm_file *file)
  {
        struct drm_msm_wait_fence *args = data;
-       return msm_wait_fence_interruptable(dev, args->fence, 
&TS(args->timeout));
+
+       if (args->pad) {
+               DRM_ERROR("invalid pad: %08x\n", args->pad);
+               return -EINVAL;
+       }
+
+       return msm_wait_fence_interruptable(dev, args->fence,
+                       &TS(args->timeout));
  }

  static const struct drm_ioctl_desc msm_ioctls[] = {
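Review bot: `args->timeout` is still handed to `msm_wait_fence_interruptable()` through `TS()` with no check in this function, although it is as much userspace input as `pad`. If neither `TS()` nor the callee rejects a malformed or out-of-range timeout (their definitions are not visible here), that check belongs next to the new `pad` test. At minimum a comment such as `/* timeout is validated in msm_wait_fence_interruptable() */` would tell a reader where it happens.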
diff --git a/drivers/gpu/drm/msm/msm_gem_submit.c 
b/drivers/gpu/drm/msm/msm_gem_submit.c
index 5423e91..1f1f4cf 100644
--- a/drivers/gpu/drm/msm/msm_gem_submit.c
+++ b/drivers/gpu/drm/msm/msm_gem_submit.c
@@ -23,7 +23,6 @@
   * Cmdstream submission:
   */

-#define BO_INVALID_FLAGS ~(MSM_SUBMIT_BO_READ | MSM_SUBMIT_BO_WRITE)
  /* make sure these don't conflict w/ MSM_SUBMIT_BO_x */
  #define BO_VALID    0x8000
  #define BO_LOCKED   0x4000
@@ -77,7 +76,7 @@ static int submit_lookup_objects(struct msm_gem_submit 
*submit,
                        goto out_unlock;
                }

-               if (submit_bo.flags & BO_INVALID_FLAGS) {
+               if (submit_bo.flags & ~MSM_SUBMIT_BO_FLAGS) {
                        DRM_ERROR("invalid flags: %x\n", submit_bo.flags);
                        ret = -EINVAL;
                        goto out_unlock;
@@ -369,6 +368,18 @@ int msm_ioctl_gem_submit(struct drm_device *dev, void 
*data,
                        goto out;
                }

+               /* validate input from userspace: */
+               switch (submit_cmd.type) {
+               case MSM_SUBMIT_CMD_BUF:
+               case MSM_SUBMIT_CMD_IB_TARGET_BUF:
+               case MSM_SUBMIT_CMD_CTX_RESTORE_BUF:
+                       break;
+               default:
+                       DRM_ERROR("invalid type: %08x\n", submit_cmd.type);
+                       ret = -EINVAL;
+                       goto out;
+               }
+
                ret = submit_bo(submit, submit_cmd.submit_idx,
                                &msm_obj, &iova, NULL);
                if (ret)
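Review bot: The allow-list in the new `switch (submit_cmd.type)` has to be extended by hand whenever a new MSM_SUBMIT_CMD_x value is added to the uapi header, and the comment does not say so. I would write it as `/* validate input from userspace; keep in sync with MSM_SUBMIT_CMD_x in msm_drm.h: */`. Only `type` is checked in the visible lines. If `struct drm_msm_gem_submit_cmd` has a padding field like `drm_msm_wait_fence` does, it should get the same must-be-zero test here. The function body starts and ends outside the hunk, so such checks may already exist elsewhere.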
diff --git a/include/uapi/drm/msm_drm.h b/include/uapi/drm/msm_drm.h
index bf91a78..0664c31 100644
--- a/include/uapi/drm/msm_drm.h
+++ b/include/uapi/drm/msm_drm.h
@@ -70,6 +70,12 @@ struct drm_msm_param {
  #define MSM_BO_WC            0x00020000
  #define MSM_BO_UNCACHED      0x00040000

+#define MSM_BO_FLAGS         (MSM_BO_SCANOUT | \
+                              MSM_BO_GPU_READONLY | \
+                              MSM_BO_CACHED | \
+                              MSM_BO_WC | \
+                              MSM_BO_UNCACHED)
+
  struct drm_msm_gem_new {
        uint64_t size;           /* in */
        uint32_t flags;          /* in, mask of MSM_BO_x */
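Review bot: `MSM_BO_FLAGS` is a plain OR of every defined bit, so the `args->flags & ~MSM_BO_FLAGS` test in msm_ioctl_gem_new rejects unknown bits but still accepts any combination of known ones, for example `MSM_BO_WC | MSM_BO_UNCACHED`. If the cache-mode flags are meant to be mutually exclusive, as their names suggest, the ioctl needs a second check that exactly one cache mode is selected. The mask should then carry a comment such as `/* all defined bits; does not check that only one cache mode is set */`. Because this lives in a uapi header, it is also worth noting in that comment that the mask describes the header's flags, not what a given running kernel accepts.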
@@ -86,6 +92,8 @@ struct drm_msm_gem_info {
  #define MSM_PREP_WRITE       0x02
  #define MSM_PREP_NOSYNC      0x04

+#define MSM_PREP_FLAGS       (MSM_PREP_READ | MSM_PREP_WRITE | MSM_PREP_NOSYNC)
+
  struct drm_msm_gem_cpu_prep {
        uint32_t handle;         /* in */
        uint32_t op;             /* in, mask of MSM_PREP_x */
@@ -153,6 +161,9 @@ struct drm_msm_gem_submit_cmd {
   */
  #define MSM_SUBMIT_BO_READ             0x0001
  #define MSM_SUBMIT_BO_WRITE            0x0002
+
+#define MSM_SUBMIT_BO_FLAGS            (MSM_SUBMIT_BO_READ | 
MSM_SUBMIT_BO_WRITE)
+
  struct drm_msm_gem_submit_bo {
        uint32_t flags;          /* in, mask of MSM_SUBMIT_BO_x */
        uint32_t handle;         /* in, GEM handle */



--
The Qualcomm Innovation Center, Inc. is a member of Code Aurora Forum,
hosted by The Linux Foundation