Re: [PATCH 2/3] drm/amd: validate user pitch alignment
On 2018-12-23 10:44 p.m., Yu Zhao wrote: > On Fri, Dec 21, 2018 at 10:07:26AM +0100, Michel Dänzer wrote: >> On 2018-12-21 4:10 a.m., Yu Zhao wrote: >>> Userspace may request pitch alignment that is not supported by GPU. >>> Some requests 32, but GPU ignores it and uses default 64 when cpp is >>> 4. If GEM object is allocated based on the smaller alignment, GPU >>> DMA will go out of bound. >>> >>> For GPU that does frame buffer compression, DMA writing out of bound >>> memory will cause memory corruption. >>> >>> Signed-off-by: Yu Zhao >>> --- >>> drivers/gpu/drm/amd/amdgpu/amdgpu_display.c | 9 + >>> 1 file changed, 9 insertions(+) >>> >>> diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_display.c >>> b/drivers/gpu/drm/amd/amdgpu/amdgpu_display.c >>> index e309d26170db..755daa332f8a 100644 >>> --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_display.c >>> +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_display.c >>> @@ -527,6 +527,15 @@ amdgpu_display_user_framebuffer_create(struct >>> drm_device *dev, >>> struct drm_gem_object *obj; >>> struct amdgpu_framebuffer *amdgpu_fb; >>> int ret; >>> + struct amdgpu_device *adev = dev->dev_private; >>> + int cpp = drm_format_plane_cpp(mode_cmd->pixel_format, 0); >>> + int pitch = amdgpu_align_pitch(adev, mode_cmd->width, cpp, false); >> >> Also, this needs to use mode_cmd->pitches[0] instead of mode_cmd->width, >> otherwise it'll spuriously fail for larger but well-aligned pitches. > > Actually mode_cmd->pitches[0] is aligned mode_cmd->width multiplied > by cpp. So we can't just use mode_cmd->pitches[0]. Use mode_cmd->pitches[0] / cpp then? > And I'm not sure if the hardware works with larger alignment It does. > (it certainly ignores smaller alignment). Yeah, pitch must be >= width. Maybe this patch could check that as well. -- Earthling Michel Dänzer | http://www.amd.com Libre software enthusiast | Mesa and X developer
Re: [PATCH 2/3] drm/amd: validate user pitch alignment
On Fri, Dec 21, 2018 at 10:07:26AM +0100, Michel Dänzer wrote: > On 2018-12-21 4:10 a.m., Yu Zhao wrote: > > Userspace may request pitch alignment that is not supported by GPU. > > Some requests 32, but GPU ignores it and uses default 64 when cpp is > > 4. If GEM object is allocated based on the smaller alignment, GPU > > DMA will go out of bound. > > > > For GPU that does frame buffer compression, DMA writing out of bound > > memory will cause memory corruption. > > > > Signed-off-by: Yu Zhao > > --- > > drivers/gpu/drm/amd/amdgpu/amdgpu_display.c | 9 + > > 1 file changed, 9 insertions(+) > > > > diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_display.c > > b/drivers/gpu/drm/amd/amdgpu/amdgpu_display.c > > index e309d26170db..755daa332f8a 100644 > > --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_display.c > > +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_display.c > > @@ -527,6 +527,15 @@ amdgpu_display_user_framebuffer_create(struct > > drm_device *dev, > > struct drm_gem_object *obj; > > struct amdgpu_framebuffer *amdgpu_fb; > > int ret; > > + struct amdgpu_device *adev = dev->dev_private; > > + int cpp = drm_format_plane_cpp(mode_cmd->pixel_format, 0); > > + int pitch = amdgpu_align_pitch(adev, mode_cmd->width, cpp, false); > > Also, this needs to use mode_cmd->pitches[0] instead of mode_cmd->width, > otherwise it'll spuriously fail for larger but well-aligned pitches. Actually mode_cmd->pitches[0] is aligned mode_cmd->width multiplied by cpp. So we can't just use mode_cmd->pitches[0]. And I'm not sure if the hardware works with larger alignment (it certainly ignores smaller alignment).
Re: [PATCH 2/3] drm/amd: validate user pitch alignment
On Fri, Dec 21, 2018 at 10:07:26AM +0100, Michel Dänzer wrote: > On 2018-12-21 4:10 a.m., Yu Zhao wrote: > > Userspace may request pitch alignment that is not supported by GPU. > > Some requests 32, but GPU ignores it and uses default 64 when cpp is > > 4. If GEM object is allocated based on the smaller alignment, GPU > > DMA will go out of bound. > > > > For GPU that does frame buffer compression, DMA writing out of bound > > memory will cause memory corruption. > > > > Signed-off-by: Yu Zhao > > --- > > drivers/gpu/drm/amd/amdgpu/amdgpu_display.c | 9 + > > 1 file changed, 9 insertions(+) > > > > diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_display.c > > b/drivers/gpu/drm/amd/amdgpu/amdgpu_display.c > > index e309d26170db..755daa332f8a 100644 > > --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_display.c > > +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_display.c > > @@ -527,6 +527,15 @@ amdgpu_display_user_framebuffer_create(struct > > drm_device *dev, > > struct drm_gem_object *obj; > > struct amdgpu_framebuffer *amdgpu_fb; > > int ret; > > + struct amdgpu_device *adev = dev->dev_private; > > + int cpp = drm_format_plane_cpp(mode_cmd->pixel_format, 0); > > + int pitch = amdgpu_align_pitch(adev, mode_cmd->width, cpp, false); > > Also, this needs to use mode_cmd->pitches[0] instead of mode_cmd->width, > otherwise it'll spuriously fail for larger but well-aligned pitches. Good point, thanks.
Re: [PATCH 2/3] drm/amd: validate user pitch alignment
On 2018-12-21 4:10 a.m., Yu Zhao wrote: > Userspace may request pitch alignment that is not supported by GPU. > Some requests 32, but GPU ignores it and uses default 64 when cpp is > 4. If GEM object is allocated based on the smaller alignment, GPU > DMA will go out of bound. > > For GPU that does frame buffer compression, DMA writing out of bound > memory will cause memory corruption. > > Signed-off-by: Yu Zhao > --- > drivers/gpu/drm/amd/amdgpu/amdgpu_display.c | 9 + > 1 file changed, 9 insertions(+) > > diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_display.c > b/drivers/gpu/drm/amd/amdgpu/amdgpu_display.c > index e309d26170db..755daa332f8a 100644 > --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_display.c > +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_display.c > @@ -527,6 +527,15 @@ amdgpu_display_user_framebuffer_create(struct drm_device > *dev, > struct drm_gem_object *obj; > struct amdgpu_framebuffer *amdgpu_fb; > int ret; > + struct amdgpu_device *adev = dev->dev_private; > + int cpp = drm_format_plane_cpp(mode_cmd->pixel_format, 0); > + int pitch = amdgpu_align_pitch(adev, mode_cmd->width, cpp, false); Also, this needs to use mode_cmd->pitches[0] instead of mode_cmd->width, otherwise it'll spuriously fail for larger but well-aligned pitches. -- Earthling Michel Dänzer | http://www.amd.com Libre software enthusiast | Mesa and X developer
Re: [PATCH 2/3] drm/amd: validate user pitch alignment
On 2018-12-21 4:10 a.m., Yu Zhao wrote:
> Userspace may request pitch alignment that is not supported by GPU.
> Some requests 32, but GPU ignores it and uses default 64 when cpp is
> 4. If GEM object is allocated based on the smaller alignment, GPU
> DMA will go out of bound.
>
> For GPU that does frame buffer compression, DMA writing out of bound
> memory will cause memory corruption.
>
> Signed-off-by: Yu Zhao
> ---
> drivers/gpu/drm/amd/amdgpu/amdgpu_display.c | 9 +
> 1 file changed, 9 insertions(+)
>
> diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_display.c
> b/drivers/gpu/drm/amd/amdgpu/amdgpu_display.c
> index e309d26170db..755daa332f8a 100644
> --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_display.c
> +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_display.c
> @@ -527,6 +527,15 @@ amdgpu_display_user_framebuffer_create(struct drm_device
> *dev,
> struct drm_gem_object *obj;
> struct amdgpu_framebuffer *amdgpu_fb;
> int ret;
> + struct amdgpu_device *adev = dev->dev_private;
> + int cpp = drm_format_plane_cpp(mode_cmd->pixel_format, 0);
> + int pitch = amdgpu_align_pitch(adev, mode_cmd->width, cpp, false);
> +
> + if (mode_cmd->pitches[0] != pitch) {
> + dev_err(>pdev->dev, "Invalid pitch: expecting %d but got
> %d\n",
> + pitch, mode_cmd->pitches[0]);
This message shouldn't be printed by default, or buggy / malicious
userspace can spam dmesg. I suggest using DRM_DEBUG_KMS or DRM_DEBUG_DRIVER.
> + return ERR_PTR(-EINVAL);
> + }
>
> obj = drm_gem_object_lookup(file_priv, mode_cmd->handles[0]);
> if (obj == NULL) {
>
Other than that, looks good to me.
--
Earthling Michel Dänzer | http://www.amd.com
Libre software enthusiast | Mesa and X developer
