Commit 93ddb0d3 authored by Rob Clark's avatar Rob Clark

drm/msm: validate flags, etc

After reading a nice article on LWN[1], I went back and double checked
my handling of invalid-input checking.  Turns out there were a couple
places I had missed.

Since the driver is fairly young, and the devices it supports are really
only just barely usable for basic stuff (serial console) with an
upstream kernel, I think we should fix this now and revert specific
parts of this patch later in the unlikely event that a regression is
reported.

[1] https://lwn.net/Articles/588444/Signed-off-by: default avatarRob Clark <robdclark@gmail.com>
parent 060530f1
...@@ -664,6 +664,12 @@ static int msm_ioctl_gem_new(struct drm_device *dev, void *data, ...@@ -664,6 +664,12 @@ static int msm_ioctl_gem_new(struct drm_device *dev, void *data,
struct drm_file *file) struct drm_file *file)
{ {
struct drm_msm_gem_new *args = data; struct drm_msm_gem_new *args = data;
if (args->flags & ~MSM_BO_FLAGS) {
DRM_ERROR("invalid flags: %08x\n", args->flags);
return -EINVAL;
}
return msm_gem_new_handle(dev, file, args->size, return msm_gem_new_handle(dev, file, args->size,
args->flags, &args->handle); args->flags, &args->handle);
} }
...@@ -677,6 +683,11 @@ static int msm_ioctl_gem_cpu_prep(struct drm_device *dev, void *data, ...@@ -677,6 +683,11 @@ static int msm_ioctl_gem_cpu_prep(struct drm_device *dev, void *data,
struct drm_gem_object *obj; struct drm_gem_object *obj;
int ret; int ret;
if (args->op & ~MSM_PREP_FLAGS) {
DRM_ERROR("invalid op: %08x\n", args->op);
return -EINVAL;
}
obj = drm_gem_object_lookup(dev, file, args->handle); obj = drm_gem_object_lookup(dev, file, args->handle);
if (!obj) if (!obj)
return -ENOENT; return -ENOENT;
...@@ -731,7 +742,14 @@ static int msm_ioctl_wait_fence(struct drm_device *dev, void *data, ...@@ -731,7 +742,14 @@ static int msm_ioctl_wait_fence(struct drm_device *dev, void *data,
struct drm_file *file) struct drm_file *file)
{ {
struct drm_msm_wait_fence *args = data; struct drm_msm_wait_fence *args = data;
return msm_wait_fence_interruptable(dev, args->fence, &TS(args->timeout));
if (args->pad) {
DRM_ERROR("invalid pad: %08x\n", args->pad);
return -EINVAL;
}
return msm_wait_fence_interruptable(dev, args->fence,
&TS(args->timeout));
} }
static const struct drm_ioctl_desc msm_ioctls[] = { static const struct drm_ioctl_desc msm_ioctls[] = {
......
...@@ -23,7 +23,6 @@ ...@@ -23,7 +23,6 @@
* Cmdstream submission: * Cmdstream submission:
*/ */
#define BO_INVALID_FLAGS ~(MSM_SUBMIT_BO_READ | MSM_SUBMIT_BO_WRITE)
/* make sure these don't conflict w/ MSM_SUBMIT_BO_x */ /* make sure these don't conflict w/ MSM_SUBMIT_BO_x */
#define BO_VALID 0x8000 #define BO_VALID 0x8000
#define BO_LOCKED 0x4000 #define BO_LOCKED 0x4000
...@@ -77,7 +76,7 @@ static int submit_lookup_objects(struct msm_gem_submit *submit, ...@@ -77,7 +76,7 @@ static int submit_lookup_objects(struct msm_gem_submit *submit,
goto out_unlock; goto out_unlock;
} }
if (submit_bo.flags & BO_INVALID_FLAGS) { if (submit_bo.flags & ~MSM_SUBMIT_BO_FLAGS) {
DRM_ERROR("invalid flags: %x\n", submit_bo.flags); DRM_ERROR("invalid flags: %x\n", submit_bo.flags);
ret = -EINVAL; ret = -EINVAL;
goto out_unlock; goto out_unlock;
...@@ -369,6 +368,18 @@ int msm_ioctl_gem_submit(struct drm_device *dev, void *data, ...@@ -369,6 +368,18 @@ int msm_ioctl_gem_submit(struct drm_device *dev, void *data,
goto out; goto out;
} }
/* validate input from userspace: */
switch (submit_cmd.type) {
case MSM_SUBMIT_CMD_BUF:
case MSM_SUBMIT_CMD_IB_TARGET_BUF:
case MSM_SUBMIT_CMD_CTX_RESTORE_BUF:
break;
default:
DRM_ERROR("invalid type: %08x\n", submit_cmd.type);
ret = -EINVAL;
goto out;
}
ret = submit_bo(submit, submit_cmd.submit_idx, ret = submit_bo(submit, submit_cmd.submit_idx,
&msm_obj, &iova, NULL); &msm_obj, &iova, NULL);
if (ret) if (ret)
......
...@@ -70,6 +70,12 @@ struct drm_msm_param { ...@@ -70,6 +70,12 @@ struct drm_msm_param {
#define MSM_BO_WC 0x00020000 #define MSM_BO_WC 0x00020000
#define MSM_BO_UNCACHED 0x00040000 #define MSM_BO_UNCACHED 0x00040000
#define MSM_BO_FLAGS (MSM_BO_SCANOUT | \
MSM_BO_GPU_READONLY | \
MSM_BO_CACHED | \
MSM_BO_WC | \
MSM_BO_UNCACHED)
struct drm_msm_gem_new { struct drm_msm_gem_new {
uint64_t size; /* in */ uint64_t size; /* in */
uint32_t flags; /* in, mask of MSM_BO_x */ uint32_t flags; /* in, mask of MSM_BO_x */
...@@ -86,6 +92,8 @@ struct drm_msm_gem_info { ...@@ -86,6 +92,8 @@ struct drm_msm_gem_info {
#define MSM_PREP_WRITE 0x02 #define MSM_PREP_WRITE 0x02
#define MSM_PREP_NOSYNC 0x04 #define MSM_PREP_NOSYNC 0x04
#define MSM_PREP_FLAGS (MSM_PREP_READ | MSM_PREP_WRITE | MSM_PREP_NOSYNC)
struct drm_msm_gem_cpu_prep { struct drm_msm_gem_cpu_prep {
uint32_t handle; /* in */ uint32_t handle; /* in */
uint32_t op; /* in, mask of MSM_PREP_x */ uint32_t op; /* in, mask of MSM_PREP_x */
...@@ -153,6 +161,9 @@ struct drm_msm_gem_submit_cmd { ...@@ -153,6 +161,9 @@ struct drm_msm_gem_submit_cmd {
*/ */
#define MSM_SUBMIT_BO_READ 0x0001 #define MSM_SUBMIT_BO_READ 0x0001
#define MSM_SUBMIT_BO_WRITE 0x0002 #define MSM_SUBMIT_BO_WRITE 0x0002
#define MSM_SUBMIT_BO_FLAGS (MSM_SUBMIT_BO_READ | MSM_SUBMIT_BO_WRITE)
struct drm_msm_gem_submit_bo { struct drm_msm_gem_submit_bo {
uint32_t flags; /* in, mask of MSM_SUBMIT_BO_x */ uint32_t flags; /* in, mask of MSM_SUBMIT_BO_x */
uint32_t handle; /* in, GEM handle */ uint32_t handle; /* in, GEM handle */
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment