[PATCH] drm/amdgpu:Added support for MV packet

[Christian König]

Am 29.03.2018 um 23:02 schrieb James Zhu:
> Motion vector packet needs support in physic mode.
>
> Signed-off-by: James Zhu <James.Zhu at amd.com>
> ---
>   drivers/gpu/drm/amd/amdgpu/amdgpu_vce.c | 24 ++++++++++++++++++++++++
>   1 file changed, 24 insertions(+)
>
> diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_vce.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_vce.c
> index 4dfa868..ef6b780 100644
> --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_vce.c
> +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_vce.c
> @@ -767,6 +767,18 @@ int amdgpu_vce_ring_parse_cs(struct amdgpu_cs_parser *p, uint32_t ib_idx)
>   			if (r)
>   				goto out;
>   			break;
> +
> +		case 0x0500000d: /* MV buffer */
> +			r = amdgpu_vce_validate_bo(p, ib_idx, idx + 3,
> +							idx + 2, 0, 0);
> +			if (r)
> +				goto out;
> +
> +			r = amdgpu_vce_validate_bo(p, ib_idx, idx + 8,
> +							idx + 7, 0, 0);
> +			if (r)
> +				goto out;
> +			break;

You need to specify a size here or otherwise userspace could allocate 
only a 4kb buffer and hope that VCE write over the end of the buffer.

Since the MVs are easily controllable userspace can hope to hit and fill 
a page table with this. That would be a security hole you can push an 
elephant through, taking over the whole system with that is just a 
typing exercise.

Regards,
Christian.

>   		}
>   
>   		idx += len / 4;
> @@ -884,6 +896,18 @@ int amdgpu_vce_ring_parse_cs(struct amdgpu_cs_parser *p, uint32_t ib_idx)
>   				goto out;
>   			break;
>   
> +		case 0x0500000d: /* MV buffer */
> +			r = amdgpu_vce_cs_reloc(p, ib_idx, idx + 3,
> +							idx + 2, 0, 0);
> +			if (r)
> +				goto out;
> +
> +			r = amdgpu_vce_cs_reloc(p, ib_idx, idx + 8,
> +							idx + 7, 0, 0);
> +			if (r)
> +				goto out;
> +			break;
> +
>   		default:
>   			DRM_ERROR("invalid VCE command (0x%x)!\n", cmd);
>   			r = -EINVAL;