[PATCH 7/7] drm/msm: validate flags, etc
Jordan Crouse
jcrouse at codeaurora.org
Mon Mar 10 13:22:15 PDT 2014
On 03/10/2014 10:47 AM, Rob Clark wrote:
> After reading a nice article on LWN[1], I went back and double checked
> my handling of invalid-input checking. Turns out there were a couple
> places I had missed.
>
> Since the driver is fairly young, and the devices it supports are really
> only just barely usable for basic stuff (serial console) with an
> upstream kernel, I think we should fix this now and revert specific
> parts of this patch later in the unlikely event that a regression is
> reported.
>
> [1] https://lwn.net/Articles/588444/
>
> Signed-off-by: Rob Clark <robdclark at gmail.com>
Acked-by: Jordan Crouse <jcrouse at codeaurora.org>
> ---
> drivers/gpu/drm/msm/msm_drv.c | 20 +++++++++++++++++++-
> drivers/gpu/drm/msm/msm_gem_submit.c | 15 +++++++++++++--
> include/uapi/drm/msm_drm.h | 11 +++++++++++
> 3 files changed, 43 insertions(+), 3 deletions(-)
>
> diff --git a/drivers/gpu/drm/msm/msm_drv.c b/drivers/gpu/drm/msm/msm_drv.c
> index 9ffc275..eee8d37 100644
> --- a/drivers/gpu/drm/msm/msm_drv.c
> +++ b/drivers/gpu/drm/msm/msm_drv.c
> @@ -664,6 +664,12 @@ static int msm_ioctl_gem_new(struct drm_device *dev, void *data,
> struct drm_file *file)
> {
> struct drm_msm_gem_new *args = data;
> +
> + if (args->flags & ~MSM_BO_FLAGS) {
> + DRM_ERROR("invalid flags: %08x\n", args->flags);
> + return -EINVAL;
> + }
> +
> return msm_gem_new_handle(dev, file, args->size,
> args->flags, &args->handle);
> }
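Review bot: The new rejection paths log with `DRM_ERROR`: `invalid flags` here, `invalid op` in msm_ioctl_gem_cpu_prep, `invalid pad` in msm_ioctl_wait_fence, and `invalid type` in msm_gem_submit.c. Each of them is reached purely from ioctl arguments, so a process with access to the device node can fill the kernel log and push out other messages. Errors caused by bad userspace input are better reported at debug level, for example `DRM_DEBUG("invalid flags: %08x\n", args->flags);`, or through a rate-limited print. The `-EINVAL` return should stay as it is.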
> @@ -677,6 +683,11 @@ static int msm_ioctl_gem_cpu_prep(struct drm_device *dev, void *data,
> struct drm_gem_object *obj;
> int ret;
>
> + if (args->op & ~MSM_PREP_FLAGS) {
> + DRM_ERROR("invalid op: %08x\n", args->op);
> + return -EINVAL;
> + }
> +
> obj = drm_gem_object_lookup(dev, file, args->handle);
> if (!obj)
> return -ENOENT;
> @@ -731,7 +742,14 @@ static int msm_ioctl_wait_fence(struct drm_device *dev, void *data,
> struct drm_file *file)
> {
> struct drm_msm_wait_fence *args = data;
> - return msm_wait_fence_interruptable(dev, args->fence, &TS(args->timeout));
> +
> + if (args->pad) {
> + DRM_ERROR("invalid pad: %08x\n", args->pad);
> + return -EINVAL;
> + }
> +
> + return msm_wait_fence_interruptable(dev, args->fence,
> + &TS(args->timeout));
> }
>
> static const struct drm_ioctl_desc msm_ioctls[] = {
> diff --git a/drivers/gpu/drm/msm/msm_gem_submit.c b/drivers/gpu/drm/msm/msm_gem_submit.c
> index 5423e91..1f1f4cf 100644
> --- a/drivers/gpu/drm/msm/msm_gem_submit.c
> +++ b/drivers/gpu/drm/msm/msm_gem_submit.c
> @@ -23,7 +23,6 @@
> * Cmdstream submission:
> */
>
> -#define BO_INVALID_FLAGS ~(MSM_SUBMIT_BO_READ | MSM_SUBMIT_BO_WRITE)
> /* make sure these don't conflict w/ MSM_SUBMIT_BO_x */
> #define BO_VALID 0x8000
> #define BO_LOCKED 0x4000
> @@ -77,7 +76,7 @@ static int submit_lookup_objects(struct msm_gem_submit *submit,
> goto out_unlock;
> }
>
> - if (submit_bo.flags & BO_INVALID_FLAGS) {
> + if (submit_bo.flags & ~MSM_SUBMIT_BO_FLAGS) {
> DRM_ERROR("invalid flags: %x\n", submit_bo.flags);
> ret = -EINVAL;
> goto out_unlock;
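Review bot: The comment above `BO_VALID`/`BO_LOCKED` ("make sure these don't conflict w/ MSM_SUBMIT_BO_x") is still enforced only by convention. This check appears to be what stops userspace from presetting those internal bits through `submit_bo.flags`, though how they are stored is inferred from the comment rather than visible here. Now that a single mask exists, a compile-time assertion such as `BUILD_BUG_ON(MSM_SUBMIT_BO_FLAGS & (BO_VALID | BO_LOCKED));` inside submit_lookup_objects would catch a future uapi flag landing on 0x4000 or 0x8000. The function starts and ends outside this hunk.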
> @@ -369,6 +368,18 @@ int msm_ioctl_gem_submit(struct drm_device *dev, void *data,
> goto out;
> }
>
> + /* validate input from userspace: */
> + switch (submit_cmd.type) {
> + case MSM_SUBMIT_CMD_BUF:
> + case MSM_SUBMIT_CMD_IB_TARGET_BUF:
> + case MSM_SUBMIT_CMD_CTX_RESTORE_BUF:
> + break;
> + default:
> + DRM_ERROR("invalid type: %08x\n", submit_cmd.type);
> + ret = -EINVAL;
> + goto out;
> + }
> +
> ret = submit_bo(submit, submit_cmd.submit_idx,
> &msm_obj, &iova, NULL);
> if (ret)
> diff --git a/include/uapi/drm/msm_drm.h b/include/uapi/drm/msm_drm.h
> index bf91a78..0664c31 100644
> --- a/include/uapi/drm/msm_drm.h
> +++ b/include/uapi/drm/msm_drm.h
> @@ -70,6 +70,12 @@ struct drm_msm_param {
> #define MSM_BO_WC 0x00020000
> #define MSM_BO_UNCACHED 0x00040000
>
> +#define MSM_BO_FLAGS (MSM_BO_SCANOUT | \
> + MSM_BO_GPU_READONLY | \
> + MSM_BO_CACHED | \
> + MSM_BO_WC | \
> + MSM_BO_UNCACHED)
> +
> struct drm_msm_gem_new {
> uint64_t size; /* in */
> uint32_t flags; /* in, mask of MSM_BO_x */
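Review bot: `MSM_BO_FLAGS` carries no comment saying that it is the allow-list the ioctl validates against, so a later `MSM_BO_x` bit that is not added to it will be rejected with -EINVAL. The same applies to `MSM_PREP_FLAGS` and `MSM_SUBMIT_BO_FLAGS` in the next two hunks. A one-line comment above each mask would cover it, for example `/* all valid MSM_BO_x bits; the kernel rejects anything else, update when adding a flag */`. The mask also accepts `MSM_BO_CACHED`, `MSM_BO_WC` and `MSM_BO_UNCACHED` set together; whether that combination is rejected further down in msm_gem_new_handle is not visible in this patch and is worth confirming.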
> @@ -86,6 +92,8 @@ struct drm_msm_gem_info {
> #define MSM_PREP_WRITE 0x02
> #define MSM_PREP_NOSYNC 0x04
>
> +#define MSM_PREP_FLAGS (MSM_PREP_READ | MSM_PREP_WRITE | MSM_PREP_NOSYNC)
> +
> struct drm_msm_gem_cpu_prep {
> uint32_t handle; /* in */
> uint32_t op; /* in, mask of MSM_PREP_x */
> @@ -153,6 +161,9 @@ struct drm_msm_gem_submit_cmd {
> */
> #define MSM_SUBMIT_BO_READ 0x0001
> #define MSM_SUBMIT_BO_WRITE 0x0002
> +
> +#define MSM_SUBMIT_BO_FLAGS (MSM_SUBMIT_BO_READ | MSM_SUBMIT_BO_WRITE)
> +
> struct drm_msm_gem_submit_bo {
> uint32_t flags; /* in, mask of MSM_SUBMIT_BO_x */
> uint32_t handle; /* in, GEM handle */
>
--
The Qualcomm Innovation Center, Inc. is a member of Code Aurora Forum,
hosted by The Linux Foundation