On 03/10/2014 10:47 AM, Rob Clark wrote: > After reading a nice article on LWN[1], I went back and double checked > my handling of invalid-input checking. Turns out there were a couple > places I had missed. > > Since the driver is fairly young, and the devices it supports are really > only just barely usable for basic stuff (serial console) with an > upstream kernel, I think we should fix this now and revert specific > parts of this patch later in the unlikely event that a regression is > reported. > > [1] https://lwn.net/Articles/588444/ > > Signed-off-by: Rob Clark <robdclark at gmail.com>
Acked-by: Jordan Crouse <jcrouse at codeaurora.org>
> ---
> drivers/gpu/drm/msm/msm_drv.c | 20 +++++++++++++++++++-
> drivers/gpu/drm/msm/msm_gem_submit.c | 15 +++++++++++++--
> include/uapi/drm/msm_drm.h | 11 +++++++++++
> 3 files changed, 43 insertions(+), 3 deletions(-)
>
> diff --git a/drivers/gpu/drm/msm/msm_drv.c b/drivers/gpu/drm/msm/msm_drv.c
> index 9ffc275..eee8d37 100644
> --- a/drivers/gpu/drm/msm/msm_drv.c
> +++ b/drivers/gpu/drm/msm/msm_drv.c
> @@ -664,6 +664,12 @@ static int msm_ioctl_gem_new(struct drm_device *dev,
> void *data,
> struct drm_file *file)
> {
> struct drm_msm_gem_new *args = data;
> +
> + if (args->flags & ~MSM_BO_FLAGS) {
> + DRM_ERROR("invalid flags: %08x\n", args->flags);
> + return -EINVAL;
> + }
> +
> return msm_gem_new_handle(dev, file, args->size,
> args->flags, &args->handle);
> }
> @@ -677,6 +683,11 @@ static int msm_ioctl_gem_cpu_prep(struct drm_device
> *dev, void *data,
> struct drm_gem_object *obj;
> int ret;
>
> + if (args->op & ~MSM_PREP_FLAGS) {
> + DRM_ERROR("invalid op: %08x\n", args->op);
> + return -EINVAL;
> + }
> +
> obj = drm_gem_object_lookup(dev, file, args->handle);
> if (!obj)
> return -ENOENT;
> @@ -731,7 +742,14 @@ static int msm_ioctl_wait_fence(struct drm_device *dev,
> void *data,
> struct drm_file *file)
> {
> struct drm_msm_wait_fence *args = data;
> - return msm_wait_fence_interruptable(dev, args->fence,
> &TS(args->timeout));
> +
> + if (args->pad) {
> + DRM_ERROR("invalid pad: %08x\n", args->pad);
> + return -EINVAL;
> + }
> +
> + return msm_wait_fence_interruptable(dev, args->fence,
> + &TS(args->timeout));
> }
>
> static const struct drm_ioctl_desc msm_ioctls[] = {
> diff --git a/drivers/gpu/drm/msm/msm_gem_submit.c
> b/drivers/gpu/drm/msm/msm_gem_submit.c
> index 5423e91..1f1f4cf 100644
> --- a/drivers/gpu/drm/msm/msm_gem_submit.c
> +++ b/drivers/gpu/drm/msm/msm_gem_submit.c
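Review bot: The new rejection path in msm_ioctl_gem_new logs with `DRM_ERROR`, so a process that is allowed to issue this ioctl can fill the kernel log by repeating the call with invalid flags. A debug-level or rate-limited message keeps the diagnostic without handing userspace that lever, for example `DRM_DEBUG("invalid flags: %08x\n", args->flags);`. The same pattern is added in msm_ioctl_gem_cpu_prep, in msm_ioctl_wait_fence and in the `submit_cmd.type` switch of msm_ioctl_gem_submit, and the existing `DRM_ERROR("invalid flags: %x\n", submit_bo.flags)` in submit_lookup_objects has the same property.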
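Review bot: Rejecting a non-zero `args->pad` in msm_ioctl_wait_fence makes "pad must be zero" part of the ioctl contract, but the three msm_drm.h hunks in this commit only add flag masks, so that contract is not written down where userspace authors will read it. A comment on the pad field of struct drm_msm_wait_fence such as `/* in, must be zero */` would tell callers to clear the struct before the call. The struct definition itself is outside the visible hunks, so the current wording of its comment could not be checked.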
> @@ -23,7 +23,6 @@
> * Cmdstream submission:
> */
>
> -#define BO_INVALID_FLAGS ~(MSM_SUBMIT_BO_READ | MSM_SUBMIT_BO_WRITE)
> /* make sure these don't conflict w/ MSM_SUBMIT_BO_x */
> #define BO_VALID 0x8000
> #define BO_LOCKED 0x4000
> @@ -77,7 +76,7 @@ static int submit_lookup_objects(struct msm_gem_submit
> *submit,
> goto out_unlock;
> }
>
> - if (submit_bo.flags & BO_INVALID_FLAGS) {
> + if (submit_bo.flags & ~MSM_SUBMIT_BO_FLAGS) {
> DRM_ERROR("invalid flags: %x\n", submit_bo.flags);
> ret = -EINVAL;
> goto out_unlock;
> @@ -369,6 +368,18 @@ int msm_ioctl_gem_submit(struct drm_device *dev, void
> *data,
> goto out;
> }
>
> + /* validate input from userspace: */
> + switch (submit_cmd.type) {
> + case MSM_SUBMIT_CMD_BUF:
> + case MSM_SUBMIT_CMD_IB_TARGET_BUF:
> + case MSM_SUBMIT_CMD_CTX_RESTORE_BUF:
> + break;
> + default:
> + DRM_ERROR("invalid type: %08x\n", submit_cmd.type);
> + ret = -EINVAL;
> + goto out;
> + }
> +
> ret = submit_bo(submit, submit_cmd.submit_idx,
> &msm_obj, &iova, NULL);
> if (ret)
> diff --git a/include/uapi/drm/msm_drm.h b/include/uapi/drm/msm_drm.h
> index bf91a78..0664c31 100644
> --- a/include/uapi/drm/msm_drm.h
> +++ b/include/uapi/drm/msm_drm.h
> @@ -70,6 +70,12 @@ struct drm_msm_param {
> #define MSM_BO_WC 0x00020000
> #define MSM_BO_UNCACHED 0x00040000
>
> +#define MSM_BO_FLAGS (MSM_BO_SCANOUT | \
> + MSM_BO_GPU_READONLY | \
> + MSM_BO_CACHED | \
> + MSM_BO_WC | \
> + MSM_BO_UNCACHED)
> +
> struct drm_msm_gem_new {
> uint64_t size; /* in */
> uint32_t flags; /* in, mask of MSM_BO_x */
> @@ -86,6 +92,8 @@ struct drm_msm_gem_info {
> #define MSM_PREP_WRITE 0x02
> #define MSM_PREP_NOSYNC 0x04
>
> +#define MSM_PREP_FLAGS (MSM_PREP_READ | MSM_PREP_WRITE |
> MSM_PREP_NOSYNC)
> +
> struct drm_msm_gem_cpu_prep {
> uint32_t handle; /* in */
> uint32_t op; /* in, mask of MSM_PREP_x */
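Review bot: `MSM_BO_FLAGS` in the first msm_drm.h hunk ORs together `MSM_BO_CACHED`, `MSM_BO_WC` and `MSM_BO_UNCACHED`, which read as alternative cache modes, so the `args->flags & ~MSM_BO_FLAGS` test in msm_ioctl_gem_new still accepts a request that sets two or three of them at once. If msm_gem_new_handle does not already reject such combinations (its body is not part of this diff), the ioctl needs a second check on the cache-mode bits. At minimum the define deserves a comment such as `/* all defined bits; does not check that only one cache mode is set */` so the mask is not mistaken for full validation.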
> @@ -153,6 +161,9 @@ struct drm_msm_gem_submit_cmd {
> */
> #define MSM_SUBMIT_BO_READ 0x0001
> #define MSM_SUBMIT_BO_WRITE 0x0002
> +
> +#define MSM_SUBMIT_BO_FLAGS (MSM_SUBMIT_BO_READ |
> MSM_SUBMIT_BO_WRITE)
> +
> struct drm_msm_gem_submit_bo {
> uint32_t flags; /* in, mask of MSM_SUBMIT_BO_x */
> uint32_t handle; /* in, GEM handle */
> -- The Qualcomm Innovation Center, Inc. is a member of Code Aurora Forum, hosted by The Linux Foundation
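Review bot: With `MSM_SUBMIT_BO_FLAGS` now defined in the uapi header, the separation between userspace flag bits and the driver-internal `BO_VALID` (0x8000) and `BO_LOCKED` (0x4000) bits in msm_gem_submit.c is still enforced only by the comment "make sure these don't conflict w/ MSM_SUBMIT_BO_x". If those internal bits share the flags word with the userspace value, as the comment suggests, a future MSM_SUBMIT_BO_x bit that collides with them would pass the `~MSM_SUBMIT_BO_FLAGS` check and let a submit set what the driver treats as its own state. A compile-time assertion inside submit_lookup_objects, `BUILD_BUG_ON(MSM_SUBMIT_BO_FLAGS & (BO_VALID | BO_LOCKED));`, would turn the comment into an enforced invariant.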