@@ -41,6 +41,8 @@
*/
#define DPU_DEBUGFS_DIR "msm_dpu"
#define DPU_DEBUGFS_HWMASKNAME "hw_log_mask"
+#define MAX_BLOB_PROP_SIZE (PAGE_SIZE * 30)
+#define MAX_BLOB_PROP_COUNT 250
static int dpu_kms_hw_init(struct msm_kms *kms);
static void _dpu_kms_mmu_destroy(struct dpu_kms *dpu_kms);
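Review bot: `MAX_BLOB_PROP_SIZE` is derived from `PAGE_SIZE`, so the memory bound this patch enforces changes with the kernel's page size: 250 blobs of 30 pages is about 29 MiB at 4 KiB pages and about 469 MiB at 64 KiB pages. Since the goal is to cap what a client can allocate, a fixed byte limit such as `#define MAX_BLOB_PROP_SIZE (30 * SZ_4K)` would behave the same on every configuration (this needs `<linux/sizes.h>`, which may or may not already be included here). The two defines also land directly under the debugfs name macros with no comment of their own. A line such as `/* Upper bounds on userspace-created property blobs */` above them, and a `DPU_` prefix to match the neighbouring macros, would make their purpose clear.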
@@ -544,6 +546,17 @@ static int _dpu_kms_drm_obj_init(struct dpu_kms *dpu_kms)
return ret;
}
+static int dpu_kms_createblob_check(unsigned int count, size_t length)
+{
+ if (count >= MAX_BLOB_PROP_COUNT)
+ return -EINVAL;
+
+ if (length > MAX_BLOB_PROP_SIZE)
+ return -EINVAL;
+
+ return 0;
+}
+
static long dpu_kms_round_pixclk(struct msm_kms *kms, unsigned long rate,
struct drm_encoder *encoder)
{
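Review bot: The two limits in `dpu_kms_createblob_check` use different boundary conventions, `count >= MAX_BLOB_PROP_COUNT` against `length > MAX_BLOB_PROP_SIZE`, and nothing states what `count` represents. If the caller passes the number of blobs that already exist, `>=` permits exactly 250; if it passes the number including the new blob, the cap is 249. The caller is outside this diff, so it is also not visible whether `count` is tracked per client, as the commit message implies, or device-wide, in which case one client could use up the quota for all others. A kernel-doc comment on the function would pin the contract, for example `@count: blobs the calling client currently holds`, `@length: size in bytes of the blob being created`, and `Return: 0 if allowed, -EINVAL if either limit is exceeded`.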
@@ -683,6 +696,7 @@ static const struct msm_kms_funcs kms_funcs = {
#ifdef CONFIG_DEBUG_FS
.debugfs_init = dpu_kms_debugfs_init,
#endif
+ .createblob_check = dpu_kms_createblob_check,
};
static void _dpu_kms_mmu_destroy(struct dpu_kms *dpu_kms)
Limit the blob size and number of blobs that can be allocated by a client. This prevents fuzzers from abusing this ioctl and exhausting the system memory.
Signed-off-by: Steve Cohen <cohens@codeaurora.org>
---
drivers/gpu/drm/msm/disp/dpu1/dpu_kms.c | 14 ++++++++++++++
1 file changed, 14 insertions(+)