From patchwork Fri Dec 21 19:47:38 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Yu Zhao X-Patchwork-Id: 10741789 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id EE3A06C2 for ; Sun, 23 Dec 2018 19:35:43 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id DFA6D2874C for ; Sun, 23 Dec 2018 19:35:43 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id D374C28762; Sun, 23 Dec 2018 19:35:43 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-5.2 required=2.0 tests=BAYES_00,DKIM_ADSP_CUSTOM_MED, MAILING_LIST_MULTI,RCVD_IN_DNSWL_MED autolearn=ham version=3.3.1 Received: from gabe.freedesktop.org (gabe.freedesktop.org [131.252.210.177]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.wl.linuxfoundation.org (Postfix) with ESMTPS id 91B9C2874C for ; Sun, 23 Dec 2018 19:35:43 +0000 (UTC) Received: from gabe.freedesktop.org (localhost [127.0.0.1]) by gabe.freedesktop.org (Postfix) with ESMTP id 321CC6E517; Sun, 23 Dec 2018 19:35:30 +0000 (UTC) X-Original-To: dri-devel@lists.freedesktop.org Delivered-To: dri-devel@lists.freedesktop.org Received: from mail-io1-xd43.google.com (mail-io1-xd43.google.com [IPv6:2607:f8b0:4864:20::d43]) by gabe.freedesktop.org (Postfix) with ESMTPS id 1E4B66E041 for ; Fri, 21 Dec 2018 19:48:38 +0000 (UTC) Received: by mail-io1-xd43.google.com with SMTP id k7so4541821iob.6 for ; Fri, 21 Dec 2018 11:48:38 -0800 (PST) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=OVSHWNk4j44/NEJZil+PbDIgCZZhA/ex4ZcaIDuIdNg=; b=CHsQDSp36DTdfezPSp7QRXWTXAsroumt+eWHx+i+lgajt/kGK3js/vwhLeqpCpU3Ot DtIbpl1KPAAKAifU1lBKQ5ZJq/tcVI2Hoz8Vyhzcdbr5ac4xpPmwyFF4IF6q5bhYQWLZ whiMZBRz5JDTLYicppEUldQcd0tzLUvFRH6BAzJpYo9HQ85Gw5l6WJIB2K0IN9LiCEqi /tuOcZ3COVXfvcpJxB7udfVfr7/+q6cbhkJ+2htVyh02T/3FWrgU8WHP09B6G218jnva XwKVDE5yvpssXdRMWzn1U4iSruQJKUDdUpWkDMU1hY9bQgdrxtyWLxhDiXyuie1lOLWS Od/A== X-Gm-Message-State: AJcUukc/VqjRCuRbcCBgWd/lAFl/UiU4Ho/Bx9TbgucHygNjlEu2QnmR S+UQkSHd5RfWjpyGRAMGV4pErw== X-Google-Smtp-Source: ALg8bN7EzMSdimFpeWv2OFnyN75T8884AgdZU/jmOV8UYdfZCL9mQXCzwJ9vlxNo+9Ff8YUqtjCPpw== X-Received: by 2002:a6b:8d11:: with SMTP id p17mr2611416iod.74.1545421717331; Fri, 21 Dec 2018 11:48:37 -0800 (PST) Received: from yuzhao.bld.corp.google.com ([2620:15c:183:0:a0c3:519e:9276:fc96]) by smtp.gmail.com with ESMTPSA id h14sm11157581ior.41.2018.12.21.11.48.36 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Fri, 21 Dec 2018 11:48:36 -0800 (PST) From: Yu Zhao To: David Airlie , Daniel Vetter , =?utf-8?q?Christian_K=C3=B6nig?= , Alex Deucher Subject: [PATCH v2 1/2] drm/amd: validate user pitch alignment Date: Fri, 21 Dec 2018 12:47:38 -0700 Message-Id: <20181221194739.25523-1-yuzhao@google.com> X-Mailer: git-send-email 2.20.1.415.g653613c723-goog In-Reply-To: <20181221031053.240161-2-yuzhao@google.com> References: <20181221031053.240161-2-yuzhao@google.com> MIME-Version: 1.0 X-Mailman-Approved-At: Sun, 23 Dec 2018 19:35:28 +0000 X-BeenThere: dri-devel@lists.freedesktop.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: Direct Rendering Infrastructure - Development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: dri-devel@lists.freedesktop.org, Daniel Stone , linux-kernel@vger.kernel.org, Samuel Li , amd-gfx@lists.freedesktop.org, Junwei Zhang , Yu Zhao Errors-To: dri-devel-bounces@lists.freedesktop.org Sender: "dri-devel" X-Virus-Scanned: ClamAV using ClamSMTP Userspace may request pitch alignment that is not supported by GPU. Some requests 32, but GPU ignores it and uses default 64 when cpp is 4. If GEM object is allocated based on the smaller alignment, GPU DMA will go out of bound. For GPU that does frame buffer compression, DMA writing out of bound memory will cause memory corruption. Signed-off-by: Yu Zhao --- drivers/gpu/drm/amd/amdgpu/amdgpu_display.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_display.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_display.c index 686a26de50f9..883a4df2386d 100644 --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_display.c +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_display.c @@ -527,6 +527,15 @@ amdgpu_display_user_framebuffer_create(struct drm_device *dev, struct drm_gem_object *obj; struct amdgpu_framebuffer *amdgpu_fb; int ret; + struct amdgpu_device *adev = dev->dev_private; + int cpp = drm_format_plane_cpp(mode_cmd->pixel_format, 0); + int pitch = amdgpu_align_pitch(adev, mode_cmd->pitches[0], cpp, false); + + if (mode_cmd->pitches[0] != pitch) { + DRM_DEBUG_KMS("Invalid pitch: expecting %d but got %d\n", + pitch, mode_cmd->pitches[0]); + return ERR_PTR(-EINVAL); + } obj = drm_gem_object_lookup(file_priv, mode_cmd->handles[0]); if (obj == NULL) {