From patchwork Sat Dec 22 19:27:11 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Yu Zhao X-Patchwork-Id: 10741793 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id EA0BC6C2 for ; Sun, 23 Dec 2018 19:35:48 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id DA2D32874C for ; Sun, 23 Dec 2018 19:35:48 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id CE9E028762; Sun, 23 Dec 2018 19:35:48 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-5.2 required=2.0 tests=BAYES_00,DKIM_ADSP_CUSTOM_MED, MAILING_LIST_MULTI,RCVD_IN_DNSWL_MED autolearn=ham version=3.3.1 Received: from gabe.freedesktop.org (gabe.freedesktop.org [131.252.210.177]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.wl.linuxfoundation.org (Postfix) with ESMTPS id 957162874C for ; Sun, 23 Dec 2018 19:35:48 +0000 (UTC) Received: from gabe.freedesktop.org (localhost [127.0.0.1]) by gabe.freedesktop.org (Postfix) with ESMTP id 8FFF46E51E; Sun, 23 Dec 2018 19:35:31 +0000 (UTC) X-Original-To: dri-devel@lists.freedesktop.org Delivered-To: dri-devel@lists.freedesktop.org Received: from mail-io1-xd43.google.com (mail-io1-xd43.google.com [IPv6:2607:f8b0:4864:20::d43]) by gabe.freedesktop.org (Postfix) with ESMTPS id 1A8D46E3F6 for ; Sat, 22 Dec 2018 19:27:19 +0000 (UTC) Received: by mail-io1-xd43.google.com with SMTP id v10so6345155ios.13 for ; Sat, 22 Dec 2018 11:27:19 -0800 (PST) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=rPTzuq2SmsgI0TyOi5Xd0ry0MyhbhpYqnj0R4kWWcY4=; b=K2BoS84yu+NBAJGZYgY9A5vD6aM1NKr6CG5RFh8JNhKH6IwFVmEZMWtnILuWSgofjN kR2LB4BFkiWetTNXRbEJpMdl2jMmfAomMDxuVe/mo0f66FDmpC7CXQ0P8R80Cu+KmBSC WvEGL/+w1zjLqoU4DXNmvflHYLwDMrOZjxS/QDMYmrEUGJYtnmO89FXgXsplBeiv6pt+ JzSMBHr3rxpLVdMy1pXjQeZfa4Ct7RGXlhBq2vWsAIWSyq3HBsCVCK/703IT3LusjkjP ZKKM1ufrZzVWFwB2Ey4SBhe2VYIuyD4f2qQYBYfBKQFizhGBOkP6yFdbBE3Zp/KNPJus aPpw== X-Gm-Message-State: AJcUukeT62yR4jugySyFkdABnlw+Nzz2nyglmVcWFv38L/QHcjqMU1JD FWHPj+MkW7fTBZkVTKZBJHjjxg== X-Google-Smtp-Source: ALg8bN4+6fnifNIvIshPWxwszkjief4rv+Dqp+bdyYC0TlNFe+FWm6uWiyi2cLD5nmHGOs/Jye4SRg== X-Received: by 2002:a6b:1411:: with SMTP id 17mr5159065iou.252.1545506838135; Sat, 22 Dec 2018 11:27:18 -0800 (PST) Received: from yuzhao.bld.corp.google.com ([2620:15c:183:0:a0c3:519e:9276:fc96]) by smtp.gmail.com with ESMTPSA id y23sm10377045ita.1.2018.12.22.11.27.16 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Sat, 22 Dec 2018 11:27:17 -0800 (PST) From: Yu Zhao To: David Airlie , Daniel Vetter , =?utf-8?q?Christian_K=C3=B6nig?= , Alex Deucher Subject: [PATCH v3 1/2] drm/amd: validate user pitch alignment Date: Sat, 22 Dec 2018 12:27:11 -0700 Message-Id: <20181222192712.9420-1-yuzhao@google.com> X-Mailer: git-send-email 2.20.1.415.g653613c723-goog In-Reply-To: <20181221194739.25523-1-yuzhao@google.com> References: <20181221194739.25523-1-yuzhao@google.com> MIME-Version: 1.0 X-Mailman-Approved-At: Sun, 23 Dec 2018 19:35:28 +0000 X-BeenThere: dri-devel@lists.freedesktop.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: Direct Rendering Infrastructure - Development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Daniel Stone , dri-devel@lists.freedesktop.org, linux-kernel@vger.kernel.org, amd-gfx@lists.freedesktop.org, Samuel Li , Junwei Zhang , stable@vger.kernel.org, Yu Zhao Errors-To: dri-devel-bounces@lists.freedesktop.org Sender: "dri-devel" X-Virus-Scanned: ClamAV using ClamSMTP Userspace may request pitch alignment that is not supported by GPU. Some requests 32, but GPU ignores it and uses default 64 when cpp is 4. If GEM object is allocated based on the smaller alignment, GPU DMA will go out of bound. For GPU that does frame buffer compression, DMA writing out of bound memory will cause memory corruption. Cc: stable@vger.kernel.org # v4.2+ Signed-off-by: Yu Zhao --- drivers/gpu/drm/amd/amdgpu/amdgpu_display.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_display.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_display.c index 686a26de50f9..883a4df2386d 100644 --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_display.c +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_display.c @@ -527,6 +527,15 @@ amdgpu_display_user_framebuffer_create(struct drm_device *dev, struct drm_gem_object *obj; struct amdgpu_framebuffer *amdgpu_fb; int ret; + struct amdgpu_device *adev = dev->dev_private; + int cpp = drm_format_plane_cpp(mode_cmd->pixel_format, 0); + int pitch = amdgpu_align_pitch(adev, mode_cmd->pitches[0], cpp, false); + + if (mode_cmd->pitches[0] != pitch) { + DRM_DEBUG_KMS("Invalid pitch: expecting %d but got %d\n", + pitch, mode_cmd->pitches[0]); + return ERR_PTR(-EINVAL); + } obj = drm_gem_object_lookup(file_priv, mode_cmd->handles[0]); if (obj == NULL) {