From patchwork Sat Dec 22 19:27:11 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Yu Zhao X-Patchwork-Id: 10741793 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id EA0BC6C2 for ; Sun, 23 Dec 2018 19:35:48 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id DA2D32874C for ; Sun, 23 Dec 2018 19:35:48 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id CE9E028762; Sun, 23 Dec 2018 19:35:48 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-5.2 required=2.0 tests=BAYES_00,DKIM_ADSP_CUSTOM_MED, MAILING_LIST_MULTI,RCVD_IN_DNSWL_MED autolearn=ham version=3.3.1 Received: from gabe.freedesktop.org (gabe.freedesktop.org [131.252.210.177]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.wl.linuxfoundation.org (Postfix) with ESMTPS id 957162874C for ; Sun, 23 Dec 2018 19:35:48 +0000 (UTC) Received: from gabe.freedesktop.org (localhost [127.0.0.1]) by gabe.freedesktop.org (Postfix) with ESMTP id 8FFF46E51E; Sun, 23 Dec 2018 19:35:31 +0000 (UTC) X-Original-To: dri-devel@lists.freedesktop.org Delivered-To: dri-devel@lists.freedesktop.org Received: from mail-io1-xd43.google.com (mail-io1-xd43.google.com [IPv6:2607:f8b0:4864:20::d43]) by gabe.freedesktop.org (Postfix) with ESMTPS id 1A8D46E3F6 for ; Sat, 22 Dec 2018 19:27:19 +0000 (UTC) Received: by mail-io1-xd43.google.com with SMTP id v10so6345155ios.13 for ; Sat, 22 Dec 2018 11:27:19 -0800 (PST) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=rPTzuq2SmsgI0TyOi5Xd0ry0MyhbhpYqnj0R4kWWcY4=; b=K2BoS84yu+NBAJGZYgY9A5vD6aM1NKr6CG5RFh8JNhKH6IwFVmEZMWtnILuWSgofjN kR2LB4BFkiWetTNXRbEJpMdl2jMmfAomMDxuVe/mo0f66FDmpC7CXQ0P8R80Cu+KmBSC WvEGL/+w1zjLqoU4DXNmvflHYLwDMrOZjxS/QDMYmrEUGJYtnmO89FXgXsplBeiv6pt+ JzSMBHr3rxpLVdMy1pXjQeZfa4Ct7RGXlhBq2vWsAIWSyq3HBsCVCK/703IT3LusjkjP ZKKM1ufrZzVWFwB2Ey4SBhe2VYIuyD4f2qQYBYfBKQFizhGBOkP6yFdbBE3Zp/KNPJus aPpw== X-Gm-Message-State: AJcUukeT62yR4jugySyFkdABnlw+Nzz2nyglmVcWFv38L/QHcjqMU1JD FWHPj+MkW7fTBZkVTKZBJHjjxg== X-Google-Smtp-Source: ALg8bN4+6fnifNIvIshPWxwszkjief4rv+Dqp+bdyYC0TlNFe+FWm6uWiyi2cLD5nmHGOs/Jye4SRg== X-Received: by 2002:a6b:1411:: with SMTP id 17mr5159065iou.252.1545506838135; Sat, 22 Dec 2018 11:27:18 -0800 (PST) Received: from yuzhao.bld.corp.google.com ([2620:15c:183:0:a0c3:519e:9276:fc96]) by smtp.gmail.com with ESMTPSA id y23sm10377045ita.1.2018.12.22.11.27.16 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Sat, 22 Dec 2018 11:27:17 -0800 (PST) From: Yu Zhao To: David Airlie , Daniel Vetter , =?utf-8?q?Christian_K=C3=B6nig?= , Alex Deucher Subject: [PATCH v3 1/2] drm/amd: validate user pitch alignment Date: Sat, 22 Dec 2018 12:27:11 -0700 Message-Id: <20181222192712.9420-1-yuzhao@google.com> X-Mailer: git-send-email 2.20.1.415.g653613c723-goog In-Reply-To: <20181221194739.25523-1-yuzhao@google.com> References: <20181221194739.25523-1-yuzhao@google.com> MIME-Version: 1.0 X-Mailman-Approved-At: Sun, 23 Dec 2018 19:35:28 +0000 X-BeenThere: dri-devel@lists.freedesktop.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: Direct Rendering Infrastructure - Development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Daniel Stone , dri-devel@lists.freedesktop.org, linux-kernel@vger.kernel.org, amd-gfx@lists.freedesktop.org, Samuel Li , Junwei Zhang , stable@vger.kernel.org, Yu Zhao Errors-To: dri-devel-bounces@lists.freedesktop.org Sender: "dri-devel" X-Virus-Scanned: ClamAV using ClamSMTP Userspace may request pitch alignment that is not supported by GPU. Some requests 32, but GPU ignores it and uses default 64 when cpp is 4. If GEM object is allocated based on the smaller alignment, GPU DMA will go out of bound. For GPU that does frame buffer compression, DMA writing out of bound memory will cause memory corruption. Cc: stable@vger.kernel.org # v4.2+ Signed-off-by: Yu Zhao --- drivers/gpu/drm/amd/amdgpu/amdgpu_display.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_display.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_display.c index 686a26de50f9..883a4df2386d 100644 --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_display.c +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_display.c @@ -527,6 +527,15 @@ amdgpu_display_user_framebuffer_create(struct drm_device *dev, struct drm_gem_object *obj; struct amdgpu_framebuffer *amdgpu_fb; int ret; + struct amdgpu_device *adev = dev->dev_private; + int cpp = drm_format_plane_cpp(mode_cmd->pixel_format, 0); + int pitch = amdgpu_align_pitch(adev, mode_cmd->pitches[0], cpp, false); + + if (mode_cmd->pitches[0] != pitch) { + DRM_DEBUG_KMS("Invalid pitch: expecting %d but got %d\n", + pitch, mode_cmd->pitches[0]); + return ERR_PTR(-EINVAL); + } obj = drm_gem_object_lookup(file_priv, mode_cmd->handles[0]); if (obj == NULL) { From patchwork Sat Dec 22 19:27:12 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Yu Zhao X-Patchwork-Id: 10741797 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 7E5CD6C2 for ; Sun, 23 Dec 2018 19:35:52 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 6FDA12874C for ; Sun, 23 Dec 2018 19:35:52 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 63F5E28762; Sun, 23 Dec 2018 19:35:52 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-5.2 required=2.0 tests=BAYES_00,DKIM_ADSP_CUSTOM_MED, MAILING_LIST_MULTI,RCVD_IN_DNSWL_MED autolearn=ham version=3.3.1 Received: from gabe.freedesktop.org (gabe.freedesktop.org [131.252.210.177]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.wl.linuxfoundation.org (Postfix) with ESMTPS id 25A162874C for ; Sun, 23 Dec 2018 19:35:52 +0000 (UTC) Received: from gabe.freedesktop.org (localhost [127.0.0.1]) by gabe.freedesktop.org (Postfix) with ESMTP id 8DBBF6E514; Sun, 23 Dec 2018 19:35:32 +0000 (UTC) X-Original-To: dri-devel@lists.freedesktop.org Delivered-To: dri-devel@lists.freedesktop.org Received: from mail-it1-x141.google.com (mail-it1-x141.google.com [IPv6:2607:f8b0:4864:20::141]) by gabe.freedesktop.org (Postfix) with ESMTPS id 2F6B26E3F6 for ; Sat, 22 Dec 2018 19:27:20 +0000 (UTC) Received: by mail-it1-x141.google.com with SMTP id i145so11597326ita.4 for ; Sat, 22 Dec 2018 11:27:20 -0800 (PST) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=zFwfU0xFXcufPFumdupMa7jS24fXn34AP1pLKb4kCHc=; b=o8QUpA8EQ41g6WgnYw7WCgGQlx0RFK6Qv0j2ICj2T8LYVkugyi9ISsub0Bo+xDD330 fdi0hRhi3fZZ9qr3Qk5T5xV0G2S/gNnlMJMAv+CNS9JoOoJz5sCLbKH+SCd+VlJhbY1Z cLebjula53ZPwSmuZ2lkQBVWEZHxbhly4J34XUs1Rltnd3XO8RhByWMuQ64UJ97AbZdV 6SEvvaVQrdrTXzQBuFWFFZ39uQiTdIlT0pHv/+LpoXmXfza425psQAOi3KeWSl1Z7lE1 aGEO1xLj+gMkS7W6CnDeN84b5vYvRaZmsvp0QLinbaCzZnkNkQJUMmSQUeuAI8QUZZF6 XnuQ== X-Gm-Message-State: AA+aEWZojCZFWXnOojtId6JF6+gJUm7hX220dG1axM19RtpHX3UnUFqe 3hYL4L8+eeBYRs1xQYKKnMAwDA== X-Google-Smtp-Source: AFSGD/XE9Yqmag/ApeSRSul62xM712ZoAzSsbhqpJPVrnQ8mVJFTO9lBNDNH1rKSmuH5HSGb/3bSgA== X-Received: by 2002:a02:7a58:: with SMTP id z24mr5086061jad.22.1545506839427; Sat, 22 Dec 2018 11:27:19 -0800 (PST) Received: from yuzhao.bld.corp.google.com ([2620:15c:183:0:a0c3:519e:9276:fc96]) by smtp.gmail.com with ESMTPSA id y23sm10377045ita.1.2018.12.22.11.27.18 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Sat, 22 Dec 2018 11:27:18 -0800 (PST) From: Yu Zhao To: David Airlie , Daniel Vetter , =?utf-8?q?Christian_K=C3=B6nig?= , Alex Deucher Subject: [PATCH v3 2/2] drm/amd: validate user GEM object size Date: Sat, 22 Dec 2018 12:27:12 -0700 Message-Id: <20181222192712.9420-2-yuzhao@google.com> X-Mailer: git-send-email 2.20.1.415.g653613c723-goog In-Reply-To: <20181222192712.9420-1-yuzhao@google.com> References: <20181221194739.25523-1-yuzhao@google.com> <20181222192712.9420-1-yuzhao@google.com> MIME-Version: 1.0 X-Mailman-Approved-At: Sun, 23 Dec 2018 19:35:28 +0000 X-BeenThere: dri-devel@lists.freedesktop.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: Direct Rendering Infrastructure - Development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Daniel Stone , dri-devel@lists.freedesktop.org, linux-kernel@vger.kernel.org, amd-gfx@lists.freedesktop.org, Samuel Li , Junwei Zhang , stable@vger.kernel.org, Yu Zhao Errors-To: dri-devel-bounces@lists.freedesktop.org Sender: "dri-devel" X-Virus-Scanned: ClamAV using ClamSMTP When creating frame buffer, userspace may request to attach to a previously allocated GEM object that is smaller than what GPU requires. Validation must be done to prevent out-of-bound DMA, which could not only corrupt memory but also reveal sensitive data. This fix is not done in a common code path because individual driver might have different requirement. Cc: stable@vger.kernel.org # v4.2+ Signed-off-by: Yu Zhao --- drivers/gpu/drm/amd/amdgpu/amdgpu_display.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_display.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_display.c index 883a4df2386d..a58fb8e021c6 100644 --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_display.c +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_display.c @@ -527,6 +527,7 @@ amdgpu_display_user_framebuffer_create(struct drm_device *dev, struct drm_gem_object *obj; struct amdgpu_framebuffer *amdgpu_fb; int ret; + int height; struct amdgpu_device *adev = dev->dev_private; int cpp = drm_format_plane_cpp(mode_cmd->pixel_format, 0); int pitch = amdgpu_align_pitch(adev, mode_cmd->pitches[0], cpp, false); @@ -550,6 +551,13 @@ amdgpu_display_user_framebuffer_create(struct drm_device *dev, return ERR_PTR(-EINVAL); } + height = ALIGN(mode_cmd->height, 8); + if (obj->size < pitch * height) { + DRM_DEBUG_KMS("Invalid GEM size: expecting >= %d but got %zu\n", + pitch * height, obj->size); + return ERR_PTR(-EINVAL); + } + amdgpu_fb = kzalloc(sizeof(*amdgpu_fb), GFP_KERNEL); if (amdgpu_fb == NULL) { drm_gem_object_put_unlocked(obj);