From patchwork Sun Dec 23 21:52:38 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Yu Zhao X-Patchwork-Id: 10742181 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 29E766C2 for ; Mon, 24 Dec 2018 10:52:28 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 19F1E28C13 for ; Mon, 24 Dec 2018 10:52:28 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 0E5DA28C15; Mon, 24 Dec 2018 10:52:28 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-5.2 required=2.0 tests=BAYES_00,DKIM_ADSP_CUSTOM_MED, MAILING_LIST_MULTI,RCVD_IN_DNSWL_MED autolearn=ham version=3.3.1 Received: from gabe.freedesktop.org (gabe.freedesktop.org [131.252.210.177]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.wl.linuxfoundation.org (Postfix) with ESMTPS id C303428C13 for ; Mon, 24 Dec 2018 10:52:27 +0000 (UTC) Received: from gabe.freedesktop.org (localhost [127.0.0.1]) by gabe.freedesktop.org (Postfix) with ESMTP id B71396E586; Mon, 24 Dec 2018 10:52:15 +0000 (UTC) X-Original-To: dri-devel@lists.freedesktop.org Delivered-To: dri-devel@lists.freedesktop.org Received: from mail-io1-xd41.google.com (mail-io1-xd41.google.com [IPv6:2607:f8b0:4864:20::d41]) by gabe.freedesktop.org (Postfix) with ESMTPS id AF8B56E048 for ; Sun, 23 Dec 2018 21:52:46 +0000 (UTC) Received: by mail-io1-xd41.google.com with SMTP id r7so736390iog.4 for ; Sun, 23 Dec 2018 13:52:46 -0800 (PST) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=XygzaLnlh8fA4HxjIg+gRtTOPZSyENnxsvJMnBxmHwE=; b=hQEp2VJ2LZtVYWUn+YKqOKlSKoMdtBhPk0JacPiunZfoWZQs53QX+Vb84rYb6k4e5o WJ09xe8uLVJAPgmuGsxg3Jig6xe8DIBPzSZqhPNFjtsxFKFLOa6mrPzlcuuKvpw9376R MTF2/WoRroOXGLkuzprKjgL8VQ40+AotcxS0INVzEry0cJzw8G4fZxGsq8y+0aY2djI3 2MBIA24Ai1PF63zMAz9gp8n7TsJIPMzb7zgUJ7wYUdWVhachiYs9VlsstVCYGxFyTQI8 lx4pbyjqCwA4FKvKc6g5L42Stl5Q1OCirn+RQ1+A0/FOoM1CPBSL1NOr6GlOc942yqa7 WAzg== X-Gm-Message-State: AJcUukfKA+cJJIgxbBtNKdfnqyO1IM49bd7zBpcNaZTlfKjDPLWixyBA JYrmNzA9agZxeOfc2Wa/f+gAVA== X-Google-Smtp-Source: ALg8bN6ZJ1Ux5od/pGxwoVH1E5XiRYEa+BvmZn+u1HXAMxUVHFafMX6xGGe3TGPdo8amHA5GfGQ86Q== X-Received: by 2002:a6b:ee16:: with SMTP id i22mr7203946ioh.124.1545601966020; Sun, 23 Dec 2018 13:52:46 -0800 (PST) Received: from yuzhao.bld.corp.google.com ([2620:15c:183:0:a0c3:519e:9276:fc96]) by smtp.gmail.com with ESMTPSA id v74sm10386881ita.27.2018.12.23.13.52.44 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Sun, 23 Dec 2018 13:52:45 -0800 (PST) From: Yu Zhao To: David Airlie , Daniel Vetter , =?utf-8?q?Christian_K=C3=B6nig?= , Alex Deucher Subject: [PATCH v4 1/2] drm/amd: validate user pitch alignment Date: Sun, 23 Dec 2018 14:52:38 -0700 Message-Id: <20181223215239.173339-1-yuzhao@google.com> X-Mailer: git-send-email 2.20.1.415.g653613c723-goog In-Reply-To: <20181222192712.9420-1-yuzhao@google.com> References: <20181222192712.9420-1-yuzhao@google.com> MIME-Version: 1.0 X-Mailman-Approved-At: Mon, 24 Dec 2018 10:52:02 +0000 X-BeenThere: dri-devel@lists.freedesktop.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: Direct Rendering Infrastructure - Development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Daniel Stone , dri-devel@lists.freedesktop.org, linux-kernel@vger.kernel.org, amd-gfx@lists.freedesktop.org, Samuel Li , Junwei Zhang , stable@vger.kernel.org, Yu Zhao Errors-To: dri-devel-bounces@lists.freedesktop.org Sender: "dri-devel" X-Virus-Scanned: ClamAV using ClamSMTP Userspace may request pitch alignment that is not supported by GPU. Some requests 32, but GPU ignores it and uses default 64 when cpp is 4. If GEM object is allocated based on the smaller alignment, GPU DMA will go out of bound. For GPU that does frame buffer compression, DMA writing out of bound memory will cause memory corruption. Cc: stable@vger.kernel.org # v4.2+ Signed-off-by: Yu Zhao --- drivers/gpu/drm/amd/amdgpu/amdgpu_display.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_display.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_display.c index 686a26de50f9..af0626a2b528 100644 --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_display.c +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_display.c @@ -527,6 +527,15 @@ amdgpu_display_user_framebuffer_create(struct drm_device *dev, struct drm_gem_object *obj; struct amdgpu_framebuffer *amdgpu_fb; int ret; + struct amdgpu_device *adev = dev->dev_private; + int cpp = drm_format_plane_cpp(mode_cmd->pixel_format, 0); + int pitch = amdgpu_align_pitch(adev, mode_cmd->width, cpp, false); + + if (mode_cmd->pitches[0] != pitch) { + DRM_DEBUG_KMS("Invalid pitch: expecting %d but got %d\n", + pitch, mode_cmd->pitches[0]); + return ERR_PTR(-EINVAL); + } obj = drm_gem_object_lookup(file_priv, mode_cmd->handles[0]); if (obj == NULL) { From patchwork Sun Dec 23 21:52:39 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Yu Zhao X-Patchwork-Id: 10742173 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 5EC3C6C2 for ; Mon, 24 Dec 2018 10:52:22 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 4E62A28C13 for ; Mon, 24 Dec 2018 10:52:22 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 42AB928C15; Mon, 24 Dec 2018 10:52:22 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-5.2 required=2.0 tests=BAYES_00,DKIM_ADSP_CUSTOM_MED, MAILING_LIST_MULTI,RCVD_IN_DNSWL_MED autolearn=ham version=3.3.1 Received: from gabe.freedesktop.org (gabe.freedesktop.org [131.252.210.177]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.wl.linuxfoundation.org (Postfix) with ESMTPS id 0238428C13 for ; Mon, 24 Dec 2018 10:52:22 +0000 (UTC) Received: from gabe.freedesktop.org (localhost [127.0.0.1]) by gabe.freedesktop.org (Postfix) with ESMTP id 97BF36E57F; Mon, 24 Dec 2018 10:52:14 +0000 (UTC) X-Original-To: dri-devel@lists.freedesktop.org Delivered-To: dri-devel@lists.freedesktop.org Received: from mail-it1-x141.google.com (mail-it1-x141.google.com [IPv6:2607:f8b0:4864:20::141]) by gabe.freedesktop.org (Postfix) with ESMTPS id 8A0716E52A for ; Sun, 23 Dec 2018 21:52:54 +0000 (UTC) Received: by mail-it1-x141.google.com with SMTP id w18so13997135ite.1 for ; Sun, 23 Dec 2018 13:52:54 -0800 (PST) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=C4T60ebSd3XIwaQkfiltqImM3j39ie8rJCcw2QWQ+cE=; b=nW2DEYSTTWhtfgn+h/9+gjJAJ7nV7uKYYmPh+lVqG7yu5/R8OnosgbgbRmz7QhTGcf BpKzx0I8Fk5CkEQ07bY1YAE+srK2DsquTirkXkUXahuz8WyzlcVNGtOYkYsGozwlyQhj BQqBe1dO2Q3zkMqE38BJMMyspJDimPzsJ+U3NLD8SMefxpSQdny1WyBS84YIDYO/eeke 4ejw7lba6n5BRKF6O0TTf/PX5QUh/xFyD/f3Ki76kFYo4B4i82oNkf21h0F3whQZwqVC tVcS5tPCI2O2QcqdbEoxOvDgb1mWreIQRNHAmbMjLMgtul1AW5E/RZwAORsg3JMFZG0a dxWQ== X-Gm-Message-State: AA+aEWZWBAI7HoOOHwCq54eFepvStIPv3DTwKhe6lHCE9pgTgPB/xwME t3b0M0RcF9tYUuO2b0v658eZpQ== X-Google-Smtp-Source: ALg8bN5eaPeMB6wtGxTyPsVHIjBWbJ3noWa+b7wMn1wFlFQ6EWxGO3Y1wQN6EW3JzLyfmKWVWfrm1g== X-Received: by 2002:a24:878c:: with SMTP id f134mr7405915ite.81.1545601973690; Sun, 23 Dec 2018 13:52:53 -0800 (PST) Received: from yuzhao.bld.corp.google.com ([2620:15c:183:0:a0c3:519e:9276:fc96]) by smtp.gmail.com with ESMTPSA id v74sm10386881ita.27.2018.12.23.13.52.52 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Sun, 23 Dec 2018 13:52:53 -0800 (PST) From: Yu Zhao To: David Airlie , Daniel Vetter , =?utf-8?q?Christian_K=C3=B6nig?= , Alex Deucher Subject: [PATCH v4 2/2] drm/amd: validate user GEM object size Date: Sun, 23 Dec 2018 14:52:39 -0700 Message-Id: <20181223215239.173339-2-yuzhao@google.com> X-Mailer: git-send-email 2.20.1.415.g653613c723-goog In-Reply-To: <20181223215239.173339-1-yuzhao@google.com> References: <20181222192712.9420-1-yuzhao@google.com> <20181223215239.173339-1-yuzhao@google.com> MIME-Version: 1.0 X-Mailman-Approved-At: Mon, 24 Dec 2018 10:52:02 +0000 X-BeenThere: dri-devel@lists.freedesktop.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: Direct Rendering Infrastructure - Development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Daniel Stone , dri-devel@lists.freedesktop.org, linux-kernel@vger.kernel.org, amd-gfx@lists.freedesktop.org, Samuel Li , Junwei Zhang , stable@vger.kernel.org, Yu Zhao Errors-To: dri-devel-bounces@lists.freedesktop.org Sender: "dri-devel" X-Virus-Scanned: ClamAV using ClamSMTP When creating frame buffer, userspace may request to attach to a previously allocated GEM object that is smaller than what GPU requires. Validation must be done to prevent out-of-bound DMA, which could not only corrupt memory but also reveal sensitive data. This fix is not done in a common code path because individual driver might have different requirement. Cc: stable@vger.kernel.org # v4.2+ Signed-off-by: Yu Zhao --- drivers/gpu/drm/amd/amdgpu/amdgpu_display.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_display.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_display.c index af0626a2b528..9aa23cb20873 100644 --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_display.c +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_display.c @@ -527,6 +527,7 @@ amdgpu_display_user_framebuffer_create(struct drm_device *dev, struct drm_gem_object *obj; struct amdgpu_framebuffer *amdgpu_fb; int ret; + int height; struct amdgpu_device *adev = dev->dev_private; int cpp = drm_format_plane_cpp(mode_cmd->pixel_format, 0); int pitch = amdgpu_align_pitch(adev, mode_cmd->width, cpp, false); @@ -550,6 +551,13 @@ amdgpu_display_user_framebuffer_create(struct drm_device *dev, return ERR_PTR(-EINVAL); } + height = ALIGN(mode_cmd->height, 8); + if (obj->size < pitch * height) { + DRM_DEBUG_KMS("Invalid GEM size: expecting >= %d but got %zu\n", + pitch * height, obj->size); + return ERR_PTR(-EINVAL); + } + amdgpu_fb = kzalloc(sizeof(*amdgpu_fb), GFP_KERNEL); if (amdgpu_fb == NULL) { drm_gem_object_put_unlocked(obj);