drm/msm: validate flags, etc

After reading a nice article on LWN[1], I went back and double checked my handling of invalid-input checking. Turns out there were a couple places I had missed. Since the driver is fairly young, and the devices it supports are really only just barely usable for basic stuff (serial console) with an upstream kernel, I think we should fix this now and revert specific parts of this patch later in the unlikely event that a regression is reported. [1] https://lwn.net/Articles/588444/ Signed-off-by: Rob Clark <robdclark@gmail.com>
author: Rob Clark <robdclark@gmail.com> 2014-03-03 09:42:33 -0500
committer: Rob Clark <robdclark@gmail.com> 2014-03-31 10:27:46 -0400
commit: 93ddb0d3b022dfbd963f243bd01741643cebfb28 (patch)
tree: c8493b496943e3f6329847229a75a1d1a82db293
parent: 060530f1ea6740eb767085008d183f89ccdd289c (diff)
3 files changed, 43 insertions, 3 deletions
diff --git a/drivers/gpu/drm/msm/msm_drv.c b/drivers/gpu/drm/msm/msm_drv.c
index 7a7421fb02b4..f9de156b9e65 100644
--- a/drivers/gpu/drm/msm/msm_drv.c
+++ b/drivers/gpu/drm/msm/msm_drv.c
@@ -664,6 +664,12 @@ static int msm_ioctl_gem_new(struct drm_device *dev, void *data,
                struct drm_file *file)
 {
        struct drm_msm_gem_new *args = data;
+        if (args->flags & ~MSM_BO_FLAGS) {
+                DRM_ERROR("invalid flags: %08x\n", args->flags);
+                return -EINVAL;
+        }
        return msm_gem_new_handle(dev, file, args->size,
                        args->flags, &args->handle);
 }
@@ -677,6 +683,11 @@ static int msm_ioctl_gem_cpu_prep(struct drm_device *dev, void *data,
        struct drm_gem_object *obj;
        int ret;
+        if (args->op & ~MSM_PREP_FLAGS) {
+                DRM_ERROR("invalid op: %08x\n", args->op);
+                return -EINVAL;
+        }
        obj = drm_gem_object_lookup(dev, file, args->handle);
        if (!obj)
                return -ENOENT;
@@ -731,7 +742,14 @@ static int msm_ioctl_wait_fence(struct drm_device *dev, void *data,
                struct drm_file *file)
 {
        struct drm_msm_wait_fence *args = data;
-        return msm_wait_fence_interruptable(dev, args->fence, &TS(args->timeout));
+        if (args->pad) {
+                DRM_ERROR("invalid pad: %08x\n", args->pad);
+                return -EINVAL;
+        }
+        return msm_wait_fence_interruptable(dev, args->fence,
+                        &TS(args->timeout));
 }
 static const struct drm_ioctl_desc msm_ioctls[] = {
diff --git a/drivers/gpu/drm/msm/msm_gem_submit.c b/drivers/gpu/drm/msm/msm_gem_submit.c
index 5423e914e491..1f1f4cffdaed 100644
--- a/drivers/gpu/drm/msm/msm_gem_submit.c
+++ b/drivers/gpu/drm/msm/msm_gem_submit.c
@@ -23,7 +23,6 @@
 * Cmdstream submission:
 */
-#define BO_INVALID_FLAGS ~(MSM_SUBMIT_BO_READ | MSM_SUBMIT_BO_WRITE)
 /* make sure these don't conflict w/ MSM_SUBMIT_BO_x */
 #define BO_VALID    0x8000
 #define BO_LOCKED   0x4000
@@ -77,7 +76,7 @@ static int submit_lookup_objects(struct msm_gem_submit *submit,
                        goto out_unlock;
                }
-                if (submit_bo.flags & BO_INVALID_FLAGS) {
+                if (submit_bo.flags & ~MSM_SUBMIT_BO_FLAGS) {
                        DRM_ERROR("invalid flags: %x\n", submit_bo.flags);
                        ret = -EINVAL;
                        goto out_unlock;
@@ -369,6 +368,18 @@ int msm_ioctl_gem_submit(struct drm_device *dev, void *data,
                        goto out;
                }
+                /* validate input from userspace: */
+                switch (submit_cmd.type) {
+                case MSM_SUBMIT_CMD_BUF:
+                case MSM_SUBMIT_CMD_IB_TARGET_BUF:
+                case MSM_SUBMIT_CMD_CTX_RESTORE_BUF:
+                        break;
+                default:
+                        DRM_ERROR("invalid type: %08x\n", submit_cmd.type);
+                        ret = -EINVAL;
+                        goto out;
+                }
                ret = submit_bo(submit, submit_cmd.submit_idx,
                                &msm_obj, &iova, NULL);
                if (ret)
diff --git a/include/uapi/drm/msm_drm.h b/include/uapi/drm/msm_drm.h
index bf91a78a0b0e..0664c31f010c 100644
--- a/include/uapi/drm/msm_drm.h
+++ b/include/uapi/drm/msm_drm.h
@@ -70,6 +70,12 @@ struct drm_msm_param {
 #define MSM_BO_WC            0x00020000
 #define MSM_BO_UNCACHED      0x00040000
+#define MSM_BO_FLAGS         (MSM_BO_SCANOUT | \
+                              MSM_BO_GPU_READONLY | \
+                              MSM_BO_CACHED | \
+                              MSM_BO_WC | \
+                              MSM_BO_UNCACHED)
 struct drm_msm_gem_new {
        uint64_t size;           /* in */
        uint32_t flags;          /* in, mask of MSM_BO_x */
@@ -86,6 +92,8 @@ struct drm_msm_gem_info {
 #define MSM_PREP_WRITE       0x02
 #define MSM_PREP_NOSYNC      0x04
+#define MSM_PREP_FLAGS       (MSM_PREP_READ | MSM_PREP_WRITE | MSM_PREP_NOSYNC)
 struct drm_msm_gem_cpu_prep {
        uint32_t handle;         /* in */
        uint32_t op;             /* in, mask of MSM_PREP_x */
@@ -153,6 +161,9 @@ struct drm_msm_gem_submit_cmd {
 */
 #define MSM_SUBMIT_BO_READ             0x0001
 #define MSM_SUBMIT_BO_WRITE            0x0002
+#define MSM_SUBMIT_BO_FLAGS            (MSM_SUBMIT_BO_READ | MSM_SUBMIT_BO_WRITE)
 struct drm_msm_gem_submit_bo {
        uint32_t flags;          /* in, mask of MSM_SUBMIT_BO_x */
        uint32_t handle;         /* in, GEM handle */
author	Rob Clark <robdclark@gmail.com>	2014-03-03 09:42:33 -0500
committer	Rob Clark <robdclark@gmail.com>	2014-03-31 10:27:46 -0400
commit	93ddb0d3b022dfbd963f243bd01741643cebfb28 (patch)
tree	c8493b496943e3f6329847229a75a1d1a82db293
parent	060530f1ea6740eb767085008d183f89ccdd289c (diff)

diff --git a/drivers/gpu/drm/msm/msm_drv.c b/drivers/gpu/drm/msm/msm_drv.c index 7a7421fb02b4..f9de156b9e65 100644 --- a/drivers/gpu/drm/msm/msm_drv.c +++ b/drivers/gpu/drm/msm/msm_drv.c
@@ -664,6 +664,12 @@ static int msm_ioctl_gem_new(struct drm_device dev, void data,
664	struct drm_file *file)	664	struct drm_file *file)
665	{	665	{
666	struct drm_msm_gem_new *args = data;	666	struct drm_msm_gem_new *args = data;
		667
		668	if (args->flags & ~MSM_BO_FLAGS) {
		669	DRM_ERROR("invalid flags: %08x\n", args->flags);
		670	return -EINVAL;
		671	}
		672
667	return msm_gem_new_handle(dev, file, args->size,	673	return msm_gem_new_handle(dev, file, args->size,
668	args->flags, &args->handle);	674	args->flags, &args->handle);
669	}	675	}
@@ -677,6 +683,11 @@ static int msm_ioctl_gem_cpu_prep(struct drm_device dev, void data,
677	struct drm_gem_object *obj;	683	struct drm_gem_object *obj;
678	int ret;	684	int ret;
679		685
		686	if (args->op & ~MSM_PREP_FLAGS) {
		687	DRM_ERROR("invalid op: %08x\n", args->op);
		688	return -EINVAL;
		689	}
		690
680	obj = drm_gem_object_lookup(dev, file, args->handle);	691	obj = drm_gem_object_lookup(dev, file, args->handle);
681	if (!obj)	692	if (!obj)
682	return -ENOENT;	693	return -ENOENT;
@@ -731,7 +742,14 @@ static int msm_ioctl_wait_fence(struct drm_device dev, void data,
731	struct drm_file *file)	742	struct drm_file *file)
732	{	743	{
733	struct drm_msm_wait_fence *args = data;	744	struct drm_msm_wait_fence *args = data;
734	return msm_wait_fence_interruptable(dev, args->fence, &TS(args->timeout));	745
		746	if (args->pad) {
		747	DRM_ERROR("invalid pad: %08x\n", args->pad);
		748	return -EINVAL;
		749	}
		750
		751	return msm_wait_fence_interruptable(dev, args->fence,
		752	&TS(args->timeout));
735	}	753	}
736		754
737	static const struct drm_ioctl_desc msm_ioctls[] = {	755	static const struct drm_ioctl_desc msm_ioctls[] = {


diff --git a/drivers/gpu/drm/msm/msm_gem_submit.c b/drivers/gpu/drm/msm/msm_gem_submit.c index 5423e914e491..1f1f4cffdaed 100644 --- a/drivers/gpu/drm/msm/msm_gem_submit.c +++ b/drivers/gpu/drm/msm/msm_gem_submit.c
@@ -23,7 +23,6 @@
23	* Cmdstream submission:	23	* Cmdstream submission:
24	*/	24	*/
25		25
26	#define BO_INVALID_FLAGS ~(MSM_SUBMIT_BO_READ \| MSM_SUBMIT_BO_WRITE)
27	/* make sure these don't conflict w/ MSM_SUBMIT_BO_x */	26	/* make sure these don't conflict w/ MSM_SUBMIT_BO_x */
28	#define BO_VALID 0x8000	27	#define BO_VALID 0x8000
29	#define BO_LOCKED 0x4000	28	#define BO_LOCKED 0x4000
@@ -77,7 +76,7 @@ static int submit_lookup_objects(struct msm_gem_submit *submit,
77	goto out_unlock;	76	goto out_unlock;
78	}	77	}
79		78
80	if (submit_bo.flags & BO_INVALID_FLAGS) {	79	if (submit_bo.flags & ~MSM_SUBMIT_BO_FLAGS) {
81	DRM_ERROR("invalid flags: %x\n", submit_bo.flags);	80	DRM_ERROR("invalid flags: %x\n", submit_bo.flags);
82	ret = -EINVAL;	81	ret = -EINVAL;
83	goto out_unlock;	82	goto out_unlock;
@@ -369,6 +368,18 @@ int msm_ioctl_gem_submit(struct drm_device dev, void data,
369	goto out;	368	goto out;
370	}	369	}
371		370
		371	/* validate input from userspace: */
		372	switch (submit_cmd.type) {
		373	case MSM_SUBMIT_CMD_BUF:
		374	case MSM_SUBMIT_CMD_IB_TARGET_BUF:
		375	case MSM_SUBMIT_CMD_CTX_RESTORE_BUF:
		376	break;
		377	default:
		378	DRM_ERROR("invalid type: %08x\n", submit_cmd.type);
		379	ret = -EINVAL;
		380	goto out;
		381	}
		382
372	ret = submit_bo(submit, submit_cmd.submit_idx,	383	ret = submit_bo(submit, submit_cmd.submit_idx,
373	&msm_obj, &iova, NULL);	384	&msm_obj, &iova, NULL);
374	if (ret)	385	if (ret)


diff --git a/include/uapi/drm/msm_drm.h b/include/uapi/drm/msm_drm.h index bf91a78a0b0e..0664c31f010c 100644 --- a/include/uapi/drm/msm_drm.h +++ b/include/uapi/drm/msm_drm.h
@@ -70,6 +70,12 @@ struct drm_msm_param {
70	#define MSM_BO_WC 0x00020000	70	#define MSM_BO_WC 0x00020000
71	#define MSM_BO_UNCACHED 0x00040000	71	#define MSM_BO_UNCACHED 0x00040000
72		72
		73	#define MSM_BO_FLAGS (MSM_BO_SCANOUT \| \
		74	MSM_BO_GPU_READONLY \| \
		75	MSM_BO_CACHED \| \
		76	MSM_BO_WC \| \
		77	MSM_BO_UNCACHED)
		78
73	struct drm_msm_gem_new {	79	struct drm_msm_gem_new {
74	uint64_t size; /* in */	80	uint64_t size; /* in */
75	uint32_t flags; /* in, mask of MSM_BO_x */	81	uint32_t flags; /* in, mask of MSM_BO_x */
@@ -86,6 +92,8 @@ struct drm_msm_gem_info {
86	#define MSM_PREP_WRITE 0x02	92	#define MSM_PREP_WRITE 0x02
87	#define MSM_PREP_NOSYNC 0x04	93	#define MSM_PREP_NOSYNC 0x04
88		94
		95	#define MSM_PREP_FLAGS (MSM_PREP_READ \| MSM_PREP_WRITE \| MSM_PREP_NOSYNC)
		96
89	struct drm_msm_gem_cpu_prep {	97	struct drm_msm_gem_cpu_prep {
90	uint32_t handle; /* in */	98	uint32_t handle; /* in */
91	uint32_t op; /* in, mask of MSM_PREP_x */	99	uint32_t op; /* in, mask of MSM_PREP_x */
@@ -153,6 +161,9 @@ struct drm_msm_gem_submit_cmd {
153	*/	161	*/
154	#define MSM_SUBMIT_BO_READ 0x0001	162	#define MSM_SUBMIT_BO_READ 0x0001
155	#define MSM_SUBMIT_BO_WRITE 0x0002	163	#define MSM_SUBMIT_BO_WRITE 0x0002
		164
		165	#define MSM_SUBMIT_BO_FLAGS (MSM_SUBMIT_BO_READ \| MSM_SUBMIT_BO_WRITE)
		166
156	struct drm_msm_gem_submit_bo {	167	struct drm_msm_gem_submit_bo {
157	uint32_t flags; /* in, mask of MSM_SUBMIT_BO_x */	168	uint32_t flags; /* in, mask of MSM_SUBMIT_BO_x */
158	uint32_t handle; /* in, GEM handle */	169	uint32_t handle; /* in, GEM handle */