From: Yu Zhao <yuzhao@google.com>
To: "David Airlie" <airlied@linux.ie>,
"Daniel Vetter" <daniel@ffwll.ch>,
"Christian König" <christian.koenig@amd.com>,
"Alex Deucher" <alexander.deucher@amd.com>
Cc: David Zhou <David1.Zhou@amd.com>, Samuel Li <Samuel.Li@amd.com>,
Harry Wentland <harry.wentland@amd.com>,
Junwei Zhang <Jerry.Zhang@amd.com>,
Daniel Stone <daniels@collabora.com>,
amd-gfx@lists.freedesktop.org, dri-devel@lists.freedesktop.org,
linux-kernel@vger.kernel.org, Yu Zhao <yuzhao@google.com>
Subject: [PATCH 3/3] drm/amd: validate user GEM object size
Date: Thu, 20 Dec 2018 20:10:53 -0700 [thread overview]
Message-ID: <20181221031053.240161-3-yuzhao@google.com> (raw)
In-Reply-To: <20181221031053.240161-1-yuzhao@google.com>
When creating frame buffer, userspace may request to attach to a
previously allocated GEM object that is smaller than what GPU
requires. Validation must be done to prevent out-of-bound DMA,
which could not only corrupt memory but also reveal sensitive data.
This fix is not done in a common code path because individual
driver might have different requirement.
Signed-off-by: Yu Zhao <yuzhao@google.com>
---
drivers/gpu/drm/amd/amdgpu/amdgpu_display.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_display.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_display.c
index 755daa332f8a..bb48b016cc68 100644
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_display.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_display.c
@@ -527,6 +527,7 @@ amdgpu_display_user_framebuffer_create(struct drm_device *dev,
struct drm_gem_object *obj;
struct amdgpu_framebuffer *amdgpu_fb;
int ret;
+ int height;
struct amdgpu_device *adev = dev->dev_private;
int cpp = drm_format_plane_cpp(mode_cmd->pixel_format, 0);
int pitch = amdgpu_align_pitch(adev, mode_cmd->width, cpp, false);
@@ -550,6 +551,13 @@ amdgpu_display_user_framebuffer_create(struct drm_device *dev,
return ERR_PTR(-EINVAL);
}
+ height = ALIGN(mode_cmd->height, 8);
+ if (obj->size < pitch * height) {
+ dev_err(&dev->pdev->dev, "Invalid GEM size: expecting %d but got %d\n",
+ pitch * height, obj->size);
+ return ERR_PTR(-EINVAL);
+ }
+
amdgpu_fb = kzalloc(sizeof(*amdgpu_fb), GFP_KERNEL);
if (amdgpu_fb == NULL) {
drm_gem_object_put_unlocked(obj);
--
2.20.1.415.g653613c723-goog
next prev parent reply other threads:[~2018-12-21 3:11 UTC|newest]
Thread overview: 39+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-12-21 3:10 [PATCH 1/3] drm/amd: fix race in page flip job Yu Zhao
2018-12-21 3:10 ` [PATCH 2/3] drm/amd: validate user pitch alignment Yu Zhao
2018-12-21 9:04 ` Michel Dänzer
2018-12-21 9:04 ` Michel Dänzer
2018-12-21 9:07 ` Michel Dänzer
2018-12-21 9:07 ` Michel Dänzer
2018-12-21 19:41 ` Yu Zhao
2018-12-23 21:44 ` Yu Zhao
2018-12-27 11:54 ` Michel Dänzer
2018-12-27 11:54 ` Michel Dänzer
2018-12-21 19:47 ` [PATCH v2 1/2] " Yu Zhao
2018-12-21 19:47 ` [PATCH v2 2/2] drm/amd: validate user GEM object size Yu Zhao
2018-12-22 9:40 ` kbuild test robot
2018-12-22 9:40 ` kbuild test robot
2018-12-23 7:46 ` kbuild test robot
2018-12-23 7:46 ` kbuild test robot
2018-12-22 19:27 ` [PATCH v3 1/2] drm/amd: validate user pitch alignment Yu Zhao
2018-12-22 19:27 ` [PATCH v3 2/2] drm/amd: validate user GEM object size Yu Zhao
2018-12-23 21:52 ` [PATCH v4 1/2] drm/amd: validate user pitch alignment Yu Zhao
2018-12-23 21:52 ` [PATCH v4 2/2] drm/amd: validate user GEM object size Yu Zhao
2018-12-30 1:00 ` [PATCH v5 1/2] drm/amd: validate user pitch alignment Yu Zhao
2018-12-30 1:00 ` [PATCH v5 2/2] drm/amd: validate user GEM object size Yu Zhao
2019-01-03 16:33 ` [PATCH v5 1/2] drm/amd: validate user pitch alignment Michel Dänzer
2019-01-03 16:33 ` Michel Dänzer
2019-01-07 4:00 ` Yu Zhao
2019-01-07 9:54 ` Michel Dänzer
2019-01-07 9:54 ` Michel Dänzer
2019-01-07 22:51 ` [PATCH v6 " Yu Zhao
2019-01-07 22:51 ` [PATCH v6 2/2] drm/amd: validate user GEM object size Yu Zhao
2019-01-08 15:25 ` [PATCH v6 1/2] drm/amd: validate user pitch alignment Michel Dänzer
2019-01-08 15:25 ` Michel Dänzer
2018-12-21 3:10 ` Yu Zhao [this message]
2018-12-21 9:09 ` [PATCH 3/3] drm/amd: validate user GEM object size Michel Dänzer
2018-12-21 9:09 ` Michel Dänzer
2018-12-22 2:15 ` kbuild test robot
2018-12-22 4:51 ` kbuild test robot
2018-12-22 4:51 ` kbuild test robot
2018-12-21 8:56 ` [PATCH 1/3] drm/amd: fix race in page flip job Michel Dänzer
2018-12-21 8:56 ` Michel Dänzer
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20181221031053.240161-3-yuzhao@google.com \
--to=yuzhao@google.com \
--cc=David1.Zhou@amd.com \
--cc=Jerry.Zhang@amd.com \
--cc=Samuel.Li@amd.com \
--cc=airlied@linux.ie \
--cc=alexander.deucher@amd.com \
--cc=amd-gfx@lists.freedesktop.org \
--cc=christian.koenig@amd.com \
--cc=daniel@ffwll.ch \
--cc=daniels@collabora.com \
--cc=dri-devel@lists.freedesktop.org \
--cc=harry.wentland@amd.com \
--cc=linux-kernel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.