From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Ofir Bitton <obitton@habana.ai>,
	Oded Gabbay <oded.gabbay@gmail.com>,
	Sasha Levin <sashal@kernel.org>
Subject: [PATCH AUTOSEL 5.8 15/42] habanalabs: validate packet id during CB parse
Date: Mon, 31 Aug 2020 11:29:07 -0400	[thread overview]
Message-ID: <20200831152934.1023912-15-sashal@kernel.org> (raw)
In-Reply-To: <20200831152934.1023912-1-sashal@kernel.org>

From: Ofir Bitton <obitton@habana.ai>

[ Upstream commit bc75be24fa88ef10eecaff2b2a9ada8189e5ab5d ]

During command buffer parsing, driver extracts packet id
from user buffer. Driver must validate this packet id, since it is
being used in order to extract information from internal structures.

Signed-off-by: Ofir Bitton <obitton@habana.ai>
Reviewed-by: Oded Gabbay <oded.gabbay@gmail.com>
Signed-off-by: Oded Gabbay <oded.gabbay@gmail.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/misc/habanalabs/gaudi/gaudi.c | 35 +++++++++++++++++++++++++++
 drivers/misc/habanalabs/goya/goya.c   | 31 ++++++++++++++++++++++++
 2 files changed, 66 insertions(+)

diff --git a/drivers/misc/habanalabs/gaudi/gaudi.c b/drivers/misc/habanalabs/gaudi/gaudi.c
index 637a9d608707f..0261f60df5633 100644
--- a/drivers/misc/habanalabs/gaudi/gaudi.c
+++ b/drivers/misc/habanalabs/gaudi/gaudi.c
@@ -154,6 +154,29 @@ static const u16 gaudi_packet_sizes[MAX_PACKET_ID] = {
 	[PACKET_LOAD_AND_EXE]	= sizeof(struct packet_load_and_exe)
 };
 
+static inline bool validate_packet_id(enum packet_id id)
+{
+	switch (id) {
+	case PACKET_WREG_32:
+	case PACKET_WREG_BULK:
+	case PACKET_MSG_LONG:
+	case PACKET_MSG_SHORT:
+	case PACKET_CP_DMA:
+	case PACKET_REPEAT:
+	case PACKET_MSG_PROT:
+	case PACKET_FENCE:
+	case PACKET_LIN_DMA:
+	case PACKET_NOP:
+	case PACKET_STOP:
+	case PACKET_ARB_POINT:
+	case PACKET_WAIT:
+	case PACKET_LOAD_AND_EXE:
+		return true;
+	default:
+		return false;
+	}
+}
+
 static const char * const
 gaudi_tpc_interrupts_cause[GAUDI_NUM_OF_TPC_INTR_CAUSE] = {
 	"tpc_address_exceed_slm",
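Review bot: The new validate_packet_id() has no comment tying its case list to gaudi_packet_sizes[], although the callers index that table with the id directly after the check, so the two lists have to be maintained together by hand. I would add above the function `/* Allow-list for packet ids read from a user command buffer; keep in sync with gaudi_packet_sizes[] */`. The same comment, naming goya_packet_sizes[], fits the copy added in goya.c. Only the tail of the table is visible in this hunk, so whether every listed id currently has a size entry should be confirmed against the full initializer.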
@@ -3859,6 +3882,12 @@ static int gaudi_validate_cb(struct hl_device *hdev,
 				PACKET_HEADER_PACKET_ID_MASK) >>
 					PACKET_HEADER_PACKET_ID_SHIFT);
 
+		if (!validate_packet_id(pkt_id)) {
+			dev_err(hdev->dev, "Invalid packet id %u\n", pkt_id);
+			rc = -EINVAL;
+			break;
+		}
+
 		pkt_size = gaudi_packet_sizes[pkt_id];
 		cb_parsed_length += pkt_size;
 		if (cb_parsed_length > parser->user_cb_size) {
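Review bot: The added `dev_err()` on the rejection path is reachable from user-supplied data, since the commit message says the packet id is taken from the user buffer, so a process that can submit command buffers can emit this message as often as it likes. Rate-limiting the message bounds the log volume without losing the diagnostic: `dev_err_ratelimited(hdev->dev, "Invalid packet id %u\n", pkt_id);`. The same applies to the identical checks added in gaudi_patch_cb, goya_validate_cb and goya_patch_cb. gaudi_validate_cb starts and ends outside this hunk, so how the neighbouring error paths in the loop log is not visible here.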
@@ -4082,6 +4111,12 @@ static int gaudi_patch_cb(struct hl_device *hdev,
 				PACKET_HEADER_PACKET_ID_MASK) >>
 					PACKET_HEADER_PACKET_ID_SHIFT);
 
+		if (!validate_packet_id(pkt_id)) {
+			dev_err(hdev->dev, "Invalid packet id %u\n", pkt_id);
+			rc = -EINVAL;
+			break;
+		}
+
 		pkt_size = gaudi_packet_sizes[pkt_id];
 		cb_parsed_length += pkt_size;
 		if (cb_parsed_length > parser->user_cb_size) {
diff --git a/drivers/misc/habanalabs/goya/goya.c b/drivers/misc/habanalabs/goya/goya.c
index 88460b2138d88..c179085ced7b8 100644
--- a/drivers/misc/habanalabs/goya/goya.c
+++ b/drivers/misc/habanalabs/goya/goya.c
@@ -139,6 +139,25 @@ static u16 goya_packet_sizes[MAX_PACKET_ID] = {
 	[PACKET_STOP]		= sizeof(struct packet_stop)
 };
 
+static inline bool validate_packet_id(enum packet_id id)
+{
+	switch (id) {
+	case PACKET_WREG_32:
+	case PACKET_WREG_BULK:
+	case PACKET_MSG_LONG:
+	case PACKET_MSG_SHORT:
+	case PACKET_CP_DMA:
+	case PACKET_MSG_PROT:
+	case PACKET_FENCE:
+	case PACKET_LIN_DMA:
+	case PACKET_NOP:
+	case PACKET_STOP:
+		return true;
+	default:
+		return false;
+	}
+}
+
 static u64 goya_mmu_regs[GOYA_MMU_REGS_NUM] = {
 	mmDMA_QM_0_GLBL_NON_SECURE_PROPS,
 	mmDMA_QM_1_GLBL_NON_SECURE_PROPS,
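Review bot: This second static validate_packet_id() has the same name as the one added in gaudi.c but accepts a shorter list (no PACKET_REPEAT, PACKET_ARB_POINT, PACKET_WAIT or PACKET_LOAD_AND_EXE), which makes grep and tag lookups ambiguous between two functions with different behaviour. Both files already prefix their tables and parsers with the ASIC name (goya_packet_sizes, goya_validate_cb), so I would rename to match: `static inline bool goya_validate_packet_id(enum packet_id id)` here and `gaudi_validate_packet_id` in gaudi.c, with the four call sites updated accordingly.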
@@ -3381,6 +3400,12 @@ static int goya_validate_cb(struct hl_device *hdev,
 				PACKET_HEADER_PACKET_ID_MASK) >>
 					PACKET_HEADER_PACKET_ID_SHIFT);
 
+		if (!validate_packet_id(pkt_id)) {
+			dev_err(hdev->dev, "Invalid packet id %u\n", pkt_id);
+			rc = -EINVAL;
+			break;
+		}
+
 		pkt_size = goya_packet_sizes[pkt_id];
 		cb_parsed_length += pkt_size;
 		if (cb_parsed_length > parser->user_cb_size) {
@@ -3616,6 +3641,12 @@ static int goya_patch_cb(struct hl_device *hdev,
 				PACKET_HEADER_PACKET_ID_MASK) >>
 					PACKET_HEADER_PACKET_ID_SHIFT);
 
+		if (!validate_packet_id(pkt_id)) {
+			dev_err(hdev->dev, "Invalid packet id %u\n", pkt_id);
+			rc = -EINVAL;
+			break;
+		}
+
 		pkt_size = goya_packet_sizes[pkt_id];
 		cb_parsed_length += pkt_size;
 		if (cb_parsed_length > parser->user_cb_size) {
-- 
2.25.1


