Linux-ARM-MSM Archive on lore.kernel.org
 help / color / Atom feed
From: Steve Cohen <cohens@codeaurora.org>
To: dri-devel@lists.freedesktop.org, freedreno@lists.freedesktop.org,
	linux-arm-msm@vger.kernel.org
Cc: pdhaval@codeaurora.org, seanpaul@chromium.org, adelva@google.com,
	Steve Cohen <cohens@codeaurora.org>
Subject: [PATCH 3/3] drm/msm/dpu: check blob limitations during create blob ioctl
Date: Thu,  7 Nov 2019 14:39:14 -0500
Message-ID: <1573155554-16248-4-git-send-email-cohens@codeaurora.org> (raw)
In-Reply-To: <1573155554-16248-1-git-send-email-cohens@codeaurora.org>

Limit the blob size and number of blobs that can be allocated
by a client. This prevents fuzzers from abusing this ioctl and
exhausting the system memory.

Signed-off-by: Steve Cohen <cohens@codeaurora.org>
---
 drivers/gpu/drm/msm/disp/dpu1/dpu_kms.c | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/drivers/gpu/drm/msm/disp/dpu1/dpu_kms.c b/drivers/gpu/drm/msm/disp/dpu1/dpu_kms.c
index 6c92f0f..5fbb7c3 100644
--- a/drivers/gpu/drm/msm/disp/dpu1/dpu_kms.c
+++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_kms.c
@@ -41,6 +41,8 @@
  */
 #define DPU_DEBUGFS_DIR "msm_dpu"
 #define DPU_DEBUGFS_HWMASKNAME "hw_log_mask"
+#define MAX_BLOB_PROP_SIZE	(PAGE_SIZE * 30)
+#define MAX_BLOB_PROP_COUNT	250
 
 static int dpu_kms_hw_init(struct msm_kms *kms);
 static void _dpu_kms_mmu_destroy(struct dpu_kms *dpu_kms);
@@ -544,6 +546,17 @@ static int _dpu_kms_drm_obj_init(struct dpu_kms *dpu_kms)
 	return ret;
 }
 
+static int dpu_kms_createblob_check(unsigned int count, size_t length)
+{
+	if (count >= MAX_BLOB_PROP_COUNT)
+		return -EINVAL;
+
+	if (length > MAX_BLOB_PROP_SIZE)
+		return -EINVAL;
+
+	return 0;
+}
+
 static long dpu_kms_round_pixclk(struct msm_kms *kms, unsigned long rate,
 		struct drm_encoder *encoder)
 {
@@ -683,6 +696,7 @@ static const struct msm_kms_funcs kms_funcs = {
 #ifdef CONFIG_DEBUG_FS
 	.debugfs_init    = dpu_kms_debugfs_init,
 #endif
+	.createblob_check = dpu_kms_createblob_check,
 };
 
 static void _dpu_kms_mmu_destroy(struct dpu_kms *dpu_kms)
-- 
The Qualcomm Innovation Center, Inc. is a member of the Code Aurora Forum,
a Linux Foundation Collaborative Project


  parent reply index

Thread overview: 7+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-11-07 19:39 [PATCH 0/3] allow DRM drivers to limit creation of blobs Steve Cohen
2019-11-07 19:39 ` [PATCH 1/3] drm: add driver hook for create blob limitations Steve Cohen
2019-11-07 19:39 ` [PATCH 2/3] drm/msm: add support for createblob_check driver hook Steve Cohen
2019-11-07 19:39 ` Steve Cohen [this message]
2019-11-08  8:34 ` [PATCH 0/3] allow DRM drivers to limit creation of blobs Daniel Vetter
2019-11-09  0:01   ` cohens
2019-11-10 20:57     ` Daniel Vetter

Reply instructions:

You may reply publically to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1573155554-16248-4-git-send-email-cohens@codeaurora.org \
    --to=cohens@codeaurora.org \
    --cc=adelva@google.com \
    --cc=dri-devel@lists.freedesktop.org \
    --cc=freedreno@lists.freedesktop.org \
    --cc=linux-arm-msm@vger.kernel.org \
    --cc=pdhaval@codeaurora.org \
    --cc=seanpaul@chromium.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Linux-ARM-MSM Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/linux-arm-msm/0 linux-arm-msm/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 linux-arm-msm linux-arm-msm/ https://lore.kernel.org/linux-arm-msm \
		linux-arm-msm@vger.kernel.org
	public-inbox-index linux-arm-msm

Example config snippet for mirrors

Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kernel.vger.linux-arm-msm


AGPL code for this site: git clone https://public-inbox.org/public-inbox.git