Re: [PATCH 7/7] drm/msm: validate flags, etc

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Jordan Crouse <jcrouse@codeaurora.org>
To: Rob Clark <robdclark@gmail.com>
Cc: dri-devel@lists.freedesktop.org, linux-arm-msm@vger.kernel.org
Subject: Re: [PATCH 7/7] drm/msm: validate flags, etc
Date: Mon, 10 Mar 2014 14:22:15 -0600	[thread overview]
Message-ID: <531E1EF7.6010207@codeaurora.org> (raw)
In-Reply-To: <1394470062-27442-8-git-send-email-robdclark@gmail.com>

On 03/10/2014 10:47 AM, Rob Clark wrote:
> After reading a nice article on LWN[1], I went back and double checked
> my handling of invalid-input checking.  Turns out there were a couple
> places I had missed.
>
> Since the driver is fairly young, and the devices it supports are really
> only just barely usable for basic stuff (serial console) with an
> upstream kernel, I think we should fix this now and revert specific
> parts of this patch later in the unlikely event that a regression is
> reported.
>
> [1] https://lwn.net/Articles/588444/
>
> Signed-off-by: Rob Clark <robdclark@gmail.com>

Acked-by: Jordan Crouse <jcrouse@codeaurora.org>
> ---
>   drivers/gpu/drm/msm/msm_drv.c        | 20 +++++++++++++++++++-
>   drivers/gpu/drm/msm/msm_gem_submit.c | 15 +++++++++++++--
>   include/uapi/drm/msm_drm.h           | 11 +++++++++++
>   3 files changed, 43 insertions(+), 3 deletions(-)
>
> diff --git a/drivers/gpu/drm/msm/msm_drv.c b/drivers/gpu/drm/msm/msm_drv.c
> index 9ffc275..eee8d37 100644
> --- a/drivers/gpu/drm/msm/msm_drv.c
> +++ b/drivers/gpu/drm/msm/msm_drv.c
> @@ -664,6 +664,12 @@ static int msm_ioctl_gem_new(struct drm_device *dev, void *data,
>   		struct drm_file *file)
>   {
>   	struct drm_msm_gem_new *args = data;
> +
> +	if (args->flags & ~MSM_BO_FLAGS) {
> +		DRM_ERROR("invalid flags: %08x\n", args->flags);
> +		return -EINVAL;
> +	}
> +
>   	return msm_gem_new_handle(dev, file, args->size,
>   			args->flags, &args->handle);
>   }
> @@ -677,6 +683,11 @@ static int msm_ioctl_gem_cpu_prep(struct drm_device *dev, void *data,
>   	struct drm_gem_object *obj;
>   	int ret;
>
> +	if (args->op & ~MSM_PREP_FLAGS) {
> +		DRM_ERROR("invalid op: %08x\n", args->op);
> +		return -EINVAL;
> +	}
> +
>   	obj = drm_gem_object_lookup(dev, file, args->handle);
>   	if (!obj)
>   		return -ENOENT;
> @@ -731,7 +742,14 @@ static int msm_ioctl_wait_fence(struct drm_device *dev, void *data,
>   		struct drm_file *file)
>   {
>   	struct drm_msm_wait_fence *args = data;
> -	return msm_wait_fence_interruptable(dev, args->fence, &TS(args->timeout));
> +
> +	if (args->pad) {
> +		DRM_ERROR("invalid pad: %08x\n", args->pad);
> +		return -EINVAL;
> +	}
> +
> +	return msm_wait_fence_interruptable(dev, args->fence,
> +			&TS(args->timeout));
>   }
>
>   static const struct drm_ioctl_desc msm_ioctls[] = {
> diff --git a/drivers/gpu/drm/msm/msm_gem_submit.c b/drivers/gpu/drm/msm/msm_gem_submit.c
> index 5423e91..1f1f4cf 100644
> --- a/drivers/gpu/drm/msm/msm_gem_submit.c
> +++ b/drivers/gpu/drm/msm/msm_gem_submit.c
> @@ -23,7 +23,6 @@
>    * Cmdstream submission:
>    */
>
> -#define BO_INVALID_FLAGS ~(MSM_SUBMIT_BO_READ | MSM_SUBMIT_BO_WRITE)
>   /* make sure these don't conflict w/ MSM_SUBMIT_BO_x */
>   #define BO_VALID    0x8000
>   #define BO_LOCKED   0x4000
> @@ -77,7 +76,7 @@ static int submit_lookup_objects(struct msm_gem_submit *submit,
>   			goto out_unlock;
>   		}
>
> -		if (submit_bo.flags & BO_INVALID_FLAGS) {
> +		if (submit_bo.flags & ~MSM_SUBMIT_BO_FLAGS) {
>   			DRM_ERROR("invalid flags: %x\n", submit_bo.flags);
>   			ret = -EINVAL;
>   			goto out_unlock;
> @@ -369,6 +368,18 @@ int msm_ioctl_gem_submit(struct drm_device *dev, void *data,
>   			goto out;
>   		}
>
> +		/* validate input from userspace: */
> +		switch (submit_cmd.type) {
> +		case MSM_SUBMIT_CMD_BUF:
> +		case MSM_SUBMIT_CMD_IB_TARGET_BUF:
> +		case MSM_SUBMIT_CMD_CTX_RESTORE_BUF:
> +			break;
> +		default:
> +			DRM_ERROR("invalid type: %08x\n", submit_cmd.type);
> +			ret = -EINVAL;
> +			goto out;
> +		}
> +
>   		ret = submit_bo(submit, submit_cmd.submit_idx,
>   				&msm_obj, &iova, NULL);
>   		if (ret)
> diff --git a/include/uapi/drm/msm_drm.h b/include/uapi/drm/msm_drm.h
> index bf91a78..0664c31 100644
> --- a/include/uapi/drm/msm_drm.h
> +++ b/include/uapi/drm/msm_drm.h
> @@ -70,6 +70,12 @@ struct drm_msm_param {
>   #define MSM_BO_WC            0x00020000
>   #define MSM_BO_UNCACHED      0x00040000
>
> +#define MSM_BO_FLAGS         (MSM_BO_SCANOUT | \
> +                              MSM_BO_GPU_READONLY | \
> +                              MSM_BO_CACHED | \
> +                              MSM_BO_WC | \
> +                              MSM_BO_UNCACHED)
> +
>   struct drm_msm_gem_new {
>   	uint64_t size;           /* in */
>   	uint32_t flags;          /* in, mask of MSM_BO_x */
> @@ -86,6 +92,8 @@ struct drm_msm_gem_info {
>   #define MSM_PREP_WRITE       0x02
>   #define MSM_PREP_NOSYNC      0x04
>
> +#define MSM_PREP_FLAGS       (MSM_PREP_READ | MSM_PREP_WRITE | MSM_PREP_NOSYNC)
> +
>   struct drm_msm_gem_cpu_prep {
>   	uint32_t handle;         /* in */
>   	uint32_t op;             /* in, mask of MSM_PREP_x */
> @@ -153,6 +161,9 @@ struct drm_msm_gem_submit_cmd {
>    */
>   #define MSM_SUBMIT_BO_READ             0x0001
>   #define MSM_SUBMIT_BO_WRITE            0x0002
> +
> +#define MSM_SUBMIT_BO_FLAGS            (MSM_SUBMIT_BO_READ | MSM_SUBMIT_BO_WRITE)
> +
>   struct drm_msm_gem_submit_bo {
>   	uint32_t flags;          /* in, mask of MSM_SUBMIT_BO_x */
>   	uint32_t handle;         /* in, GEM handle */
>


-- 
The Qualcomm Innovation Center, Inc. is a member of Code Aurora Forum,
hosted by The Linux Foundation

     prev parent reply	other threads:[~2014-03-10 20:22 UTC|newest]

Thread overview: 15+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2014-03-10 16:47 [PATCH 0/7] drm/msm: what's in store for 3.15 Rob Clark
2014-03-10 16:47 ` [PATCH 1/7] drm/msm: hdmi audio support Rob Clark
2014-03-10 16:47 ` [PATCH 2/7] drm/msm: add hang_debug module param Rob Clark
2014-03-10 20:17   ` Jordan Crouse
2014-03-10 20:27     ` Rob Clark
2014-03-10 16:47 ` [PATCH 3/7] drm/msm: spin helper Rob Clark
2014-03-10 20:27   ` Jordan Crouse
2014-03-10 16:47 ` [PATCH 4/7] drm/msm: crank down gpu when inactive Rob Clark
2014-03-10 20:24   ` Jordan Crouse
2014-03-10 20:39     ` Rob Clark
2014-03-10 16:47 ` [PATCH 5/7] drm/msm: add chip-id param Rob Clark
2014-03-10 20:20   ` Jordan Crouse
2014-03-10 16:47 ` [PATCH 6/7] drm/msm: use componentised device support Rob Clark
2014-03-10 16:47 ` [PATCH 7/7] drm/msm: validate flags, etc Rob Clark
2014-03-10 20:22   ` Jordan Crouse [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=531E1EF7.6010207@codeaurora.org \
    --to=jcrouse@codeaurora.org \
    --cc=dri-devel@lists.freedesktop.org \
    --cc=linux-arm-msm@vger.kernel.org \
    --cc=robdclark@gmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.