
drm/msm: fix cmdstream size check

Need to check size+offset against bo size (duh!).. now we have a test
case to make sure I've done it right:

https://github.com/freedreno/msmtest/blob/master/submittest.c

Also, use DRM_ERROR() for error case traces, which makes debugging
userspace easier when enabling debug traces is too much.

Signed-off-by: Rob Clark <robdclark@gmail.com>

Rob Clark 19872533 26791c48

+13 -11
+13 -11
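--- a/drivers/gpu/drm/msm/msm_gem_submit.c
+++ b/drivers/gpu/drm/msm/msm_gem_submit.c
@@ -78,7 +78,7 @@
 }
 
 if (submit_bo.flags & BO_INVALID_FLAGS) {
-DBG("invalid flags: %x", submit_bo.flags);
+DRM_ERROR("invalid flags: %x\n", submit_bo.flags);
 ret = -EINVAL;
 goto out_unlock;
 }
@@ -92,7 +92,7 @@
 */
 obj = idr_find(&file->object_idr, submit_bo.handle);
 if (!obj) {
-DBG("invalid handle %u at index %u", submit_bo.handle, i);
+DRM_ERROR("invalid handle %u at index %u\n", submit_bo.handle, i);
 ret = -EINVAL;
 goto out_unlock;
 }
@@ -100,7 +100,7 @@
 msm_obj = to_msm_bo(obj);
 
 if (!list_empty(&msm_obj->submit_entry)) {
-DBG("handle %u at index %u already on submit list",
+DRM_ERROR("handle %u at index %u already on submit list\n",
 submit_bo.handle, i);
 ret = -EINVAL;
 goto out_unlock;
@@ -216,8 +216,9 @@
 struct msm_gem_object **obj, uint32_t *iova, bool *valid)
 {
 if (idx >= submit->nr_bos) {
-DBG("invalid buffer index: %u (out of %u)", idx, submit->nr_bos);
-return EINVAL;
+DRM_ERROR("invalid buffer index: %u (out of %u)\n",
+idx, submit->nr_bos);
+return -EINVAL;
 }
 
 if (obj)
@@ -240,7 +239,7 @@
 int ret;
 
 if (offset % 4) {
-DBG("non-aligned cmdstream buffer: %u", offset);
+DRM_ERROR("non-aligned cmdstream buffer: %u\n", offset);
 return -EINVAL;
 }
 
@@ -267,7 +266,7 @@
 return -EFAULT;
 
 if (submit_reloc.submit_offset % 4) {
-DBG("non-aligned reloc offset: %u",
+DRM_ERROR("non-aligned reloc offset: %u\n",
 submit_reloc.submit_offset);
 return -EINVAL;
 }
@@ -277,7 +276,7 @@
 
 if ((off >= (obj->base.size / 4)) ||
 (off < last_offset)) {
-DBG("invalid offset %u at reloc %u", off, i);
+DRM_ERROR("invalid offset %u at reloc %u\n", off, i);
 return -EINVAL;
 }
 
@@ -375,14 +374,15 @@
 goto out;
 
 if (submit_cmd.size % 4) {
-DBG("non-aligned cmdstream buffer size: %u",
+DRM_ERROR("non-aligned cmdstream buffer size: %u\n",
 submit_cmd.size);
 ret = -EINVAL;
 goto out;
 }
 
-if (submit_cmd.size >= msm_obj->base.size) {
-DBG("invalid cmdstream size: %u", submit_cmd.size);
+if ((submit_cmd.size + submit_cmd.submit_offset) >=
+msm_obj->base.size) {
+DRM_ERROR("invalid cmdstream size: %u\n", submit_cmd.size);
 ret = -EINVAL;
 goto out;
 }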
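Review bot: The new bound `(submit_cmd.size + submit_cmd.submit_offset) >= msm_obj->base.size` in the last hunk can wrap before it is compared: both fields come from the userspace-supplied submit struct, and `size` is printed with `%u`, so if they are 32-bit (their declaration is outside the hunk) the sum is computed in 32 bits and a large `submit_offset` paired with a small `size` passes the check. Comparing without the addition avoids that, e.g. `if (submit_cmd.size >= msm_obj->base.size || submit_cmd.submit_offset >= msm_obj->base.size - submit_cmd.size) {`, and the message would be easier to act on if it also printed `submit_cmd.submit_offset`. Separately, every DBG() converted to DRM_ERROR() in this file sits on a path userspace can hit at will, so a rate-limited print (`DRM_ERROR_RATELIMITED`, where the tree provides it) would keep a misbehaving client from flooding the kernel log. The enclosing function starts and ends outside the hunk.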