Received: by 2002:ad5:474a:0:0:0:0:0 with SMTP id i10csp1996523imu;
        Sat, 22 Dec 2018 09:46:08 -0800 (PST)
X-Google-Smtp-Source: AFSGD/VvyZOQtHchA/xgiIuweop5VHP6jDBk9Pw/C766FCRghcjNWAvrttSIhPyovxHSt9gOsmS6
X-Received: by 2002:a62:824c:: with SMTP id w73mr7223836pfd.150.1545500768444;
        Sat, 22 Dec 2018 09:46:08 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1545500768; cv=none;
        d=google.com; s=arc-20160816;
        b=dZS88weyUVvQ3vA6lDcamJHEGcsBKWKiVqSSBBJEjIxn+fhP3dxYTskyF2CtyGZ9vB
         uLwaqRriq7IJGVIPBHeEM09uDg0hM6Hlw/M4j7z9FKoLtJNuvFv+vpnFB+zYq0MAh6yP
         QA5qqVUeGXz+Z6zPZdJvXg4CoGM8FwYQQmJ9GA+Nru3wskGiYuHABOs/owUTZhGr5YAv
         8bOC2c8xH/ZUlGOg94v3rwKUm1gPkQ1HzpEkpCaNjVnn2RCNqUF53gCEnT6WIgCAq210
         gqjBKb7qLioHOxQpWVX0MncbdJjMwJalKICYpfVzsmCxhVrqHmgWuzI3IccU7dZKtMvQ
         Yvcw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-transfer-encoding:mime-version
         :references:in-reply-to:message-id:date:subject:cc:to:from
         :dkim-signature;
        bh=OVSHWNk4j44/NEJZil+PbDIgCZZhA/ex4ZcaIDuIdNg=;
        b=NqxvQN3Im5b1W/DpxiCuhmDIKzn4aQA2ph7Zyc7KGv416U5Al8gqUtFe54OrHfqF7c
         hgwEFmnJogZrQjZCNRHGOLCGvlHykgW93nSH5w7Fg7Bz+LkEhDfSyjOgla/p1UD0+94O
         clgl+c0XRjFlhB0hEjtRqzfoTi4R4xGCi7h+RQKHriITblfwnwR/LHYySIBp51VTis2C
         uhUCRqmsQ1kA5s2PT1cKbHh7t8IApbkZ1IVkgZZvUumeiunhR/DdXv+jbI9ToWOgLsYF
         ZVnReh8XtZuBQ6FhBvxlkFUM94avUicXqy32fBh6Y1e6NcOXJk4vFjELweIhrqn9Iffs
         l8YQ==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@google.com header.s=20161025 header.b=JCaGiSFY;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id k125si4942340pfc.21.2018.12.22.09.45.51;
        Sat, 22 Dec 2018 09:46:08 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@google.com header.s=20161025 header.b=JCaGiSFY;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S2391783AbeLUTsi (ORCPT <rfc822;mahoosoft4you@gmail.com>
        + 99 others); Fri, 21 Dec 2018 14:48:38 -0500
Received: from mail-io1-f66.google.com ([209.85.166.66]:34630 "EHLO
        mail-io1-f66.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1730231AbeLUTsi (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Fri, 21 Dec 2018 14:48:38 -0500
Received: by mail-io1-f66.google.com with SMTP id l22so1410152ioh.1
        for <linux-kernel@vger.kernel.org>; Fri, 21 Dec 2018 11:48:37 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=google.com; s=20161025;
        h=from:to:cc:subject:date:message-id:in-reply-to:references
         :mime-version:content-transfer-encoding;
        bh=OVSHWNk4j44/NEJZil+PbDIgCZZhA/ex4ZcaIDuIdNg=;
        b=JCaGiSFYD9ft5Lkz7OBzPHNtnRTBR4/G5K64IYtqPYdKrKFhZulOfM/WRr0UhGqJr8
         kOb+bGv6ZcT6p5P8P41uZDNAcxFE6ujqz5DglMfxaWF+JGk7cBLudFRjFTGQqf4cEImf
         k17piPpEIFQaGyMyp7Z5FXtLkY8zZW781kDGeYg4JtEiSets/Uv0tzbvySl5tlqFKGZz
         81dZbkKZgxNodLiK8la3gOi0dXGU+DRB6w/qH5GK9d15/04l88bfrEUKiNun874uaGm6
         arSdRhxlp42FW5xQCzZ3g0xWTA6HY/5bfoA8UAeVNpaFYUSahR3ZHCX3fc2n7F8EofN2
         K+KA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to
         :references:mime-version:content-transfer-encoding;
        bh=OVSHWNk4j44/NEJZil+PbDIgCZZhA/ex4ZcaIDuIdNg=;
        b=Q0J1xF9RdKJWkDQ6LXqTisH9OBo6Qm13J5P/EOBmgNo7poeOx676D9+DBepQQJ5MPZ
         meibvVxIPoeY5R7j/ejnTCEG8MIRwvQ15gYjhb8gL2ghdQkoRax5KRseyGNYqJh5+mN0
         3uYPbyGjQUaqG26+/F1QLDpF2LgphedrTjHxhRTiHtQMra8QQLISVDhvq34q6XC/HEWa
         MKn9JmY5Jb7D/q0lFjvFp2ryOsN/NzQHTS3bSGtRu7QJwZ4thi841hGLGLHiNYVEpjNo
         24BtHOqFil4awWGBynhFhs9yNddDLBLGUPXRMWJjGnTm2pNLxsloUVhnHrE1b98pehPo
         h2sQ==
X-Gm-Message-State: AJcUukcDJJflKkB6MjfwDQyVNtw+6Af91Y5/T0ESA32RzBPiN9RTg8Iy
        mg/o4iNLsDMpmIi807yC829JOQ==
X-Received: by 2002:a6b:8d11:: with SMTP id p17mr2611416iod.74.1545421717331;
        Fri, 21 Dec 2018 11:48:37 -0800 (PST)
Received: from yuzhao.bld.corp.google.com ([2620:15c:183:0:a0c3:519e:9276:fc96])
        by smtp.gmail.com with ESMTPSA id h14sm11157581ior.41.2018.12.21.11.48.36
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Fri, 21 Dec 2018 11:48:36 -0800 (PST)
From:   Yu Zhao <yuzhao@google.com>
To:     David Airlie <airlied@linux.ie>, Daniel Vetter <daniel@ffwll.ch>,
        =?UTF-8?q?Christian=20K=C3=B6nig?= <christian.koenig@amd.com>,
        Alex Deucher <alexander.deucher@amd.com>
Cc:     David Zhou <David1.Zhou@amd.com>, Samuel Li <Samuel.Li@amd.com>,
        Harry Wentland <harry.wentland@amd.com>,
        Junwei Zhang <Jerry.Zhang@amd.com>,
        Daniel Stone <daniels@collabora.com>,
        Joerg Roedel <joro@8bytes.org>, amd-gfx@lists.freedesktop.org,
        dri-devel@lists.freedesktop.org, linux-kernel@vger.kernel.org,
        Yu Zhao <yuzhao@google.com>
Subject: [PATCH v2 1/2] drm/amd: validate user pitch alignment
Date:   Fri, 21 Dec 2018 12:47:38 -0700
Message-Id: <20181221194739.25523-1-yuzhao@google.com>
X-Mailer: git-send-email 2.20.1.415.g653613c723-goog
In-Reply-To: <20181221031053.240161-2-yuzhao@google.com>
References: <20181221031053.240161-2-yuzhao@google.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

Userspace may request pitch alignment that is not supported by GPU.
Some requests 32, but GPU ignores it and uses default 64 when cpp is
4. If GEM object is allocated based on the smaller alignment, GPU
DMA will go out of bound.

For GPU that does frame buffer compression, DMA writing out of bound
memory will cause memory corruption.

Signed-off-by: Yu Zhao <yuzhao@google.com>
---
 drivers/gpu/drm/amd/amdgpu/amdgpu_display.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_display.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_display.c
index 686a26de50f9..883a4df2386d 100644
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_display.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_display.c
@@ -527,6 +527,15 @@ amdgpu_display_user_framebuffer_create(struct drm_device *dev,
 	struct drm_gem_object *obj;
 	struct amdgpu_framebuffer *amdgpu_fb;
 	int ret;
+	struct amdgpu_device *adev = dev->dev_private;
+	int cpp = drm_format_plane_cpp(mode_cmd->pixel_format, 0);
+	int pitch = amdgpu_align_pitch(adev, mode_cmd->pitches[0], cpp, false);
+
+	if (mode_cmd->pitches[0] != pitch) {
+		DRM_DEBUG_KMS("Invalid pitch: expecting %d but got %d\n",
+			      pitch, mode_cmd->pitches[0]);
+		return ERR_PTR(-EINVAL);
+	}
 
 	obj = drm_gem_object_lookup(file_priv, mode_cmd->handles[0]);
 	if (obj ==  NULL) {
-- 
2.20.1.415.g653613c723-goog