Received: by 2002:ad5:474a:0:0:0:0:0 with SMTP id i10csp3027868imu;
        Sun, 23 Dec 2018 13:53:55 -0800 (PST)
X-Google-Smtp-Source: ALg8bN5aW9sj/WKXhRtVSbphyRTvwkVdAvCclKEJip9uXZU4DUPnOoAp+lbTyQX+Wjl3GJ4Wsz1K
X-Received: by 2002:a63:ef04:: with SMTP id u4mr10388273pgh.197.1545602035416;
        Sun, 23 Dec 2018 13:53:55 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1545602035; cv=none;
        d=google.com; s=arc-20160816;
        b=LwBNmTCUaYGjFd+dp70FwB1fg+AGYMy06cAx0FLQcQKEP9orsJbQtgSaOOMCHrpBcw
         C3iEK7npD3le+zv+ZDGGXWDOuEhW5i4GXitwSEOFO4yX2M0H7/KINu0LPOxFJkwhzMeO
         R3o5S0d6sv1p201SlE0zrrI6hyvOWDJEiCTFar3IfsX6McWbg74wh7XoCpWlXVBSz+et
         kiDG5GeldzjYY9M7BoDApGW3xJRFCmiaWqmZvJUfxHxT6m/9xgneWoI53xtgv/rczdte
         quVtyLNaY3KRElZK+HA5dTMV72HtF9U4YGcUU5HHArTKn2c+ajHscN8Dcj30exP5B9gX
         y+1A==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-transfer-encoding:mime-version
         :references:in-reply-to:message-id:date:subject:cc:to:from
         :dkim-signature;
        bh=XygzaLnlh8fA4HxjIg+gRtTOPZSyENnxsvJMnBxmHwE=;
        b=Wi9klvgxbbcfFKVGK93kFz75ySj4Usttn+Al2hlADnXHoGJxgYJ0SlitLkBJHoRQK0
         e4Pqrlqc+2vxd9nKCgcZJX5WDgCrPNwDh97+kF9uCrD/k17NBkaXUQxR/hWJ5ukqRYk0
         WY+GIVoqYJlSxoh2Mdpbp8Mk5Rg4U4ehb+VmEY84tQWR7X8jAMyeR7ftdMfrehfNTQey
         57vUwfuYJ4jfXprcNsT8AJkus+hNjNwZDE/Y7lREjL86dMjJRPAeeU2aRmPQv7MZ2rgx
         9kp9UlPENDjRxJ5csdA3vwjPGUSRfCNbWmxlK5FOJoNgkge89Al9T1klBEBjuW7cgIHp
         nu6g==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@google.com header.s=20161025 header.b=ev6bRFMp;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id m78si19804401pfj.48.2018.12.23.13.53.39;
        Sun, 23 Dec 2018 13:53:55 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@google.com header.s=20161025 header.b=ev6bRFMp;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1725894AbeLWVwr (ORCPT <rfc822;xiaochao379261131@gmail.com>
        + 99 others); Sun, 23 Dec 2018 16:52:47 -0500
Received: from mail-io1-f66.google.com ([209.85.166.66]:43569 "EHLO
        mail-io1-f66.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1725828AbeLWVwr (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Sun, 23 Dec 2018 16:52:47 -0500
Received: by mail-io1-f66.google.com with SMTP id q17so4436184ior.10
        for <linux-kernel@vger.kernel.org>; Sun, 23 Dec 2018 13:52:46 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=google.com; s=20161025;
        h=from:to:cc:subject:date:message-id:in-reply-to:references
         :mime-version:content-transfer-encoding;
        bh=XygzaLnlh8fA4HxjIg+gRtTOPZSyENnxsvJMnBxmHwE=;
        b=ev6bRFMpf8JJPHuT6xoVyte6dSoRD6ARYbZSs0YjusLUeTtHzXH2qH7+90BFNfoqZN
         uqWtHfbKDarjHd2ygI1IWBau43OpTPn9YWa5ptSyh1k3aGjWFmcJz/17wBm1Hobx+PNg
         DVY6QIaSHlLE9ifi2NbJq2IRCVj41mPFZrtJfWyt8IOWRsUoH+xMqK544PWRq0V0fzbS
         xrMFbn2AgTd+970gcNKp3RK5Gv8OlXKteDZv7T2IcnWz178vBeg4vLHokWBUy+Il479N
         XhzPb597bS9fGcNQKrQRfwsLI4/RkVHeTF4LFtMTPC3eLvVPzRSNYjxH+Gf9tSKLqHGF
         vsSw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to
         :references:mime-version:content-transfer-encoding;
        bh=XygzaLnlh8fA4HxjIg+gRtTOPZSyENnxsvJMnBxmHwE=;
        b=kzXQoqpLxRnSZ8wAgwKh1OiNqwuucXdts+fgRCaLr3VNxsmK0EaJjktx651Rz5ne1h
         eVAXsjye0+eBet2iRZKnvq/3SMrKzVT2k9jm3tu6a61fnlBHSlGiby4Iagl5dG9Y9aqn
         u3ZZgomW1pDAaXVOFEnSc9KkJf3o5//8/Aes+31y+TwSPBR6+vD7xSjJ4dKo8dgt1g+m
         wPUSY7sHiLU4/crSpHDyKPBhH9MmzqY68Qan4gCN5mUXariuZBGmt7LfnlhRgs6ZRc4h
         WB9sAlzGbVP8n2G4JMik6EeyHaLjAJoKUFq39J9nBgHsCxMVLtUHAV1Lyb+1PYQEApe7
         Y2qQ==
X-Gm-Message-State: AJcUukeuUvuGs2b97sD+Ek4BDcI6/mpiktPIiyfMWTC2qYFncs0WGolN
        GVYqjb3nFD37FnmUL1iaPZNIXA==
X-Received: by 2002:a6b:ee16:: with SMTP id i22mr7203946ioh.124.1545601966020;
        Sun, 23 Dec 2018 13:52:46 -0800 (PST)
Received: from yuzhao.bld.corp.google.com ([2620:15c:183:0:a0c3:519e:9276:fc96])
        by smtp.gmail.com with ESMTPSA id v74sm10386881ita.27.2018.12.23.13.52.44
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Sun, 23 Dec 2018 13:52:45 -0800 (PST)
From:   Yu Zhao <yuzhao@google.com>
To:     David Airlie <airlied@linux.ie>, Daniel Vetter <daniel@ffwll.ch>,
        =?UTF-8?q?Christian=20K=C3=B6nig?= <christian.koenig@amd.com>,
        Alex Deucher <alexander.deucher@amd.com>
Cc:     David Zhou <David1.Zhou@amd.com>, Samuel Li <Samuel.Li@amd.com>,
        Harry Wentland <harry.wentland@amd.com>,
        Junwei Zhang <Jerry.Zhang@amd.com>,
        Daniel Stone <daniels@collabora.com>,
        amd-gfx@lists.freedesktop.org, dri-devel@lists.freedesktop.org,
        linux-kernel@vger.kernel.org, Yu Zhao <yuzhao@google.com>,
        stable@vger.kernel.org
Subject: [PATCH v4 1/2] drm/amd: validate user pitch alignment
Date:   Sun, 23 Dec 2018 14:52:38 -0700
Message-Id: <20181223215239.173339-1-yuzhao@google.com>
X-Mailer: git-send-email 2.20.1.415.g653613c723-goog
In-Reply-To: <20181222192712.9420-1-yuzhao@google.com>
References: <20181222192712.9420-1-yuzhao@google.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

Userspace may request pitch alignment that is not supported by GPU.
Some requests 32, but GPU ignores it and uses default 64 when cpp is
4. If GEM object is allocated based on the smaller alignment, GPU
DMA will go out of bound.

For GPU that does frame buffer compression, DMA writing out of bound
memory will cause memory corruption.

Cc: stable@vger.kernel.org # v4.2+
Signed-off-by: Yu Zhao <yuzhao@google.com>
---
 drivers/gpu/drm/amd/amdgpu/amdgpu_display.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_display.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_display.c
index 686a26de50f9..af0626a2b528 100644
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_display.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_display.c
@@ -527,6 +527,15 @@ amdgpu_display_user_framebuffer_create(struct drm_device *dev,
 	struct drm_gem_object *obj;
 	struct amdgpu_framebuffer *amdgpu_fb;
 	int ret;
+	struct amdgpu_device *adev = dev->dev_private;
+	int cpp = drm_format_plane_cpp(mode_cmd->pixel_format, 0);
+	int pitch = amdgpu_align_pitch(adev, mode_cmd->width, cpp, false);
+
+	if (mode_cmd->pitches[0] != pitch) {
+		DRM_DEBUG_KMS("Invalid pitch: expecting %d but got %d\n",
+			      pitch, mode_cmd->pitches[0]);
+		return ERR_PTR(-EINVAL);
+	}
 
 	obj = drm_gem_object_lookup(file_priv, mode_cmd->handles[0]);
 	if (obj ==  NULL) {
-- 
2.20.1.415.g653613c723-goog