From: Sasha Levin
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Ofir Bitton, Oded Gabbay, Sasha Levin
Subject: [PATCH AUTOSEL 5.8 15/42] habanalabs: validate packet id during CB parse
Date: Mon, 31 Aug 2020 11:29:07 -0400
Message-Id: <20200831152934.1023912-15-sashal@kernel.org>
X-Mailer: git-send-email 2.25.1
In-Reply-To: <20200831152934.1023912-1-sashal@kernel.org>
References: <20200831152934.1023912-1-sashal@kernel.org>
MIME-Version: 1.0
X-stable: review
X-Patchwork-Hint: Ignore
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

From: Ofir Bitton

[ Upstream commit bc75be24fa88ef10eecaff2b2a9ada8189e5ab5d ]

During command buffer parsing, driver extracts packet id from user buffer. Driver must validate this packet id, since it is being used in order to extract information from internal structures.

Signed-off-by: Ofir Bitton
Reviewed-by: Oded Gabbay
Signed-off-by: Oded Gabbay
Signed-off-by: Sasha Levin
--- drivers/misc/habanalabs/gaudi/gaudi.c | 35 +++++++++++++++++++++++++++ drivers/misc/habanalabs/goya/goya.c | 31 ++++++++++++++++++++++++ 2 files changed, 66 insertions(+) diff --git a/drivers/misc/habanalabs/gaudi/gaudi.c b/drivers/misc/habanalabs/gaudi/gaudi.c index 637a9d608707f..0261f60df5633 100644 --- a/drivers/misc/habanalabs/gaudi/gaudi.c +++ b/drivers/misc/habanalabs/gaudi/gaudi.c 
@@ -154,6 +154,29 @@ static const u16 gaudi_packet_sizes[MAX_PACKET_ID] = { [PACKET_LOAD_AND_EXE] = sizeof(struct packet_load_and_exe) }; +static inline bool validate_packet_id(enum packet_id id) +{ + switch (id) { + case PACKET_WREG_32: + case PACKET_WREG_BULK: + case PACKET_MSG_LONG: + case PACKET_MSG_SHORT: + case PACKET_CP_DMA: + case PACKET_REPEAT: + case PACKET_MSG_PROT: + case PACKET_FENCE: + case PACKET_LIN_DMA: + case PACKET_NOP: + case PACKET_STOP: + case PACKET_ARB_POINT: + case PACKET_WAIT: + case PACKET_LOAD_AND_EXE: + return true; + default: + return false; + } +} + static const char * const gaudi_tpc_interrupts_cause[GAUDI_NUM_OF_TPC_INTR_CAUSE] = { "tpc_address_exceed_slm", @@ -3859,6 +3882,12 @@ static int gaudi_validate_cb(struct hl_device *hdev, PACKET_HEADER_PACKET_ID_MASK) >> PACKET_HEADER_PACKET_ID_SHIFT); + if (!validate_packet_id(pkt_id)) { + dev_err(hdev->dev, "Invalid packet id %u\n", pkt_id); + rc = -EINVAL; + break; + } + pkt_size = gaudi_packet_sizes[pkt_id]; cb_parsed_length += pkt_size; if (cb_parsed_length > parser->user_cb_size) { @@ -4082,6 +4111,12 @@ static int gaudi_patch_cb(struct hl_device *hdev, PACKET_HEADER_PACKET_ID_MASK) >> PACKET_HEADER_PACKET_ID_SHIFT); + if (!validate_packet_id(pkt_id)) { + dev_err(hdev->dev, "Invalid packet id %u\n", pkt_id); + rc = -EINVAL; + break; + } + pkt_size = gaudi_packet_sizes[pkt_id]; cb_parsed_length += pkt_size; if (cb_parsed_length > parser->user_cb_size) { diff --git a/drivers/misc/habanalabs/goya/goya.c b/drivers/misc/habanalabs/goya/goya.c index 88460b2138d88..c179085ced7b8 100644 --- a/drivers/misc/habanalabs/goya/goya.c +++ b/drivers/misc/habanalabs/goya/goya.c 
@@ -139,6 +139,25 @@ static u16 goya_packet_sizes[MAX_PACKET_ID] = { [PACKET_STOP] = sizeof(struct packet_stop) }; +static inline bool validate_packet_id(enum packet_id id) +{ + switch (id) { + case PACKET_WREG_32: + case PACKET_WREG_BULK: + case PACKET_MSG_LONG: + case PACKET_MSG_SHORT: + case PACKET_CP_DMA: + case PACKET_MSG_PROT: + case PACKET_FENCE: + case PACKET_LIN_DMA: + case PACKET_NOP: + case PACKET_STOP: + return true; + default: + return false; + } +} + static u64 goya_mmu_regs[GOYA_MMU_REGS_NUM] = { mmDMA_QM_0_GLBL_NON_SECURE_PROPS, mmDMA_QM_1_GLBL_NON_SECURE_PROPS, @@ -3381,6 +3400,12 @@ static int goya_validate_cb(struct hl_device *hdev, PACKET_HEADER_PACKET_ID_MASK) >> PACKET_HEADER_PACKET_ID_SHIFT); + if (!validate_packet_id(pkt_id)) { + dev_err(hdev->dev, "Invalid packet id %u\n", pkt_id); + rc = -EINVAL; + break; + } + pkt_size = goya_packet_sizes[pkt_id]; cb_parsed_length += pkt_size; if (cb_parsed_length > parser->user_cb_size) { @@ -3616,6 +3641,12 @@ static int goya_patch_cb(struct hl_device *hdev, PACKET_HEADER_PACKET_ID_MASK) >> PACKET_HEADER_PACKET_ID_SHIFT); + if (!validate_packet_id(pkt_id)) { + dev_err(hdev->dev, "Invalid packet id %u\n", pkt_id); + rc = -EINVAL; + break; + } + pkt_size = goya_packet_sizes[pkt_id]; cb_parsed_length += pkt_size; if (cb_parsed_length > parser->user_cb_size) { -- 2.25.1
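
Review bot: in gaudi.c, hunk @@ -154,6 +154,29 @@, validate_packet_id() carries no comment tying its case list to the designated initialisers of gaudi_packet_sizes[] directly above it, so a packet type added to the table later will be rejected by the parser until someone also remembers the switch. Add a one-line comment saying the two must be kept in step, and consider naming the function gaudi_validate_packet_id(), since goya.c defines a static inline with the same name and a different accepted set.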
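
Review bot: in gaudi_validate_cb(), hunk @@ -3859,6 +3882,12 @@, the new dev_err() fires on a value that the commit message says is extracted from the user buffer, so a caller that keeps submitting a bad command buffer can fill the kernel log at will. Using dev_err_ratelimited(hdev->dev, "Invalid packet id %u\n", pkt_id) would keep the diagnostic without that; the same applies to the identical check added in goya_validate_cb().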
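
Review bot: in gaudi_patch_cb(), hunk @@ -4082,6 +4111,12 @@, the six added lines are a verbatim copy of the check in gaudi_validate_cb(), and goya.c repeats the pair again. A small helper that takes pkt_id and returns the size from the packet-size table or -EINVAL would leave one place to change when the check or its message is revised.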
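
Review bot: in goya.c, hunk @@ -139,6 +139,25 @@, the case list omits PACKET_REPEAT, PACKET_ARB_POINT, PACKET_WAIT and PACKET_LOAD_AND_EXE, which the gaudi.c version accepts, and nothing in the function says why. The visible tail of goya_packet_sizes[] ends at [PACKET_STOP], which suggests the omission is deliberate; a short comment stating that the list mirrors goya_packet_sizes[] would let a reader confirm that without diffing the two files.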