| From a1b403da70e038ca6c6c6fe434d1d873546873a3 Mon Sep 17 00:00:00 2001 |
| From: =?UTF-8?q?Christian=20K=C3=B6nig?= <christian.koenig@amd.com> |
| Date: Thu, 7 May 2015 15:19:23 +0200 |
| Subject: drm/radeon: make UVD handle checking more strict |
| MIME-Version: 1.0 |
| Content-Type: text/plain; charset=UTF-8 |
| Content-Transfer-Encoding: 8bit |
| |
| From: =?UTF-8?q?Christian=20K=C3=B6nig?= <christian.koenig@amd.com> |
| |
| commit a1b403da70e038ca6c6c6fe434d1d873546873a3 upstream. |
| |
| Invalid messages can crash the hw otherwise. |
| |
| Signed-off-by: Christian Kรถnig <christian.koenig@amd.com> |
| Signed-off-by: Alex Deucher <alexander.deucher@amd.com> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| |
| --- |
| drivers/gpu/drm/radeon/radeon_uvd.c | 72 +++++++++++++++++++++--------------- |
| 1 file changed, 43 insertions(+), 29 deletions(-) |
| |
| --- a/drivers/gpu/drm/radeon/radeon_uvd.c |
| +++ b/drivers/gpu/drm/radeon/radeon_uvd.c |
| @@ -436,50 +436,64 @@ static int radeon_uvd_cs_msg(struct rade |
| return -EINVAL; |
| } |
| |
| - if (msg_type == 1) { |
| + switch (msg_type) { |
| + case 0: |
| + /* it's a create msg, calc image size (width * height) */ |
| + img_size = msg[7] * msg[8]; |
| + radeon_bo_kunmap(bo); |
| + |
| + /* try to alloc a new handle */ |
| + for (i = 0; i < RADEON_MAX_UVD_HANDLES; ++i) { |
| + if (atomic_read(&p->rdev->uvd.handles[i]) == handle) { |
| + DRM_ERROR("Handle 0x%x already in use!\n", handle); |
| + return -EINVAL; |
| + } |
| + |
| + if (!atomic_cmpxchg(&p->rdev->uvd.handles[i], 0, handle)) { |
| + p->rdev->uvd.filp[i] = p->filp; |
| + p->rdev->uvd.img_size[i] = img_size; |
| + return 0; |
| + } |
| + } |
| + |
| + DRM_ERROR("No more free UVD handles!\n"); |
| + return -EINVAL; |
| + |
| + case 1: |
| /* it's a decode msg, calc buffer sizes */ |
| r = radeon_uvd_cs_msg_decode(msg, buf_sizes); |
| - /* calc image size (width * height) */ |
| - img_size = msg[6] * msg[7]; |
| radeon_bo_kunmap(bo); |
| if (r) |
| return r; |
| |
| - } else if (msg_type == 2) { |
| + /* validate the handle */ |
| + for (i = 0; i < RADEON_MAX_UVD_HANDLES; ++i) { |
| + if (atomic_read(&p->rdev->uvd.handles[i]) == handle) { |
| + if (p->rdev->uvd.filp[i] != p->filp) { |
| + DRM_ERROR("UVD handle collision detected!\n"); |
| + return -EINVAL; |
| + } |
| + return 0; |
| + } |
| + } |
| + |
| + DRM_ERROR("Invalid UVD handle 0x%x!\n", handle); |
| + return -ENOENT; |
| + |
| + case 2: |
| /* it's a destroy msg, free the handle */ |
| for (i = 0; i < RADEON_MAX_UVD_HANDLES; ++i) |
| atomic_cmpxchg(&p->rdev->uvd.handles[i], handle, 0); |
| radeon_bo_kunmap(bo); |
| return 0; |
| - } else { |
| - /* it's a create msg, calc image size (width * height) */ |
| - img_size = msg[7] * msg[8]; |
| - radeon_bo_kunmap(bo); |
| - |
| - if (msg_type != 0) { |
| - DRM_ERROR("Illegal UVD message type (%d)!\n", msg_type); |
| - return -EINVAL; |
| - } |
| |
| - /* it's a create msg, no special handling needed */ |
| - } |
| - |
| - /* create or decode, validate the handle */ |
| - for (i = 0; i < RADEON_MAX_UVD_HANDLES; ++i) { |
| - if (atomic_read(&p->rdev->uvd.handles[i]) == handle) |
| - return 0; |
| - } |
| + default: |
| |
| - /* handle not found try to alloc a new one */ |
| - for (i = 0; i < RADEON_MAX_UVD_HANDLES; ++i) { |
| - if (!atomic_cmpxchg(&p->rdev->uvd.handles[i], 0, handle)) { |
| - p->rdev->uvd.filp[i] = p->filp; |
| - p->rdev->uvd.img_size[i] = img_size; |
| - return 0; |
| - } |
| + DRM_ERROR("Illegal UVD message type (%d)!\n", msg_type); |
| + return -EINVAL; |
| } |
| |
| - DRM_ERROR("No more free UVD handles!\n"); |
| + BUG(); |
| return -EINVAL; |
| } |
| |