linux/drivers/gpu/drm/tegra
Dmitry Osipenko 368f622c0d drm/tegra: Check for malformed offsets and sizes in the 'submit' IOCTL
If commands buffer claims a number of words that is higher than its BO can
fit, a kernel OOPS will be fired on the out-of-bounds BO access. This was
triggered by an opentegra Xorg driver that erroneously pushed too many
commands to the pushbuf.

The CDMA commands buffer address is 4 bytes aligned, so check its
alignment.

The maximum number of the CDMA gather fetches is 16383, add a check for
it.

Add a sanity check for the relocations in a same way.

[   46.829393] Unable to handle kernel paging request at virtual address f09b2000
...
[<c04a3ba4>] (host1x_job_pin) from [<c04dfcd0>] (tegra_drm_submit+0x474/0x510)
[<c04dfcd0>] (tegra_drm_submit) from [<c04deea0>] (tegra_submit+0x50/0x6c)
[<c04deea0>] (tegra_submit) from [<c04c07c0>] (drm_ioctl+0x1e4/0x3ec)
[<c04c07c0>] (drm_ioctl) from [<c02541a0>] (do_vfs_ioctl+0x9c/0x8e4)
[<c02541a0>] (do_vfs_ioctl) from [<c0254a1c>] (SyS_ioctl+0x34/0x5c)
[<c0254a1c>] (SyS_ioctl) from [<c0107640>] (ret_fast_syscall+0x0/0x3c)

Signed-off-by: Dmitry Osipenko <digetx@gmail.com>
Reviewed-by: Erik Faye-Lund <kusmabite@gmail.com>
Reviewed-by: Mikko Perttunen <mperttunen@nvidia.com>
Signed-off-by: Thierry Reding <treding@nvidia.com>
2017-06-15 14:16:07 +02:00
..
dc.c drm/tegra: Don't use modeset_lock_crtc 2017-03-27 17:50:47 +02:00
dc.h drm/tegra: sor: Add HDMI support 2015-08-13 13:49:37 +02:00
dpaux.c drm/tegra: dpaux: Fix error handling 2016-11-07 12:58:12 +01:00
dpaux.h drm/tegra: dpaux: Configure pads as I2C by default 2015-08-13 13:47:47 +02:00
drm.c drm/tegra: Check for malformed offsets and sizes in the 'submit' IOCTL 2017-06-15 14:16:07 +02:00
drm.h drm/tegra: Changes for v4.12-rc1 2017-05-05 11:47:01 +10:00
dsi.c drm/tegra: dsi: Enhance runtime power management 2016-08-24 15:58:57 +02:00
dsi.h drm/tegra: dsi: Add Tegra210 support 2015-08-13 13:47:45 +02:00
falcon.c drm/tegra: Add falcon helper library 2017-04-05 18:11:47 +02:00
falcon.h drm/tegra: Add falcon helper library 2017-04-05 18:11:47 +02:00
fb.c drm/tegra: Changes for v4.12-rc1 2017-05-05 11:47:01 +10:00
gem.c drm/tegra: Check for malformed offsets and sizes in the 'submit' IOCTL 2017-06-15 14:16:07 +02:00
gem.h drm/tegra: Check for malformed offsets and sizes in the 'submit' IOCTL 2017-06-15 14:16:07 +02:00
gr2d.c drm/tegra: add MODULE_DEVICE_TABLEs 2014-08-04 10:07:39 +02:00
gr2d.h drm/tegra: Use symbolic names for gr2d registers 2013-10-31 09:55:44 +01:00
gr3d.c drm/tegra: Fix error handling 2016-11-07 13:01:42 +01:00
gr3d.h drm/tegra: Add 3D support 2013-10-31 09:55:45 +01:00
hdmi.c drm/tegra: Changes for v4.8-rc1 2016-07-16 11:23:50 +10:00
hdmi.h drm/tegra: hdmi: Enable audio over HDMI 2016-07-04 11:34:31 +02:00
Kconfig drm/tegra: Enable IOVA API when IOMMU support is enabled 2017-04-05 18:11:43 +02:00
Makefile drm/tegra: Add VIC support 2017-04-05 18:11:48 +02:00
mipi-phy.c drm/tegra: dsi: Adjust D-PHY timing 2015-01-27 10:14:40 +01:00
mipi-phy.h drm/tegra: Relicense under GPL v2 2014-04-04 09:12:51 +02:00
output.c drm/tegra: Changes for v4.8-rc1 2016-07-16 11:23:50 +10:00
rgb.c drm: tegra: Rely on the default ->best_encoder() behavior 2016-06-10 17:24:48 +02:00
sor.c drm/tegra: sor: No need to free devm_ allocated memory 2016-11-07 13:03:41 +01:00
sor.h drm/tegra: sor: Do not support deep color modes 2016-07-04 11:33:21 +02:00
vic.c drm/tegra: Add VIC support 2017-04-05 18:11:48 +02:00
vic.h drm/tegra: Add VIC support 2017-04-05 18:11:48 +02:00