Commit 1799c761 authored by Christopher Snowhill's avatar Christopher Snowhill Committed by Rodrigo Vivi
Browse files

drm/xe: Validate uAPI padding and reserved fields 



Padding and reserved fields are declared such that they must be
zeroed, so verify that they're all zero in the respective ioctl
functions.

Derived from original patch by mlankhorst.

v2:
	Removed extensions checks where there were none originally. (José)
	Moved extraneous parentheses to the correct places. (Lucas)

Signed-off-by: default avatarMaarten Lankhorst <maarten.lankhorst@linux.intel.com>
Signed-off-by: default avatarChristopher Snowhill <kode54@gmail.com>
Reviewed-by: default avatarJosé Roberto de Souza <jose.souza@intel.com>
Signed-off-by: default avatarLucas De Marchi <lucas.demarchi@intel.com>
Signed-off-by: default avatarRodrigo Vivi <rodrigo.vivi@intel.com>
parent e2bd81af

drivers/gpu/drm/xe/xe_bo.c

+4 −2
Original line number Diff line number Diff line
@@ -1646,7 +1646,8 @@ int xe_gem_create_ioctl(struct drm_device *dev, void *data, 
	u32 handle;

	int err;



	if (XE_IOCTL_ERR(xe, args->extensions))

	if (XE_IOCTL_ERR(xe, args->extensions) || XE_IOCTL_ERR(xe, args->pad) ||

	    XE_IOCTL_ERR(xe, args->reserved[0] || args->reserved[1]))

		return -EINVAL;



	if (XE_IOCTL_ERR(xe, args->flags &
@@ -1716,7 +1717,8 @@ int xe_gem_mmap_offset_ioctl(struct drm_device *dev, void *data, 
	struct drm_xe_gem_mmap_offset *args = data;

	struct drm_gem_object *gem_obj;



	if (XE_IOCTL_ERR(xe, args->extensions))

	if (XE_IOCTL_ERR(xe, args->extensions) ||

	    XE_IOCTL_ERR(xe, args->reserved[0] || args->reserved[1]))

		return -EINVAL;



	if (XE_IOCTL_ERR(xe, args->flags))

drivers/gpu/drm/xe/xe_engine.c

+14 −4
Original line number Diff line number Diff line
@@ -348,7 +348,8 @@ static int engine_user_ext_set_property(struct xe_device *xe, 
		return -EFAULT;



	if (XE_IOCTL_ERR(xe, ext.property >=

			 ARRAY_SIZE(engine_set_property_funcs)))

			 ARRAY_SIZE(engine_set_property_funcs)) ||

	    XE_IOCTL_ERR(xe, ext.pad))

		return -EINVAL;



	idx = array_index_nospec(ext.property, ARRAY_SIZE(engine_set_property_funcs));
@@ -380,7 +381,8 @@ static int engine_user_extensions(struct xe_device *xe, struct xe_engine *e, 
	if (XE_IOCTL_ERR(xe, err))

		return -EFAULT;



	if (XE_IOCTL_ERR(xe, ext.name >=

	if (XE_IOCTL_ERR(xe, ext.pad) ||

	    XE_IOCTL_ERR(xe, ext.name >=

			 ARRAY_SIZE(engine_user_extension_funcs)))

		return -EINVAL;
@@ -523,7 +525,8 @@ int xe_engine_create_ioctl(struct drm_device *dev, void *data, 
	int len;

	int err;



	if (XE_IOCTL_ERR(xe, args->flags))

	if (XE_IOCTL_ERR(xe, args->flags) ||

	    XE_IOCTL_ERR(xe, args->reserved[0] || args->reserved[1]))

		return -EINVAL;



	len = args->width * args->num_placements;
@@ -639,6 +642,9 @@ int xe_engine_get_property_ioctl(struct drm_device *dev, void *data, 
	struct drm_xe_engine_get_property *args = data;

	struct xe_engine *e;



	if (XE_IOCTL_ERR(xe, args->reserved[0] || args->reserved[1]))

		return -EINVAL;



	mutex_lock(&xef->engine.lock);

	e = xa_load(&xef->engine.xa, args->engine_id);

	mutex_unlock(&xef->engine.lock);
@@ -718,7 +724,8 @@ int xe_engine_destroy_ioctl(struct drm_device *dev, void *data, 
	struct drm_xe_engine_destroy *args = data;

	struct xe_engine *e;



	if (XE_IOCTL_ERR(xe, args->pad))

	if (XE_IOCTL_ERR(xe, args->pad) ||

	    XE_IOCTL_ERR(xe, args->reserved[0] || args->reserved[1]))

		return -EINVAL;



	mutex_lock(&xef->engine.lock);
@@ -748,6 +755,9 @@ int xe_engine_set_property_ioctl(struct drm_device *dev, void *data, 
	int ret;

	u32 idx;



	if (XE_IOCTL_ERR(xe, args->reserved[0] || args->reserved[1]))

		return -EINVAL;



	e = xe_engine_lookup(xef, args->engine_id);

	if (XE_IOCTL_ERR(xe, !e))

		return -ENOENT;

drivers/gpu/drm/xe/xe_exec.c

+3 −1
Original line number Diff line number Diff line
@@ -181,7 +181,9 @@ int xe_exec_ioctl(struct drm_device *dev, void *data, struct drm_file *file) 
	bool write_locked;

	int err = 0;



	if (XE_IOCTL_ERR(xe, args->extensions))

	if (XE_IOCTL_ERR(xe, args->extensions) ||

	    XE_IOCTL_ERR(xe, args->pad[0] || args->pad[1] || args->pad[2]) ||

	    XE_IOCTL_ERR(xe, args->reserved[0] || args->reserved[1]))

		return -EINVAL;



	engine = xe_engine_lookup(xef, args->engine_id);

drivers/gpu/drm/xe/xe_mmio.c

+2 −1
Original line number Diff line number Diff line
@@ -404,7 +404,8 @@ int xe_mmio_ioctl(struct drm_device *dev, void *data, 
	bool allowed;

	int ret = 0;



	if (XE_IOCTL_ERR(xe, args->extensions))

	if (XE_IOCTL_ERR(xe, args->extensions) ||

	    XE_IOCTL_ERR(xe, args->reserved[0] || args->reserved[1]))

		return -EINVAL;



	if (XE_IOCTL_ERR(xe, args->flags & ~VALID_MMIO_FLAGS))

drivers/gpu/drm/xe/xe_query.c

+2 −1
Original line number Diff line number Diff line
@@ -374,7 +374,8 @@ int xe_query_ioctl(struct drm_device *dev, void *data, struct drm_file *file) 
	struct drm_xe_device_query *query = data;

	u32 idx;



	if (XE_IOCTL_ERR(xe, query->extensions != 0))

	if (XE_IOCTL_ERR(xe, query->extensions) ||

	    XE_IOCTL_ERR(xe, query->reserved[0] || query->reserved[1]))

		return -EINVAL;



	if (XE_IOCTL_ERR(xe, query->query > ARRAY_SIZE(xe_query_funcs)))