mirror of https://gitee.com/openkylin/linux.git
drm/radeon: make VCE handle check more strict
Invalid handles can crash the hw. Signed-off-by: Christian König <christian.koenig@amd.com> CC: stable@vger.kernel.org Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
This commit is contained in:
Christian König
Alex Deucher
parent
247c405098
commit
29c63fe22a
|
|
@ -493,18 +493,27 @@ int radeon_vce_cs_reloc(struct radeon_cs_parser *p, int lo, int hi,
|
||||||
*
|
*
|
||||||
* @p: parser context
|
* @p: parser context
|
||||||
* @handle: handle to validate
|
* @handle: handle to validate
|
||||||
|
* @allocated: allocated a new handle?
|
||||||
*
|
*
|
||||||
* Validates the handle and return the found session index or -EINVAL
|
* Validates the handle and return the found session index or -EINVAL
|
||||||
* we we don't have another free session index.
|
* we we don't have another free session index.
|
||||||
*/
|
*/
|
||||||
int radeon_vce_validate_handle(struct radeon_cs_parser *p, uint32_t handle)
|
static int radeon_vce_validate_handle(struct radeon_cs_parser *p,
|
||||||
|
uint32_t handle, bool *allocated)
|
||||||
{
|
{
|
||||||
unsigned i;
|
unsigned i;
|
||||||
|
|
||||||
|
*allocated = false;
|
||||||
|
|
||||||
/* validate the handle */
|
/* validate the handle */
|
||||||
for (i = 0; i < RADEON_MAX_VCE_HANDLES; ++i) {
|
for (i = 0; i < RADEON_MAX_VCE_HANDLES; ++i) {
|
||||||
if (atomic_read(&p->rdev->vce.handles[i]) == handle)
|
if (atomic_read(&p->rdev->vce.handles[i]) == handle) {
|
||||||
|
if (p->rdev->vce.filp[i] != p->filp) {
|
||||||
|
DRM_ERROR("VCE handle collision detected!\n");
|
||||||
|
return -EINVAL;
|
||||||
|
}
|
||||||
return i;
|
return i;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
/* handle not found try to alloc a new one */
|
/* handle not found try to alloc a new one */
|
||||||
|
|
@ -512,6 +521,7 @@ int radeon_vce_validate_handle(struct radeon_cs_parser *p, uint32_t handle)
|
||||||
if (!atomic_cmpxchg(&p->rdev->vce.handles[i], 0, handle)) {
|
if (!atomic_cmpxchg(&p->rdev->vce.handles[i], 0, handle)) {
|
||||||
p->rdev->vce.filp[i] = p->filp;
|
p->rdev->vce.filp[i] = p->filp;
|
||||||
p->rdev->vce.img_size[i] = 0;
|
p->rdev->vce.img_size[i] = 0;
|
||||||
|
*allocated = true;
|
||||||
return i;
|
return i;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
@ -529,10 +539,10 @@ int radeon_vce_validate_handle(struct radeon_cs_parser *p, uint32_t handle)
|
||||||
int radeon_vce_cs_parse(struct radeon_cs_parser *p)
|
int radeon_vce_cs_parse(struct radeon_cs_parser *p)
|
||||||
{
|
{
|
||||||
int session_idx = -1;
|
int session_idx = -1;
|
||||||
bool destroyed = false;
|
bool destroyed = false, created = false, allocated = false;
|
||||||
uint32_t tmp, handle = 0;
|
uint32_t tmp, handle = 0;
|
||||||
uint32_t *size = &tmp;
|
uint32_t *size = &tmp;
|
||||||
int i, r;
|
int i, r = 0;
|
||||||
|
|
||||||
while (p->idx < p->chunk_ib->length_dw) {
|
while (p->idx < p->chunk_ib->length_dw) {
|
||||||
uint32_t len = radeon_get_ib_value(p, p->idx);
|
uint32_t len = radeon_get_ib_value(p, p->idx);
|
||||||
|
|
@ -540,18 +550,21 @@ int radeon_vce_cs_parse(struct radeon_cs_parser *p)
|
||||||
|
|
||||||
if ((len < 8) || (len & 3)) {
|
if ((len < 8) || (len & 3)) {
|
||||||
DRM_ERROR("invalid VCE command length (%d)!\n", len);
|
DRM_ERROR("invalid VCE command length (%d)!\n", len);
|
||||||
return -EINVAL;
|
r = -EINVAL;
|
||||||
|
goto out;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (destroyed) {
|
if (destroyed) {
|
||||||
DRM_ERROR("No other command allowed after destroy!\n");
|
DRM_ERROR("No other command allowed after destroy!\n");
|
||||||
return -EINVAL;
|
r = -EINVAL;
|
||||||
|
goto out;
|
||||||
}
|
}
|
||||||
|
|
||||||
switch (cmd) {
|
switch (cmd) {
|
||||||
case 0x00000001: // session
|
case 0x00000001: // session
|
||||||
handle = radeon_get_ib_value(p, p->idx + 2);
|
handle = radeon_get_ib_value(p, p->idx + 2);
|
||||||
session_idx = radeon_vce_validate_handle(p, handle);
|
session_idx = radeon_vce_validate_handle(p, handle,
|
||||||
|
&allocated);
|
||||||
if (session_idx < 0)
|
if (session_idx < 0)
|
||||||
return session_idx;
|
return session_idx;
|
||||||
size = &p->rdev->vce.img_size[session_idx];
|
size = &p->rdev->vce.img_size[session_idx];
|
||||||
|
|
@ -561,6 +574,13 @@ int radeon_vce_cs_parse(struct radeon_cs_parser *p)
|
||||||
break;
|
break;
|
||||||
|
|
||||||
case 0x01000001: // create
|
case 0x01000001: // create
|
||||||
|
created = true;
|
||||||
|
if (!allocated) {
|
||||||
|
DRM_ERROR("Handle already in use!\n");
|
||||||
|
r = -EINVAL;
|
||||||
|
goto out;
|
||||||
|
}
|
||||||
|
|
||||||
*size = radeon_get_ib_value(p, p->idx + 8) *
|
*size = radeon_get_ib_value(p, p->idx + 8) *
|
||||||
radeon_get_ib_value(p, p->idx + 10) *
|
radeon_get_ib_value(p, p->idx + 10) *
|
||||||
8 * 3 / 2;
|
8 * 3 / 2;
|
||||||
|
|
@ -578,12 +598,12 @@ int radeon_vce_cs_parse(struct radeon_cs_parser *p)
|
||||||
r = radeon_vce_cs_reloc(p, p->idx + 10, p->idx + 9,
|
r = radeon_vce_cs_reloc(p, p->idx + 10, p->idx + 9,
|
||||||
*size);
|
*size);
|
||||||
if (r)
|
if (r)
|
||||||
return r;
|
goto out;
|
||||||
|
|
||||||
r = radeon_vce_cs_reloc(p, p->idx + 12, p->idx + 11,
|
r = radeon_vce_cs_reloc(p, p->idx + 12, p->idx + 11,
|
||||||
*size / 3);
|
*size / 3);
|
||||||
if (r)
|
if (r)
|
||||||
return r;
|
goto out;
|
||||||
break;
|
break;
|
||||||
|
|
||||||
case 0x02000001: // destroy
|
case 0x02000001: // destroy
|
||||||
|
|
@ -594,7 +614,7 @@ int radeon_vce_cs_parse(struct radeon_cs_parser *p)
|
||||||
r = radeon_vce_cs_reloc(p, p->idx + 3, p->idx + 2,
|
r = radeon_vce_cs_reloc(p, p->idx + 3, p->idx + 2,
|
||||||
*size * 2);
|
*size * 2);
|
||||||
if (r)
|
if (r)
|
||||||
return r;
|
goto out;
|
||||||
break;
|
break;
|
||||||
|
|
||||||
case 0x05000004: // video bitstream buffer
|
case 0x05000004: // video bitstream buffer
|
||||||
|
|
@ -602,36 +622,47 @@ int radeon_vce_cs_parse(struct radeon_cs_parser *p)
|
||||||
r = radeon_vce_cs_reloc(p, p->idx + 3, p->idx + 2,
|
r = radeon_vce_cs_reloc(p, p->idx + 3, p->idx + 2,
|
||||||
tmp);
|
tmp);
|
||||||
if (r)
|
if (r)
|
||||||
return r;
|
goto out;
|
||||||
break;
|
break;
|
||||||
|
|
||||||
case 0x05000005: // feedback buffer
|
case 0x05000005: // feedback buffer
|
||||||
r = radeon_vce_cs_reloc(p, p->idx + 3, p->idx + 2,
|
r = radeon_vce_cs_reloc(p, p->idx + 3, p->idx + 2,
|
||||||
4096);
|
4096);
|
||||||
if (r)
|
if (r)
|
||||||
return r;
|
goto out;
|
||||||
break;
|
break;
|
||||||
|
|
||||||
default:
|
default:
|
||||||
DRM_ERROR("invalid VCE command (0x%x)!\n", cmd);
|
DRM_ERROR("invalid VCE command (0x%x)!\n", cmd);
|
||||||
return -EINVAL;
|
r = -EINVAL;
|
||||||
|
goto out;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (session_idx == -1) {
|
if (session_idx == -1) {
|
||||||
DRM_ERROR("no session command at start of IB\n");
|
DRM_ERROR("no session command at start of IB\n");
|
||||||
return -EINVAL;
|
r = -EINVAL;
|
||||||
|
goto out;
|
||||||
}
|
}
|
||||||
|
|
||||||
p->idx += len / 4;
|
p->idx += len / 4;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (destroyed) {
|
if (allocated && !created) {
|
||||||
/* IB contains a destroy msg, free the handle */
|
DRM_ERROR("New session without create command!\n");
|
||||||
|
r = -ENOENT;
|
||||||
|
}
|
||||||
|
|
||||||
|
out:
|
||||||
|
if ((!r && destroyed) || (r && allocated)) {
|
||||||
|
/*
|
||||||
|
* IB contains a destroy msg or we have allocated an
|
||||||
|
* handle and got an error, anyway free the handle
|
||||||
|
*/
|
||||||
for (i = 0; i < RADEON_MAX_VCE_HANDLES; ++i)
|
for (i = 0; i < RADEON_MAX_VCE_HANDLES; ++i)
|
||||||
atomic_cmpxchg(&p->rdev->vce.handles[i], handle, 0);
|
atomic_cmpxchg(&p->rdev->vce.handles[i], handle, 0);
|
||||||
}
|
}
|
||||||
|
|
||||||
return 0;
|
return r;
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue