CHROMIUM: img-rogue: check invalid annotation size in PMRs

This change adds a check for the annotation pointer and size
passed from the client driver to the PhysmemNewRamBackedPMR()
function. We expect the annotation to always be passed from
user space.

It also added a missing check if both ui32NumPhysChunks and
ui32NumVirtChunks are 0. If both those values are 0 the
function call doesn't make sense as it would mean that we're
trying to allocate memory of size 0.

BUG=b:180769981
TEST=Run syzkaller

Change-Id: Ie71d4b36e61fe1b29d8114b8621fa773518b35e3
Signed-off-by: Luigi Santivetti <luigi.santivetti@imagination.corp-partner.google.com>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/third_party/kernel/+/2720329
Reviewed-by: Hsin-Yi Wang <hsinyi@chromium.org>
Commit-Queue: Hsin-Yi Wang <hsinyi@chromium.org>
diff --git a/drivers/gpu/drm/img-rogue/1.13/physmem.c b/drivers/gpu/drm/img-rogue/1.13/physmem.c
index c4cbf43..03e1d09 100644
--- a/drivers/gpu/drm/img-rogue/1.13/physmem.c
+++ b/drivers/gpu/drm/img-rogue/1.13/physmem.c
@@ -278,6 +278,16 @@
 	IMG_BOOL bIsSparse = (ui32NumVirtChunks != ui32NumPhysChunks ||
 			ui32NumVirtChunks > 1) ? IMG_TRUE : IMG_FALSE;
 
+	if (ui32NumPhysChunks == 0 && ui32NumVirtChunks == 0)
+	{
+		PVR_DPF((PVR_DBG_ERROR,
+			 "%s: Number of physical chunks and number of virtual chunks "
+			 "cannot be both 0",
+			 __func__));
+
+		return PVRSRV_ERROR_INVALID_PARAMS;
+	}
+
 	/* Protect against ridiculous page sizes */
 	if (uiLog2AllocPageSize > RGX_HEAP_2MB_PAGE_SHIFT)
 	{
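Review bot: The new guard rejects only the case where both counts are zero, so a call with `ui32NumVirtChunks == 0` and a nonzero `ui32NumPhysChunks` still passes it, and is marked sparse by the `bIsSparse` expression just above because the counts differ. If the virtual chunk count is what determines the logical size, which the commit message's "memory of size 0" wording suggests, the zero-size condition is `ui32NumVirtChunks == 0` on its own. A companion test such as `ui32NumPhysChunks > ui32NumVirtChunks` would reject the inconsistent combination. The rest of the function lies outside the hunk, so a later check may already cover this; it is worth confirming, because these values appear to be caller-controlled.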
@@ -420,7 +430,8 @@
 	PFN_SYS_DEV_CHECK_MEM_ALLOC_SIZE pfnCheckMemAllocSize =
 		psDevNode->psDevConfig->pfnCheckMemAllocSize;
 
-	PVR_UNREFERENCED_PARAMETER(uiAnnotationLength);
+	PVR_LOG_RETURN_IF_INVALID_PARAM(uiAnnotationLength != 0, "uiAnnotationLength");
+	PVR_LOG_RETURN_IF_INVALID_PARAM(pszAnnotation != NULL, "pszAnnotation");
 
 	eError = _ValidateParams(ui32NumPhysChunks,
 	                         ui32NumVirtChunks,
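Review bot: The two added checks only establish that `uiAnnotationLength` is nonzero and `pszAnnotation` is non-NULL; nothing here bounds the length from above or confirms that the string is NUL-terminated within `uiAnnotationLength` bytes. The commit message says the annotation is supplied from user space, so any later copy or string-length call on it depends on both properties. I would add an upper-bound check against the driver's maximum annotation length and a termination check, both in the same `PVR_LOG_RETURN_IF_INVALID_PARAM` form. The pmr.c hunk has the same gap: it tests only `pszAnnotation != NULL` and never looks at a length. The enclosing function starts and ends outside this hunk, so whether the bridge layer already enforces these limits cannot be seen from here.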
diff --git a/drivers/gpu/drm/img-rogue/1.13/pmr.c b/drivers/gpu/drm/img-rogue/1.13/pmr.c
index 4747520..e64c6bc 100644
--- a/drivers/gpu/drm/img-rogue/1.13/pmr.c
+++ b/drivers/gpu/drm/img-rogue/1.13/pmr.c
@@ -593,6 +593,8 @@
 	PMR *psPMR = NULL;
 	PVRSRV_ERROR eError;
 
+	PVR_LOG_RETURN_IF_INVALID_PARAM(pszAnnotation != NULL, "pszAnnotation");
+
 	eError = _PMRCreate(uiLogicalSize,
 	                    uiChunkSize,
 	                    ui32NumPhysChunks,