From: Rob Clark
To: dri-devel@lists.freedesktop.org
Cc: linux-arm-msm@vger.kernel.org, freedreno@lists.freedesktop.org, Akhil P Oommen, Connor Abbott, Rob Clark, Dmitry Baryshkov, Abhinav Kumar, Jessica Zhang, Sean Paul, Marijn Suijten, David Airlie, Simona Vetter, linux-kernel@vger.kernel.org (open list)
Subject: [PATCH 1/3] drm/msm: Fix obj leak in VM_BIND error path
Date: Tue, 19 Aug 2025 16:29:01 -0700
Message-ID: <20250819232905.207547-2-robin.clark@oss.qualcomm.com>
In-Reply-To: <20250819232905.207547-1-robin.clark@oss.qualcomm.com>
References: <20250819232905.207547-1-robin.clark@oss.qualcomm.com>

If we fail a handle-lookup part way thru, we need to drop the already obtained obj references.

Fixes: 2e6a8a1fe2b2 ("drm/msm: Add VM_BIND ioctl")
Signed-off-by: Rob Clark
Tested-by: Connor Abbott
---
 drivers/gpu/drm/msm/msm_gem_vma.c | 25 +++++++++++++++++++------
 1 file changed, 19 insertions(+), 6 deletions(-)

diff --git a/drivers/gpu/drm/msm/msm_gem_vma.c b/drivers/gpu/drm/msm/msm_ge= m_vma.c index 00d0f3b7ba32..209154be5efc 100644 --- a/drivers/gpu/drm/msm/msm_gem_vma.c +++ b/drivers/gpu/drm/msm/msm_gem_vma.c @@ -1023,6 +1023,7 @@ vm_bind_job_lookup_ops(struct msm_vm_bind_job *job, s= truct drm_msm_vm_bind *args struct drm_device *dev =3D job->vm->drm; int ret =3D 0; int cnt =3D 0; + int i =3D -1; =20 if (args->nr_ops =3D=3D 1) { /* Single op case, the op is inlined: */ @@ -1056,11 +1057,12 @@ vm_bind_job_lookup_ops(struct msm_vm_bind_job *job,= struct drm_msm_vm_bind *args =20 spin_lock(&file->table_lock); =20 - for (unsigned i =3D 0; i < args->nr_ops; i++) { + for (i =3D 0; i < args->nr_ops; i++) { + struct msm_vm_bind_op *op =3D &job->ops[i]; struct drm_gem_object *obj; =20 - if (!job->ops[i].handle) { - job->ops[i].obj =3D NULL; + if (!op->handle) { + op->obj =3D NULL; continue; } =20 
@@ -1068,15 +1070,15 @@ vm_bind_job_lookup_ops(struct msm_vm_bind_job *job,= struct drm_msm_vm_bind *args * normally use drm_gem_object_lookup(), but for bulk lookup * all under single table_lock just hit object_idr directly: */ - obj =3D idr_find(&file->object_idr, job->ops[i].handle); + obj =3D idr_find(&file->object_idr, op->handle); if (!obj) { - ret =3D UERR(EINVAL, dev, "invalid handle %u at index %u\n", job->ops[i= ].handle, i); + ret =3D UERR(EINVAL, dev, "invalid handle %u at index %u\n", op->handle= , i); goto out_unlock; } =20 drm_gem_object_get(obj); =20 - job->ops[i].obj =3D obj; + op->obj =3D obj; cnt++; } =20 
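Review bot: The UERR message in this hunk still formats the index with `%u` (`"invalid handle %u at index %u\n", op->handle, i`) although `i` is now a signed int, declared as `int i = -1` at the top of the function. Use `%d` here, or keep the loop index unsigned and track the unwind position in a separate signed variable, which would also avoid a mixed-sign comparison in `i < args->nr_ops` if nr_ops is unsigned.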
@@ -1085,6 +1087,17 @@ vm_bind_job_lookup_ops(struct msm_vm_bind_job *job, = struct drm_msm_vm_bind *args out_unlock: spin_unlock(&file->table_lock); =20 + if (ret) { + for (; i >=3D 0; i--) { + struct msm_vm_bind_op *op =3D &job->ops[i]; + + if (!op->obj) + continue; + + drm_gem_object_put(op->obj); + op->obj =3D NULL; + } + } out: return ret; } --=20 2.50.1

From: Rob Clark
To: dri-devel@lists.freedesktop.org
Cc: linux-arm-msm@vger.kernel.org, freedreno@lists.freedesktop.org, Akhil P Oommen, Connor Abbott, Rob Clark, Dmitry Baryshkov, Abhinav Kumar, Jessica Zhang, Sean Paul, Marijn Suijten, David Airlie, Simona Vetter, linux-kernel@vger.kernel.org (open list)
Subject: [PATCH 2/3] drm/msm: Fix missing VM_BIND offset/range validation
Date: Tue, 19 Aug 2025 16:29:02 -0700
Message-ID: <20250819232905.207547-3-robin.clark@oss.qualcomm.com>
In-Reply-To: <20250819232905.207547-1-robin.clark@oss.qualcomm.com>
References: <20250819232905.207547-1-robin.clark@oss.qualcomm.com>

We need to reject the MAP op if offset+range is larger than the BO size.

Reported-by: Connor Abbott
Fixes: 2e6a8a1fe2b2 ("drm/msm: Add VM_BIND ioctl")
Signed-off-by: Rob Clark
Tested-by: Connor Abbott
---
 drivers/gpu/drm/msm/msm_gem_vma.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/drivers/gpu/drm/msm/msm_gem_vma.c b/drivers/gpu/drm/msm/msm_ge= m_vma.c index 209154be5efc..381a0853c05b 100644 --- a/drivers/gpu/drm/msm/msm_gem_vma.c +++ b/drivers/gpu/drm/msm/msm_gem_vma.c 
@@ -1080,6 +1080,12 @@ vm_bind_job_lookup_ops(struct msm_vm_bind_job *job, = struct drm_msm_vm_bind *args =20 op->obj =3D obj; cnt++; + + if ((op->range + op->obj_offset) > obj->size) { + ret =3D UERR(EINVAL, dev, "invalid range: %016llx + %016llx > %016zx\n", + op->range, op->obj_offset, obj->size); + goto out_unlock; + } } =20 *nr_bos =3D cnt; --=20 2.50.1

From: Rob Clark
To: dri-devel@lists.freedesktop.org
Cc: linux-arm-msm@vger.kernel.org, freedreno@lists.freedesktop.org, Akhil P Oommen, Connor Abbott, Rob Clark, Dmitry Baryshkov, Abhinav Kumar, Jessica Zhang, Sean Paul, Marijn Suijten, David Airlie, Simona Vetter, linux-kernel@vger.kernel.org (open list)
Subject: [PATCH 3/3] drm/msm: Fix 32b size truncation
Date: Tue, 19 Aug 2025 16:29:03 -0700
Message-ID: <20250819232905.207547-4-robin.clark@oss.qualcomm.com>
In-Reply-To: <20250819232905.207547-1-robin.clark@oss.qualcomm.com>
References: <20250819232905.207547-1-robin.clark@oss.qualcomm.com>

Somehow we never noticed this when arm64 became a thing, many years ago.

Signed-off-by: Rob Clark
Tested-by: Connor Abbott
---
 drivers/gpu/drm/msm/msm_gem.c | 17 ++++++++---------
 drivers/gpu/drm/msm/msm_gem.h | 6 +++---
 2 files changed, 11 insertions(+), 12 deletions(-)

diff --git a/drivers/gpu/drm/msm/msm_gem.c b/drivers/gpu/drm/msm/msm_gem.c index 958bac4e2768..9a935650e5e3 100644 --- a/drivers/gpu/drm/msm/msm_gem.c +++ b/drivers/gpu/drm/msm/msm_gem.c @@ -1142,7 +1142,7 @@ static int msm_gem_object_mmap(struct drm_gem_object = *obj, struct vm_area_struct =20 /* convenience method to construct a GEM buffer object, and userspace hand= le */ int msm_gem_new_handle(struct drm_device *dev, struct drm_file *file, - uint32_t size, uint32_t flags, uint32_t *handle, + size_t size, uint32_t flags, uint32_t *handle, char *name) { struct drm_gem_object *obj; @@ -1208,9 +1208,8 @@ static const struct drm_gem_object_funcs msm_gem_obje= ct_funcs =3D { .vm_ops =3D &vm_ops, }; =20 -static int msm_gem_new_impl(struct drm_device *dev, - uint32_t size, uint32_t flags, - struct drm_gem_object **obj) +static int msm_gem_new_impl(struct drm_device *dev, uint32_t flags, + struct drm_gem_object **obj) { struct msm_drm_private *priv =3D dev->dev_private; struct msm_gem_object *msm_obj; @@ -1244,7 +1243,7 @@ static int msm_gem_new_impl(struct drm_device *dev, return 0; } =20 -struct drm_gem_object *msm_gem_new(struct drm_device *dev, uint32_t size, = uint32_t flags) +struct drm_gem_object *msm_gem_new(struct drm_device *dev, size_t size, ui= nt32_t flags) { struct msm_drm_private *priv =3D dev->dev_private; struct msm_gem_object *msm_obj; 
@@ -1259,7 +1258,7 @@ struct drm_gem_object *msm_gem_new(struct drm_device = *dev, uint32_t size, uint32 if (size =3D=3D 0) return ERR_PTR(-EINVAL); =20 - ret =3D msm_gem_new_impl(dev, size, flags, &obj); + ret =3D msm_gem_new_impl(dev, flags, &obj); if (ret) return ERR_PTR(ret); =20 @@ -1299,12 +1298,12 @@ struct drm_gem_object *msm_gem_import(struct drm_de= vice *dev, struct msm_drm_private *priv =3D dev->dev_private; struct msm_gem_object *msm_obj; struct drm_gem_object *obj; - uint32_t size; + size_t size; int ret, npages; =20 size =3D PAGE_ALIGN(dmabuf->size); =20 - ret =3D msm_gem_new_impl(dev, size, MSM_BO_WC, &obj); + ret =3D msm_gem_new_impl(dev, MSM_BO_WC, &obj); if (ret) return ERR_PTR(ret); =20 @@ -1347,7 +1346,7 @@ struct drm_gem_object *msm_gem_import(struct drm_devi= ce *dev, return ERR_PTR(ret); } =20 -void *msm_gem_kernel_new(struct drm_device *dev, uint32_t size, uint32_t f= lags, +void *msm_gem_kernel_new(struct drm_device *dev, size_t size, uint32_t fla= gs, struct drm_gpuvm *vm, struct drm_gem_object **bo, uint64_t *iova) { diff --git a/drivers/gpu/drm/msm/msm_gem.h b/drivers/gpu/drm/msm/msm_gem.h index 751c3b4965bc..a4cf31853c50 100644 --- a/drivers/gpu/drm/msm/msm_gem.h +++ b/drivers/gpu/drm/msm/msm_gem.h 
@@ -297,10 +297,10 @@ bool msm_gem_active(struct drm_gem_object *obj); int msm_gem_cpu_prep(struct drm_gem_object *obj, uint32_t op, ktime_t *tim= eout); int msm_gem_cpu_fini(struct drm_gem_object *obj); int msm_gem_new_handle(struct drm_device *dev, struct drm_file *file, - uint32_t size, uint32_t flags, uint32_t *handle, char *name); + size_t size, uint32_t flags, uint32_t *handle, char *name); struct drm_gem_object *msm_gem_new(struct drm_device *dev, - uint32_t size, uint32_t flags); -void *msm_gem_kernel_new(struct drm_device *dev, uint32_t size, uint32_t f= lags, + size_t size, uint32_t flags); +void *msm_gem_kernel_new(struct drm_device *dev, size_t size, uint32_t fla= gs, struct drm_gpuvm *vm, struct drm_gem_object **bo, uint64_t *iova); void msm_gem_kernel_put(struct drm_gem_object *bo, struct drm_gpuvm *vm); --=20 2.50.1
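
Review bot: In patch 1/3, the unwind loop added after `out_unlock:` starts at the failing index `i`, but the `if (!obj)` branch jumps to out_unlock before `op->obj = obj` runs for that index, so the `if (!op->obj)` test there reads whatever `job->ops[i].obj` held before the lookup. Setting `op->obj = NULL` in the `if (!obj)` branch before the `goto out_unlock` makes the unwind independent of how the ops array was initialized; otherwise add a comment stating that the array is zeroed at this point.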
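
Review bot: In patch 2/3, the new check `(op->range + op->obj_offset) > obj->size` adds two values that the error message prints as 64-bit (`%016llx`) before comparing, so a large offset plus range can wrap and pass the test unless both are bounded earlier in the ioctl. Use check_add_overflow(), or compare without the addition by rejecting when `op->obj_offset > obj->size` or `op->range > obj->size - op->obj_offset`.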
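
Review bot: In patch 3/3, the msm_gem_import() hunk widens `size` to size_t but leaves `npages` as an int in the adjacent declaration (`int ret, npages;`); if npages is computed from size, the page count can still truncate for very large imports, so it is worth widening in the same change. The commit message also has no Fixes: tag, unlike 1/3 and 2/3, and does not say which value is truncated or what the visible effect is; a sentence on both would help stable backports.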