From: Rob Clark
To: dri-devel@lists.freedesktop.org
Cc: linux-arm-msm@vger.kernel.org, freedreno@lists.freedesktop.org, Akhil P Oommen, Connor Abbott, Rob Clark, Dmitry Baryshkov, Abhinav Kumar, Jessica Zhang, Sean Paul, Marijn Suijten, David Airlie, Simona Vetter, linux-kernel@vger.kernel.org (open list)
Subject: [PATCH v2 1/3] drm/msm: Fix obj leak in VM_BIND error path
Date: Wed, 20 Aug 2025 17:04:25 -0700
Message-ID: <20250821000429.303628-2-robin.clark@oss.qualcomm.com>
In-Reply-To: <20250821000429.303628-1-robin.clark@oss.qualcomm.com>
References: <20250821000429.303628-1-robin.clark@oss.qualcomm.com>

If we fail a handle-lookup part way thru, we need to drop the already obtained obj references.

Fixes: 2e6a8a1fe2b2 ("drm/msm: Add VM_BIND ioctl")
Signed-off-by: Rob Clark
Tested-by: Connor Abbott
---
 drivers/gpu/drm/msm/msm_gem_vma.c | 25 +++++++++++++++++++------
 1 file changed, 19 insertions(+), 6 deletions(-)

diff --git a/drivers/gpu/drm/msm/msm_gem_vma.c b/drivers/gpu/drm/msm/msm_ge= m_vma.c index 00d0f3b7ba32..209154be5efc 100644 --- a/drivers/gpu/drm/msm/msm_gem_vma.c +++ b/drivers/gpu/drm/msm/msm_gem_vma.c @@ -1023,6 +1023,7 @@ vm_bind_job_lookup_ops(struct msm_vm_bind_job *job, s= truct drm_msm_vm_bind *args struct drm_device *dev =3D job->vm->drm; int ret =3D 0; int cnt =3D 0; + int i =3D -1; =20 if (args->nr_ops =3D=3D 1) { /* Single op case, the op is inlined: */ @@ -1056,11 +1057,12 @@ vm_bind_job_lookup_ops(struct msm_vm_bind_job *job,= struct drm_msm_vm_bind *args =20 spin_lock(&file->table_lock); =20 - for (unsigned i =3D 0; i < args->nr_ops; i++) { + for (i =3D 0; i < args->nr_ops; i++) { + struct msm_vm_bind_op *op =3D &job->ops[i]; struct drm_gem_object *obj; =20 - if (!job->ops[i].handle) { - job->ops[i].obj =3D NULL; + if (!op->handle) { + op->obj =3D NULL; continue; } =20
@@ -1068,15 +1070,15 @@ vm_bind_job_lookup_ops(struct msm_vm_bind_job *job,= struct drm_msm_vm_bind *args * normally use drm_gem_object_lookup(), but for bulk lookup * all under single table_lock just hit object_idr directly: */ - obj =3D idr_find(&file->object_idr, job->ops[i].handle); + obj =3D idr_find(&file->object_idr, op->handle); if (!obj) { - ret =3D UERR(EINVAL, dev, "invalid handle %u at index %u\n", job->ops[i= ].handle, i); + ret =3D UERR(EINVAL, dev, "invalid handle %u at index %u\n", op->handle= , i); goto out_unlock; } =20 drm_gem_object_get(obj); =20 - job->ops[i].obj =3D obj; + op->obj =3D obj; cnt++; } =20 
@@ -1085,6 +1087,17 @@ vm_bind_job_lookup_ops(struct msm_vm_bind_job *job, = struct drm_msm_vm_bind *args out_unlock: spin_unlock(&file->table_lock); =20 + if (ret) { + for (; i >=3D 0; i--) { + struct msm_vm_bind_op *op =3D &job->ops[i]; + + if (!op->obj) + continue; + + drm_gem_object_put(op->obj); + op->obj =3D NULL; + } + } out: return ret; } --=20 2.50.1
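
Review bot: in the lookup loop of 1/3, `i` is now a plain `int` but the error string still formats it with `%u` ("invalid handle %u at index %u"), and `i < args->nr_ops` becomes a mixed-sign comparison if `nr_ops` is an unsigned field. Either switch the index format to `%d`, or keep the loop index unsigned and walk the unwind with a separate signed counter.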
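
Review bot: the unwind loop added after `out_unlock:` in 1/3 starts at the failing index `i`, but on the `idr_find()` failure path `op->obj` for that index was never written in this iteration, so `if (!op->obj)` depends on `job->ops[]` having been zeroed somewhere these lines do not show. Setting `op->obj = NULL` before `goto out_unlock` would make the `drm_gem_object_put()` loop safe regardless of how the array was allocated. A one-line comment explaining why `i` is initialised to -1 would also help the next reader.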

From: Rob Clark
To: dri-devel@lists.freedesktop.org
Cc: linux-arm-msm@vger.kernel.org, freedreno@lists.freedesktop.org, Akhil P Oommen, Connor Abbott, Rob Clark, Dmitry Baryshkov, Abhinav Kumar, Jessica Zhang, Sean Paul, Marijn Suijten, David Airlie, Simona Vetter, linux-kernel@vger.kernel.org (open list)
Subject: [PATCH v2 2/3] drm/msm: Fix missing VM_BIND offset/range validation
Date: Wed, 20 Aug 2025 17:04:26 -0700
Message-ID: <20250821000429.303628-3-robin.clark@oss.qualcomm.com>
In-Reply-To: <20250821000429.303628-1-robin.clark@oss.qualcomm.com>
References: <20250821000429.303628-1-robin.clark@oss.qualcomm.com>

We need to reject the MAP op if offset+range is larger than the BO size.

Reported-by: Connor Abbott
Fixes: 2e6a8a1fe2b2 ("drm/msm: Add VM_BIND ioctl")
Signed-off-by: Rob Clark
Tested-by: Connor Abbott
---
 drivers/gpu/drm/msm/msm_gem_vma.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/drivers/gpu/drm/msm/msm_gem_vma.c b/drivers/gpu/drm/msm/msm_ge= m_vma.c index 209154be5efc..381a0853c05b 100644 --- a/drivers/gpu/drm/msm/msm_gem_vma.c +++ b/drivers/gpu/drm/msm/msm_gem_vma.c
@@ -1080,6 +1080,12 @@ vm_bind_job_lookup_ops(struct msm_vm_bind_job *job, = struct drm_msm_vm_bind *args =20 op->obj =3D obj; cnt++; + + if ((op->range + op->obj_offset) > obj->size) { + ret =3D UERR(EINVAL, dev, "invalid range: %016llx + %016llx > %016zx\n", + op->range, op->obj_offset, obj->size); + goto out_unlock; + } } =20 *nr_bos =3D cnt; --=20 2.50.1
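
Review bot: the new bounds check in 2/3 adds `op->range + op->obj_offset` before comparing against `obj->size`; both operands are printed with `%016llx`, so they are 64-bit and the sum can wrap, which lets a large offset/range pair pass the test. Use `check_add_overflow()` for the sum, or write the test without an addition, e.g. `op->obj_offset > obj->size || op->range > obj->size - op->obj_offset`. The commit message says the MAP op is rejected, while the check as placed runs for every op that carries a handle; please say which is intended.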

From: Rob Clark
To: dri-devel@lists.freedesktop.org
Cc: linux-arm-msm@vger.kernel.org, freedreno@lists.freedesktop.org, Akhil P Oommen, Connor Abbott, Rob Clark, Dmitry Baryshkov, Abhinav Kumar, Jessica Zhang, Sean Paul, Marijn Suijten, David Airlie, Simona Vetter, linux-kernel@vger.kernel.org (open list)
Subject: [PATCH v2 3/3] drm/msm: Fix 32b size truncation
Date: Wed, 20 Aug 2025 17:04:27 -0700
Message-ID: <20250821000429.303628-4-robin.clark@oss.qualcomm.com>
In-Reply-To: <20250821000429.303628-1-robin.clark@oss.qualcomm.com>
References: <20250821000429.303628-1-robin.clark@oss.qualcomm.com>

Somehow we never noticed this when arm64 became a thing, many years ago.

v2: also fix npages

Signed-off-by: Rob Clark
Tested-by: Connor Abbott
---
 drivers/gpu/drm/msm/msm_gem.c | 21 ++++++++++-----------
 drivers/gpu/drm/msm/msm_gem.h | 6 +++---
 drivers/gpu/drm/msm/msm_gem_prime.c | 2 +-
 3 files changed, 14 insertions(+), 15 deletions(-)

diff --git a/drivers/gpu/drm/msm/msm_gem.c b/drivers/gpu/drm/msm/msm_gem.c index 958bac4e2768..aefc82184eec 100644 --- a/drivers/gpu/drm/msm/msm_gem.c +++ b/drivers/gpu/drm/msm/msm_gem.c @@ -189,7 +189,7 @@ static struct page **get_pages(struct drm_gem_object *o= bj) if (!msm_obj->pages) { struct drm_device *dev =3D obj->dev; struct page **p; - int npages =3D obj->size >> PAGE_SHIFT; + size_t npages =3D obj->size >> PAGE_SHIFT; =20 p =3D drm_gem_get_pages(obj); =20 @@ -1142,7 +1142,7 @@ static int msm_gem_object_mmap(struct drm_gem_object = *obj, struct vm_area_struct =20 /* convenience method to construct a GEM buffer object, and userspace hand= le */ int msm_gem_new_handle(struct drm_device *dev, struct drm_file *file, - uint32_t size, uint32_t flags, uint32_t *handle, + size_t size, uint32_t flags, uint32_t *handle, char *name) { struct drm_gem_object *obj; @@ -1208,9 +1208,8 @@ static const struct drm_gem_object_funcs msm_gem_obje= ct_funcs =3D { .vm_ops =3D &vm_ops, }; =20 -static int msm_gem_new_impl(struct drm_device *dev, - uint32_t size, uint32_t flags, - struct drm_gem_object **obj) +static int msm_gem_new_impl(struct drm_device *dev, uint32_t flags, + struct drm_gem_object **obj) { struct msm_drm_private *priv =3D dev->dev_private; struct msm_gem_object *msm_obj;
@@ -1244,7 +1243,7 @@ static int msm_gem_new_impl(struct drm_device *dev, return 0; } =20 -struct drm_gem_object *msm_gem_new(struct drm_device *dev, uint32_t size, = uint32_t flags) +struct drm_gem_object *msm_gem_new(struct drm_device *dev, size_t size, ui= nt32_t flags) { struct msm_drm_private *priv =3D dev->dev_private; struct msm_gem_object *msm_obj; @@ -1259,7 +1258,7 @@ struct drm_gem_object *msm_gem_new(struct drm_device = *dev, uint32_t size, uint32 if (size =3D=3D 0) return ERR_PTR(-EINVAL); =20 - ret =3D msm_gem_new_impl(dev, size, flags, &obj); + ret =3D msm_gem_new_impl(dev, flags, &obj); if (ret) return ERR_PTR(ret); =20 @@ -1299,12 +1298,12 @@ struct drm_gem_object *msm_gem_import(struct drm_de= vice *dev, struct msm_drm_private *priv =3D dev->dev_private; struct msm_gem_object *msm_obj; struct drm_gem_object *obj; - uint32_t size; - int ret, npages; + size_t size, npages; + int ret; =20 size =3D PAGE_ALIGN(dmabuf->size); =20 - ret =3D msm_gem_new_impl(dev, size, MSM_BO_WC, &obj); + ret =3D msm_gem_new_impl(dev, MSM_BO_WC, &obj); if (ret) return ERR_PTR(ret); =20 @@ -1347,7 +1346,7 @@ struct drm_gem_object *msm_gem_import(struct drm_devi= ce *dev, return ERR_PTR(ret); } =20 -void *msm_gem_kernel_new(struct drm_device *dev, uint32_t size, uint32_t f= lags, +void *msm_gem_kernel_new(struct drm_device *dev, size_t size, uint32_t fla= gs, struct drm_gpuvm *vm, struct drm_gem_object **bo, uint64_t *iova) { diff --git a/drivers/gpu/drm/msm/msm_gem.h b/drivers/gpu/drm/msm/msm_gem.h index 751c3b4965bc..a4cf31853c50 100644 --- a/drivers/gpu/drm/msm/msm_gem.h +++ b/drivers/gpu/drm/msm/msm_gem.h 
@@ -297,10 +297,10 @@ bool msm_gem_active(struct drm_gem_object *obj); int msm_gem_cpu_prep(struct drm_gem_object *obj, uint32_t op, ktime_t *tim= eout); int msm_gem_cpu_fini(struct drm_gem_object *obj); int msm_gem_new_handle(struct drm_device *dev, struct drm_file *file, - uint32_t size, uint32_t flags, uint32_t *handle, char *name); + size_t size, uint32_t flags, uint32_t *handle, char *name); struct drm_gem_object *msm_gem_new(struct drm_device *dev, - uint32_t size, uint32_t flags); -void *msm_gem_kernel_new(struct drm_device *dev, uint32_t size, uint32_t f= lags, + size_t size, uint32_t flags); +void *msm_gem_kernel_new(struct drm_device *dev, size_t size, uint32_t fla= gs, struct drm_gpuvm *vm, struct drm_gem_object **bo, uint64_t *iova); void msm_gem_kernel_put(struct drm_gem_object *bo, struct drm_gpuvm *vm); diff --git a/drivers/gpu/drm/msm/msm_gem_prime.c b/drivers/gpu/drm/msm/msm_= gem_prime.c index c0a33ac839cb..036d34c674d9 100644 --- a/drivers/gpu/drm/msm/msm_gem_prime.c +++ b/drivers/gpu/drm/msm/msm_gem_prime.c @@ -15,7 +15,7 @@ struct sg_table *msm_gem_prime_get_sg_table(struct drm_gem_object *obj) { struct msm_gem_object *msm_obj =3D to_msm_bo(obj); - int npages =3D obj->size >> PAGE_SHIFT; + size_t npages =3D obj->size >> PAGE_SHIFT; =20 if (msm_obj->flags & MSM_BO_NO_SHARE) return ERR_PTR(-EINVAL); --=20 2.50.1
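
Review bot: `msm_gem_new_impl()` in 3/3 loses its `size` parameter outright instead of having it widened, and both callers (`msm_gem_new()` and `msm_gem_import()`) are adjusted to match, but the commit message only mentions truncation and npages. Please state in the changelog that the argument was unused, or split the removal into its own patch. Unlike 1/3 and 2/3 this patch carries no Fixes: tag; adding one would record which change introduced the 32-bit size.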
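
Review bot: `npages` becomes `size_t` in `get_pages()`, `msm_gem_import()` and `msm_gem_prime_get_sg_table()`, but the calls that consume it fall outside the context shown in 3/3; if any of them takes an `int` or `unsigned int` page count the value is still narrowed at that call. Please confirm the parameter type of each consumer, and that `size` is not already narrowed before it reaches `msm_gem_new_handle()`.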