drm/radeon: command stream checker for r3xx-r5xx hardware
For security purpose we want to make sure the userspace process doesn't
access memory beyond buffer it owns. To achieve this we need to check
states the userspace program. For color buffer and zbuffer we check that
the clipping register will discard access beyond buffers set as color
or zbuffer. For vertex buffer we check that no vertex fetch will happen
beyond buffer end. For texture we check various texture states (number
of mipmap level, texture size, texture depth, ...) to compute the amount
of memory the texture fetcher might access.
The command stream checking impact the performances so far quick benchmark
shows an average of 3% decrease in fps of various applications. It can
be optimized a bit more by caching result of checking and thus avoid a
full recheck if no states changed since last check.
Note that this patch is still incomplete on checking side as it doesn't
check 2d rendering states.
Signed-off-by: Jerome Glisse <jglisse@redhat.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
diff --git a/drivers/gpu/drm/radeon/r100.c b/drivers/gpu/drm/radeon/r100.c
index 64a692c0..c550932 100644
--- a/drivers/gpu/drm/radeon/r100.c
+++ b/drivers/gpu/drm/radeon/r100.c
@@ -647,7 +647,7 @@
*/
int r100_cs_parse_packet0(struct radeon_cs_parser *p,
struct radeon_cs_packet *pkt,
- unsigned *auth, unsigned n,
+ const unsigned *auth, unsigned n,
radeon_packet0_check_t check)
{
unsigned reg;
@@ -657,6 +657,10 @@
idx = pkt->idx + 1;
reg = pkt->reg;
+ /* Check that register fall into register range
+ * determined by the number of entry (n) in the
+ * safe register bitmap.
+ */
if (pkt->one_reg_wr) {
if ((reg >> 7) > n) {
return -EINVAL;
@@ -686,24 +690,6 @@
return 0;
}
-int r100_cs_parse_packet3(struct radeon_cs_parser *p,
- struct radeon_cs_packet *pkt,
- unsigned *auth, unsigned n,
- radeon_packet3_check_t check)
-{
- unsigned i, m;
-
- if ((pkt->opcode >> 5) > n) {
- return -EINVAL;
- }
- i = pkt->opcode >> 5;
- m = 1 << (pkt->opcode & 31);
- if (auth[i] & m) {
- return check(p, pkt);
- }
- return 0;
-}
-
void r100_cs_dump_packet(struct radeon_cs_parser *p,
struct radeon_cs_packet *pkt)
{
@@ -904,6 +890,25 @@
return 0;
}
+int r100_cs_track_check_pkt3_indx_buffer(struct radeon_cs_parser *p,
+ struct radeon_cs_packet *pkt,
+ struct radeon_object *robj)
+{
+ struct radeon_cs_chunk *ib_chunk;
+ unsigned idx;
+
+ ib_chunk = &p->chunks[p->chunk_ib_idx];
+ idx = pkt->idx + 1;
+ if ((ib_chunk->kdata[idx+2] + 1) > radeon_object_size(robj)) {
+ DRM_ERROR("[drm] Buffer too small for PACKET3 INDX_BUFFER "
+ "(need %u have %lu) !\n",
+ ib_chunk->kdata[idx+2] + 1,
+ radeon_object_size(robj));
+ return -EINVAL;
+ }
+ return 0;
+}
+
static int r100_packet3_check(struct radeon_cs_parser *p,
struct radeon_cs_packet *pkt)
{
@@ -957,6 +962,10 @@
return r;
}
ib[idx+1] = ib_chunk->kdata[idx+1] + ((u32)reloc->lobj.gpu_offset);
+ r = r100_cs_track_check_pkt3_indx_buffer(p, pkt, reloc->robj);
+ if (r) {
+ return r;
+ }
break;
case 0x23:
/* FIXME: cleanup */
@@ -1002,18 +1011,18 @@
}
p->idx += pkt.count + 2;
switch (pkt.type) {
- case PACKET_TYPE0:
- r = r100_packet0_check(p, &pkt);
- break;
- case PACKET_TYPE2:
- break;
- case PACKET_TYPE3:
- r = r100_packet3_check(p, &pkt);
- break;
- default:
- DRM_ERROR("Unknown packet type %d !\n",
- pkt.type);
- return -EINVAL;
+ case PACKET_TYPE0:
+ r = r100_packet0_check(p, &pkt);
+ break;
+ case PACKET_TYPE2:
+ break;
+ case PACKET_TYPE3:
+ r = r100_packet3_check(p, &pkt);
+ break;
+ default:
+ DRM_ERROR("Unknown packet type %d !\n",
+ pkt.type);
+ return -EINVAL;
}
if (r) {
return r;
@@ -1349,6 +1358,11 @@
}
}
+int r100_init(struct radeon_device *rdev)
+{
+ return 0;
+}
+
/*
* Debugfs info
*/