diff options
author | Android Build Coastguard Worker <android-build-coastguard-worker@google.com> | 2022-05-14 05:14:31 +0000 |
---|---|---|
committer | Android Build Coastguard Worker <android-build-coastguard-worker@google.com> | 2022-05-14 05:14:31 +0000 |
commit | 77ee1ceb557479ca0cc268ce8c2167f3b1d472fe (patch) | |
tree | e79143eb7e93f1ce88fd851e896bfce377921ad4 | |
parent | 3fdb365cfaa5733847aed788cc6ff712e8b26943 (diff) | |
parent | 422090944dfcf526c0d2457863c4525e54ece120 (diff) | |
download | gchips-77ee1ceb557479ca0cc268ce8c2167f3b1d472fe.tar.gz |
Snap for 8591706 from 422090944dfcf526c0d2457863c4525e54ece120 to tm-qpr1-release
Change-Id: I90b5f5c40ebea78b5d53297b6126038242cd670b
-rw-r--r-- | gralloc4/src/core/mali_gralloc_reference.cpp | 56 | ||||
-rw-r--r-- | gralloc4/src/mali_gralloc_buffer.h | 3 |
2 files changed, 58 insertions, 1 deletions
diff --git a/gralloc4/src/core/mali_gralloc_reference.cpp b/gralloc4/src/core/mali_gralloc_reference.cpp index 954c2b3..8f12975 100644 --- a/gralloc4/src/core/mali_gralloc_reference.cpp +++ b/gralloc4/src/core/mali_gralloc_reference.cpp @@ -21,6 +21,7 @@ #include <android-base/thread_annotations.h> #include <hardware/gralloc1.h> +#include <algorithm> #include <map> #include <mutex> @@ -58,6 +59,54 @@ private: return hnd->get_usage() & cpu_access_usage; } + static off_t get_buffer_size(unsigned int fd) { + off_t current = lseek(fd, 0, SEEK_CUR); + off_t size = lseek(fd, 0, SEEK_END); + lseek(fd, current, SEEK_SET); + return size; + } + + static bool dmabuf_sanity_check(buffer_handle_t handle) { + private_handle_t *hnd = + static_cast<private_handle_t *>(const_cast<native_handle_t *>(handle)); + + int valid_fd_count = std::find(hnd->fds, hnd->fds + MAX_FDS, -1) - hnd->fds; + // One fd is reserved for metadata which is not accounted for in fd_count + if (hnd->fd_count != valid_fd_count - 1) { + MALI_GRALLOC_LOGE("%s failed: count of valid buffer fds does not match fd_count", + __func__); + return false; + } + + auto check_pid = [&](int fd, uint64_t allocated_size) -> bool { + auto size = get_buffer_size(fd); + auto size_padding = size - (off_t)allocated_size; + if ((size != -1) && ((size_padding < 0) || (size_padding > PAGE_SIZE))) { + MALI_GRALLOC_LOGE("%s failed: fd (%d) size (%jd) is not within a PAGE_SIZE of " + "expected size (%" PRIx64 ")", + __func__, fd, static_cast<intmax_t>(size), allocated_size); + return false; + } + return true; + }; + + // Check client facing dmabufs + for (auto i = 0; i < hnd->fd_count; i++) { + if (!check_pid(hnd->fds[i], hnd->alloc_sizes[i])) { + MALI_GRALLOC_LOGE("%s failed: Size check failed for alloc_sizes[%d]", __func__, i); + return false; + } + } + + // Check metadata dmabuf + if (!check_pid(hnd->get_share_attr_fd(), hnd->attr_size)) { + MALI_GRALLOC_LOGE("%s failed: Size check failed for metadata fd", __func__); + return false; + } + + return true; + } + int map_locked(buffer_handle_t handle) REQUIRES(lock) { private_handle_t *hnd = (private_handle_t *)handle; auto it = buffer_map.find(hnd); @@ -72,10 +121,15 @@ private: MALI_GRALLOC_LOGE("BUG: Found an imported buffer with ref count 0, expect errors"); } + // Return early if buffer is already mapped if (data.bases[0] != nullptr) { return 0; } + if (!dmabuf_sanity_check(handle)) { + return -EINVAL; + } + int error = mali_gralloc_ion_map(hnd); if (error != 0) { return error; @@ -115,7 +169,7 @@ private: } else { for (auto i = 0; i < MAX_BUFFER_FDS; i++) { if (hnd->bases[i] != 0 || data.bases[i] != nullptr) { - MALI_GRALLOC_LOGE("Validation failed: Expected nullptr for unmaped buffer"); + MALI_GRALLOC_LOGE("Validation failed: Expected nullptr for unmapped buffer"); return -EINVAL; } } diff --git a/gralloc4/src/mali_gralloc_buffer.h b/gralloc4/src/mali_gralloc_buffer.h index 02172c6..3863342 100644 --- a/gralloc4/src/mali_gralloc_buffer.h +++ b/gralloc4/src/mali_gralloc_buffer.h @@ -177,6 +177,9 @@ struct private_handle_t int magic DEFAULT_INITIALIZER(sMagic); int flags DEFAULT_INITIALIZER(0); + /* + * Number of dmabuf fds, NOT including the metadata fd + */ int fd_count DEFAULT_INITIALIZER(1); /* |