Commit 520f8350 authored by Matthew Auld's avatar Matthew Auld Committed by Chris Wilson
Browse files

drm/i915: properly sanity check batch_start_offset 



Check the edge case where batch_start_offset sits exactly on the batch
size.

v2: add new range_overflows variant to capture the special case where
the size is permitted to be zero, like with batch_len.

v3: other way around. the common case is the exclusive one which should
just be >=, with that we then just need to convert the three odd ball
cases that don't apply to use the new inclusive _end version.

Testcase: igt/gem_exec_params/invalid-batch-start-offset
Fixes: 0b537272 ("drm/i915/cmdparser: Use cached vmappings")
Signed-off-by: default avatarMatthew Auld <matthew.auld@intel.com>
Cc: Mika Kuoppala <mika.kuoppala@linux.intel.com>
Cc: Chris Wilson <chris@chris-wilson.co.uk>
Signed-off-by: default avatarChris Wilson <chris@chris-wilson.co.uk>
Link: https://patchwork.freedesktop.org/patch/msgid/20200306094735.258285-1-matthew.auld@intel.com
parent ef398881

drivers/gpu/drm/i915/display/intel_fbc.c

+6 −6
Original line number Diff line number Diff line
@@ -509,10 +509,10 @@ static int intel_fbc_alloc_cfb(struct drm_i915_private *dev_priv, 


		fbc->compressed_llb = compressed_llb;



		GEM_BUG_ON(range_overflows_t(u64, dev_priv->dsm.start,

		GEM_BUG_ON(range_overflows_end_t(u64, dev_priv->dsm.start,

						 fbc->compressed_fb.start,

						 U32_MAX));

		GEM_BUG_ON(range_overflows_t(u64, dev_priv->dsm.start,

		GEM_BUG_ON(range_overflows_end_t(u64, dev_priv->dsm.start,

						 fbc->compressed_llb->start,

						 U32_MAX));

		intel_de_write(dev_priv, FBC_CFB_BASE,

drivers/gpu/drm/i915/gt/intel_rc6.c

+4 −4
Original line number Diff line number Diff line
@@ -320,7 +320,7 @@ static int vlv_rc6_init(struct intel_rc6 *rc6) 
		return PTR_ERR(pctx);

	}



	GEM_BUG_ON(range_overflows_t(u64,

	GEM_BUG_ON(range_overflows_end_t(u64,

					 i915->dsm.start,

					 pctx->stolen->start,

					 U32_MAX));

drivers/gpu/drm/i915/i915_utils.h

+13 −1
Original line number Diff line number Diff line
@@ -102,12 +102,24 @@ bool i915_error_injected(void); 
	typeof(max) max__ = (max); \

	(void)(&start__ == &size__); \

	(void)(&start__ == &max__); \

	start__ > max__ || size__ > max__ - start__; \

	start__ >= max__ || size__ > max__ - start__; \

})



#define range_overflows_t(type, start, size, max) \

	range_overflows((type)(start), (type)(size), (type)(max))



#define range_overflows_end(start, size, max) ({ \

	typeof(start) start__ = (start); \

	typeof(size) size__ = (size); \

	typeof(max) max__ = (max); \

	(void)(&start__ == &size__); \

	(void)(&start__ == &max__); \

	start__ > max__ || size__ > max__ - start__; \

})



#define range_overflows_end_t(type, start, size, max) \

	range_overflows_end((type)(start), (type)(size), (type)(max))



/* Note we don't consider signbits :| */

#define overflows_type(x, T) \

	(sizeof(x) > sizeof(T) && (x) >> BITS_PER_TYPE(T))

CRA Git | Maintained and supported by SUSTech CRA and CCSE