From mboxrd@z Thu Jan  1 00:00:00 1970
From: Ben Widawsky <ben@bwidawsk.net>
Subject: Re: [PATCH] drm/i915: Defend against userspace creating
 a gem object with size==0
Date: Wed, 14 Sep 2011 20:02:10 +0000
Message-ID: <20110914200210.GA22458@cloud01>
References: <1316002468-31203-1-git-send-email-daniel.vetter@ffwll.ch>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Return-path: <intel-gfx-bounces+gcfxdi-intel-gfx=m.gmane.org@lists.freedesktop.org>
Received: from cloud01.chad-versace.us (184-106-247-128.static.cloud-ips.com
	[184.106.247.128])
	by gabe.freedesktop.org (Postfix) with ESMTP id D10CAA088E
	for <intel-gfx@lists.freedesktop.org>;
	Wed, 14 Sep 2011 12:58:49 -0700 (PDT)
Content-Disposition: inline
In-Reply-To: <1316002468-31203-1-git-send-email-daniel.vetter@ffwll.ch>
List-Unsubscribe: <http://lists.freedesktop.org/mailman/options/intel-gfx>,
	<mailto:intel-gfx-request@lists.freedesktop.org?subject=unsubscribe>
List-Archive: <http://lists.freedesktop.org/archives/intel-gfx>
List-Post: <mailto:intel-gfx@lists.freedesktop.org>
List-Help: <mailto:intel-gfx-request@lists.freedesktop.org?subject=help>
List-Subscribe: <http://lists.freedesktop.org/mailman/listinfo/intel-gfx>,
	<mailto:intel-gfx-request@lists.freedesktop.org?subject=subscribe>
Sender: intel-gfx-bounces+gcfxdi-intel-gfx=m.gmane.org@lists.freedesktop.org
Errors-To: intel-gfx-bounces+gcfxdi-intel-gfx=m.gmane.org@lists.freedesktop.org
To: Daniel Vetter <daniel.vetter@ffwll.ch>
Cc: intel-gfx@lists.freedesktop.org
List-Id: intel-gfx@lists.freedesktop.org

On Wed, Sep 14, 2011 at 02:14:28PM +0200, Daniel Vetter wrote:
> From: Chris Wilson <chris@chris-wilson.co.uk>
> 
> We currently only round up the userspace size to the next page. We
> assume that userspace hasn't made a mistake and requested a zero-length
> gem object and all through our internal code we then presume that every
> object is backed by at least a single page. Fix that oversight and
> report EINVAL back to userspace if they try to create a zero length
> object.
> 
> Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
> [danvet: This fixes tests/gem_bad_length]
> Signed-Off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
> ---
>  drivers/gpu/drm/i915/i915_gem.c |    2 ++
>  1 files changed, 2 insertions(+), 0 deletions(-)
> 
> diff --git a/drivers/gpu/drm/i915/i915_gem.c b/drivers/gpu/drm/i915/i915_gem.c
> index 7998827..9857e9d 100644
> --- a/drivers/gpu/drm/i915/i915_gem.c
> +++ b/drivers/gpu/drm/i915/i915_gem.c
> @@ -195,6 +195,8 @@ i915_gem_create(struct drm_file *file,
>  	u32 handle;
>  
>  	size = roundup(size, PAGE_SIZE);
> +	if (size == 0)
> +		return -EINVAL;
>  
>  	/* Allocate the new object */
>  	obj = i915_gem_alloc_object(dev, size);

Could we just: s/roundup/DIV_ROUND_UP and be happy?

Ben