Re: [PATCH 4/5] drm/i915: check for allocation overflow in error state capture

[Ben Widawsky <ben@bwidawsk.net>]

On Thu, Sep 19, 2013 at 12:18:35PM +0200, Daniel Vetter wrote:
> Pretty harmless since actually binding such a giant thing would be
> really hard to pull off - it doesn't fit into the gtt of any shipping
> gpu right now.
> 
> Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
> ---
>  drivers/gpu/drm/i915/i915_gpu_error.c | 8 +++++++-
>  1 file changed, 7 insertions(+), 1 deletion(-)
> 
> diff --git a/drivers/gpu/drm/i915/i915_gpu_error.c b/drivers/gpu/drm/i915/i915_gpu_error.c
> index 763283e..6c80636 100644
> --- a/drivers/gpu/drm/i915/i915_gpu_error.c
> +++ b/drivers/gpu/drm/i915/i915_gpu_error.c
> @@ -478,7 +478,7 @@ static void i915_error_state_free(struct kref *error_ref)
>  static struct drm_i915_error_object *
>  i915_error_object_create_sized(struct drm_i915_private *dev_priv,
>  			       struct drm_i915_gem_object *src,
> -			       const int num_pages)
> +			       const unsigned int num_pages)
>  {
>  	struct drm_i915_error_object *dst;
>  	int i;
> @@ -487,6 +487,12 @@ i915_error_object_create_sized(struct drm_i915_private *dev_priv,
>  	if (src == NULL || src->pages == NULL)
>  		return NULL;
>  
> +	if (num_pages > (UINT_MAX - sizeof(*dst)) / sizeof(u32 *)) {
> +		DRM_DEBUG("error object with overflowing num_pages %u\n",
> +			  num_pages);
> +		return NULL;
> +	}
> +

I think either of these two assertions would be much better:
if (num_pages > src->base.size >> PAGE_SHIFT)

or

if (num_pages > dev_priv->gtt.base.total >> 12)...

Later with PPGTT, the gtt will just be a VM.

>  	dst = kmalloc(sizeof(*dst) + num_pages * sizeof(u32 *), GFP_ATOMIC);
>  	if (dst == NULL)
>  		return NULL;

-- 
Ben Widawsky, Intel Open Source Technology Center