From mboxrd@z Thu Jan  1 00:00:00 1970
From: Ben Widawsky <ben@bwidawsk.net>
Subject: Re: [PATCH 4/5] drm/i915: check for allocation overflow
 in error state capture
Date: Fri, 20 Sep 2013 16:39:12 -0700
Message-ID: <20130920233912.GA1710@bwidawsk.net>
References: <1379585916-6521-1-git-send-email-daniel.vetter@ffwll.ch>
	<1379585916-6521-4-git-send-email-daniel.vetter@ffwll.ch>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Return-path: <intel-gfx-bounces+gcfxdi-intel-gfx=m.gmane.org@lists.freedesktop.org>
Received: from mail.bwidawsk.net (bwidawsk.net [166.78.191.112])
	by gabe.freedesktop.org (Postfix) with ESMTP id 05464E5C87
	for <intel-gfx@lists.freedesktop.org>;
	Fri, 20 Sep 2013 16:39:20 -0700 (PDT)
Content-Disposition: inline
In-Reply-To: <1379585916-6521-4-git-send-email-daniel.vetter@ffwll.ch>
List-Unsubscribe: <http://lists.freedesktop.org/mailman/options/intel-gfx>,
	<mailto:intel-gfx-request@lists.freedesktop.org?subject=unsubscribe>
List-Archive: <http://lists.freedesktop.org/archives/intel-gfx>
List-Post: <mailto:intel-gfx@lists.freedesktop.org>
List-Help: <mailto:intel-gfx-request@lists.freedesktop.org?subject=help>
List-Subscribe: <http://lists.freedesktop.org/mailman/listinfo/intel-gfx>,
	<mailto:intel-gfx-request@lists.freedesktop.org?subject=subscribe>
Sender: intel-gfx-bounces+gcfxdi-intel-gfx=m.gmane.org@lists.freedesktop.org
Errors-To: intel-gfx-bounces+gcfxdi-intel-gfx=m.gmane.org@lists.freedesktop.org
To: Daniel Vetter <daniel.vetter@ffwll.ch>
Cc: Intel Graphics Development <intel-gfx@lists.freedesktop.org>
List-Id: intel-gfx@lists.freedesktop.org

On Thu, Sep 19, 2013 at 12:18:35PM +0200, Daniel Vetter wrote:
> Pretty harmless since actually binding such a giant thing would be
> really hard to pull off - it doesn't fit into the gtt of any shipping
> gpu right now.
> 
> Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
> ---
>  drivers/gpu/drm/i915/i915_gpu_error.c | 8 +++++++-
>  1 file changed, 7 insertions(+), 1 deletion(-)
> 
> diff --git a/drivers/gpu/drm/i915/i915_gpu_error.c b/drivers/gpu/drm/i915/i915_gpu_error.c
> index 763283e..6c80636 100644
> --- a/drivers/gpu/drm/i915/i915_gpu_error.c
> +++ b/drivers/gpu/drm/i915/i915_gpu_error.c
> @@ -478,7 +478,7 @@ static void i915_error_state_free(struct kref *error_ref)
>  static struct drm_i915_error_object *
>  i915_error_object_create_sized(struct drm_i915_private *dev_priv,
>  			       struct drm_i915_gem_object *src,
> -			       const int num_pages)
> +			       const unsigned int num_pages)
>  {
>  	struct drm_i915_error_object *dst;
>  	int i;
> @@ -487,6 +487,12 @@ i915_error_object_create_sized(struct drm_i915_private *dev_priv,
>  	if (src == NULL || src->pages == NULL)
>  		return NULL;
>  
> +	if (num_pages > (UINT_MAX - sizeof(*dst)) / sizeof(u32 *)) {
> +		DRM_DEBUG("error object with overflowing num_pages %u\n",
> +			  num_pages);
> +		return NULL;
> +	}
> +

I think either of these two assertions would be much better:
if (num_pages > src->base.size >> PAGE_SHIFT)

or

if (num_pages > dev_priv->gtt.base.total >> 12)...

Later with PPGTT, the gtt will just be a VM.

>  	dst = kmalloc(sizeof(*dst) + num_pages * sizeof(u32 *), GFP_ATOMIC);
>  	if (dst == NULL)
>  		return NULL;

-- 
Ben Widawsky, Intel Open Source Technology Center