[1/2] drm/i915/userptr: add user_size limit check
diff mbox series

Message ID 20200116192809.843138-1-matthew.auld@intel.com
State New
Headers show
Series
  • [1/2] drm/i915/userptr: add user_size limit check
Related show

Commit Message

Matthew Auld Jan. 16, 2020, 7:28 p.m. UTC
Don't allow a mismatch between obj->base.size/vma->size and the actual
number of pages for the backing store, which is limited to INT_MAX
pages.

Signed-off-by: Matthew Auld <matthew.auld@intel.com>
Cc: Chris Wilson <chris@chris-wilson.co.uk>
---
 drivers/gpu/drm/i915/gem/i915_gem_userptr.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)

Comments

Chris Wilson Jan. 16, 2020, 7:31 p.m. UTC | #1
Quoting Matthew Auld (2020-01-16 19:28:08)
> Don't allow a mismatch between obj->base.size/vma->size and the actual
> number of pages for the backing store, which is limited to INT_MAX
> pages.
> 
> Signed-off-by: Matthew Auld <matthew.auld@intel.com>
> Cc: Chris Wilson <chris@chris-wilson.co.uk>
> ---
>  drivers/gpu/drm/i915/gem/i915_gem_userptr.c | 12 ++++++++++++
>  1 file changed, 12 insertions(+)
> 
> diff --git a/drivers/gpu/drm/i915/gem/i915_gem_userptr.c b/drivers/gpu/drm/i915/gem/i915_gem_userptr.c
> index e5558af111e2..fef96a303d9d 100644
> --- a/drivers/gpu/drm/i915/gem/i915_gem_userptr.c
> +++ b/drivers/gpu/drm/i915/gem/i915_gem_userptr.c
> @@ -768,6 +768,18 @@ i915_gem_userptr_ioctl(struct drm_device *dev,
>         if (args->flags & ~(I915_USERPTR_READ_ONLY |
>                             I915_USERPTR_UNSYNCHRONIZED))
>                 return -EINVAL;
> +       /*
> +        * XXX: There is a prevalence of the assumption that we fit the
> +        * object's page count inside a 32bit _signed_ variable. Let's document
> +        * this and catch if we ever need to fix it. In the meantime, if you do
> +        * spot such a local variable, please consider fixing!
> +        */
> +
> +       if (args->user_size >> PAGE_SHIFT > INT_MAX)
> +               return -E2BIG;

Are we not safe yet?

> +
> +       if (overflows_type(args->user_size, obj->base.size))
> +               return -E2BIG;

Ok.
-Chris

Patch
diff mbox series

diff --git a/drivers/gpu/drm/i915/gem/i915_gem_userptr.c b/drivers/gpu/drm/i915/gem/i915_gem_userptr.c
index e5558af111e2..fef96a303d9d 100644
--- a/drivers/gpu/drm/i915/gem/i915_gem_userptr.c
+++ b/drivers/gpu/drm/i915/gem/i915_gem_userptr.c
@@ -768,6 +768,18 @@  i915_gem_userptr_ioctl(struct drm_device *dev,
 	if (args->flags & ~(I915_USERPTR_READ_ONLY |
 			    I915_USERPTR_UNSYNCHRONIZED))
 		return -EINVAL;
+	/*
+	 * XXX: There is a prevalence of the assumption that we fit the
+	 * object's page count inside a 32bit _signed_ variable. Let's document
+	 * this and catch if we ever need to fix it. In the meantime, if you do
+	 * spot such a local variable, please consider fixing!
+	 */
+
+	if (args->user_size >> PAGE_SHIFT > INT_MAX)
+		return -E2BIG;
+
+	if (overflows_type(args->user_size, obj->base.size))
+		return -E2BIG;
 
 	if (!args->user_size)
 		return -EINVAL;