| Message ID | 1379585916-6521-4-git-send-email-daniel.vetter@ffwll.ch (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
On Thu, Sep 19, 2013 at 12:18:35PM +0200, Daniel Vetter wrote: > Pretty harmless since actually binding such a giant thing would be > really hard to pull off - it doesn't fit into the gtt of any shipping > gpu right now. > > Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch> > --- > drivers/gpu/drm/i915/i915_gpu_error.c | 8 +++++++- > 1 file changed, 7 insertions(+), 1 deletion(-) > > diff --git a/drivers/gpu/drm/i915/i915_gpu_error.c b/drivers/gpu/drm/i915/i915_gpu_error.c > index 763283e..6c80636 100644 > --- a/drivers/gpu/drm/i915/i915_gpu_error.c > +++ b/drivers/gpu/drm/i915/i915_gpu_error.c > @@ -478,7 +478,7 @@ static void i915_error_state_free(struct kref *error_ref) > static struct drm_i915_error_object * > i915_error_object_create_sized(struct drm_i915_private *dev_priv, > struct drm_i915_gem_object *src, > - const int num_pages) > + const unsigned int num_pages) > { > struct drm_i915_error_object *dst; > int i; > @@ -487,6 +487,12 @@ i915_error_object_create_sized(struct drm_i915_private *dev_priv, > if (src == NULL || src->pages == NULL) > return NULL; > > + if (num_pages > (UINT_MAX - sizeof(*dst)) / sizeof(u32 *)) { > + DRM_DEBUG("error object with overflowing num_pages %u\n", > + num_pages); > + return NULL; > + } > + I think either of these two assertions would be much better: if (num_pages > src->base.size >> PAGE_SHIFT) or if (num_pages > dev_priv->gtt.base.total >> 12)... Later with PPGTT, the gtt will just be a VM. > dst = kmalloc(sizeof(*dst) + num_pages * sizeof(u32 *), GFP_ATOMIC); > if (dst == NULL) > return NULL;
diff --git a/drivers/gpu/drm/i915/i915_gpu_error.c b/drivers/gpu/drm/i915/i915_gpu_error.c index 763283e..6c80636 100644 --- a/drivers/gpu/drm/i915/i915_gpu_error.c +++ b/drivers/gpu/drm/i915/i915_gpu_error.c @@ -478,7 +478,7 @@ static void i915_error_state_free(struct kref *error_ref) static struct drm_i915_error_object * i915_error_object_create_sized(struct drm_i915_private *dev_priv, struct drm_i915_gem_object *src, - const int num_pages) + const unsigned int num_pages) { struct drm_i915_error_object *dst; int i; @@ -487,6 +487,12 @@ i915_error_object_create_sized(struct drm_i915_private *dev_priv, if (src == NULL || src->pages == NULL) return NULL; + if (num_pages > (UINT_MAX - sizeof(*dst)) / sizeof(u32 *)) { + DRM_DEBUG("error object with overflowing num_pages %u\n", + num_pages); + return NULL; + } + dst = kmalloc(sizeof(*dst) + num_pages * sizeof(u32 *), GFP_ATOMIC); if (dst == NULL) return NULL;
Pretty harmless since actually binding such a giant thing would be really hard to pull off - it doesn't fit into the gtt of any shipping gpu right now. Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch> --- drivers/gpu/drm/i915/i915_gpu_error.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-)