From patchwork Thu Sep 19 12:53:36 2013
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Daniel Vetter <daniel.vetter@ffwll.ch>
X-Patchwork-Id: 2911141
Return-Path: 
 <intel-gfx-bounces+patchwork-intel-gfx=patchwork.kernel.org@lists.freedesktop.org>
X-Original-To: patchwork-intel-gfx@patchwork.kernel.org
Delivered-To: patchwork-parsemail@patchwork1.web.kernel.org
Received: from mail.kernel.org (mail.kernel.org [198.145.19.201])
	by patchwork1.web.kernel.org (Postfix) with ESMTP id 5F45C9F1E1
	for <patchwork-intel-gfx@patchwork.kernel.org>;
	Thu, 19 Sep 2013 12:54:00 +0000 (UTC)
Received: from mail.kernel.org (localhost [127.0.0.1])
	by mail.kernel.org (Postfix) with ESMTP id 4264F203FD
	for <patchwork-intel-gfx@patchwork.kernel.org>;
	Thu, 19 Sep 2013 12:53:59 +0000 (UTC)
Received: from gabe.freedesktop.org (gabe.freedesktop.org [131.252.210.177])
	by mail.kernel.org (Postfix) with ESMTP id DD79A203E1
	for <patchwork-intel-gfx@patchwork.kernel.org>;
	Thu, 19 Sep 2013 12:53:57 +0000 (UTC)
Received: from gabe.freedesktop.org (localhost [127.0.0.1])
	by gabe.freedesktop.org (Postfix) with ESMTP id 840D7E690A
	for <patchwork-intel-gfx@patchwork.kernel.org>;
	Thu, 19 Sep 2013 05:53:57 -0700 (PDT)
X-Original-To: intel-gfx@lists.freedesktop.org
Delivered-To: intel-gfx@lists.freedesktop.org
Received: from mail-ee0-f54.google.com (mail-ee0-f54.google.com
	[74.125.83.54])
	by gabe.freedesktop.org (Postfix) with ESMTP id C7AC9E736E
	for <intel-gfx@lists.freedesktop.org>;
	Thu, 19 Sep 2013 05:53:24 -0700 (PDT)
Received: by mail-ee0-f54.google.com with SMTP id e53so4224003eek.27
	for <intel-gfx@lists.freedesktop.org>;
	Thu, 19 Sep 2013 05:53:24 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ffwll.ch; s=google;
	h=from:to:cc:subject:date:message-id:in-reply-to:references;
	bh=/8GzLBlrAyMY03EWS43IUE+QESC77h6eWVmw05xnmN8=;
	b=Ngmx+//+XuKSoiXLYK4Vo0srIoJiYkTr7vJn4AzZ3dWlhPbezbBtdby6R1WEiC1ePh
	LBMD0O2eA7t9QWNSHYHhbDSaXmkPHjTbIYqkz2eAxT0ntqmNqaXtB6RYP6pueRC6tygw
	lsOBIkG4VA0AMgm6DZD+v1xqOuTJqk2DoNZog=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=1e100.net; s=20130820;
	h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to
	:references;
	bh=/8GzLBlrAyMY03EWS43IUE+QESC77h6eWVmw05xnmN8=;
	b=GF8ybrpbGOnV1qh125iyIuNyp/6YdDlllHaI5Ilioiq8qLRyhkqbAY3ZIsjnriCOkR
	YWFICy/VcEdKR8ji+a98rmIblX9hTlY472eKGpdbXL+8+cSIUHFi/Hg49DSTGD0Hyeg2
	bSAsRX/dQS8VvEjeKZMN5Sh3AZQF517mhQqNJjDKvzKcrRM/BvWOP04/vF02llRufdTB
	amgMtH4a2EkgbgmOi14wcxRPA2dWYpuejoM9gG8tIwBTBnbcE3Trcx18vCAT4SzPVnGm
	+W9FUR0PQjrWuPVWzSPQOXXNqZr4O9CJbfyXH4SU3mwlFZaxPkF8ZXyo4b7Kd7yrmhXZ
	tluA==
X-Gm-Message-State: 
 ALoCoQlwZduzK6xc206Siqj1/+aAW6btzN0K1Rclx2R4lbEJp4OrHb23OtnyTcw7b9PohIBMc0rM
X-Received: by 10.14.210.195 with SMTP id u43mr2153794eeo.80.1379595203995;
	Thu, 19 Sep 2013 05:53:23 -0700 (PDT)
Received: from phenom.ffwll.local (178-83-130-250.dynamic.hispeed.ch.
	[178.83.130.250]) by mx.google.com with ESMTPSA id
	n48sm11073324eeg.17.1969.12.31.16.00.00
	(version=TLSv1.2 cipher=ECDHE-RSA-RC4-SHA bits=128/128);
	Thu, 19 Sep 2013 05:53:22 -0700 (PDT)
From: Daniel Vetter <daniel.vetter@ffwll.ch>
To: Intel Graphics Development <intel-gfx@lists.freedesktop.org>
Date: Thu, 19 Sep 2013 14:53:36 +0200
Message-Id: <1379595216-29967-1-git-send-email-daniel.vetter@ffwll.ch>
X-Mailer: git-send-email 1.8.4.rc3
In-Reply-To: <1379592011-14751-1-git-send-email-daniel.vetter@ffwll.ch>
References: <1379592011-14751-1-git-send-email-daniel.vetter@ffwll.ch>
Cc: Daniel Vetter <daniel.vetter@ffwll.ch>
Subject: [Intel-gfx] [PATCH] drm/i915: Use unsigned for overflow checks in
	execbuf
X-BeenThere: intel-gfx@lists.freedesktop.org
X-Mailman-Version: 2.1.13
Precedence: list
List-Id: Intel graphics driver community testing & development
	<intel-gfx.lists.freedesktop.org>
List-Unsubscribe: <http://lists.freedesktop.org/mailman/options/intel-gfx>,
	<mailto:intel-gfx-request@lists.freedesktop.org?subject=unsubscribe>
List-Archive: <http://lists.freedesktop.org/archives/intel-gfx>
List-Post: <mailto:intel-gfx@lists.freedesktop.org>
List-Help: <mailto:intel-gfx-request@lists.freedesktop.org?subject=help>
List-Subscribe: <http://lists.freedesktop.org/mailman/listinfo/intel-gfx>,
	<mailto:intel-gfx-request@lists.freedesktop.org?subject=subscribe>
MIME-Version: 1.0
Sender: 
 intel-gfx-bounces+patchwork-intel-gfx=patchwork.kernel.org@lists.freedesktop.org
Errors-To: 
 intel-gfx-bounces+patchwork-intel-gfx=patchwork.kernel.org@lists.freedesktop.org
X-Spam-Status: No, score=-4.7 required=5.0 tests=BAYES_00,DKIM_SIGNED,
	RCVD_IN_DNSWL_MED,RP_MATCHES_RCVD,T_DKIM_INVALID,UNPARSEABLE_RELAY
	autolearn=unavailable version=3.3.1
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on mail.kernel.org
X-Virus-Scanned: ClamAV using ClamSMTP

There's actually no real risk since we already check for stricter
constraints earlier (using UINT_MAX / sizeof (struct
drm_i915_gem_exec_object2) as the limit). But in eb_create we use
signed integers, which steals a factor of 2. Luckily struct
drm_i915_gem_exec_object2 for this to not matter.

Still, be consistent and use unsigned integers.

Similar use unsinged integers when checking for overflows in the
relocation entry processing.

I've also added a new subtests to igt/gem_reloc_overflow to also
test for overflowing args->buffer_count values.

v2: Give the variables again tighter scope to make it clear that the
computation is purely local and doesn't leak out to the 2nd block.
Requested by Chris Wilson.

v3: Add a comment why we don't need to recheck for overflows.

Cc: Chris Wilson <chris@chris-wilson.co.uk>
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Reviewed-by: Chris Wilson <chris@chris-wilson.co.uk>
---
 drivers/gpu/drm/i915/i915_gem_execbuffer.c | 18 ++++++++++++------
 1 file changed, 12 insertions(+), 6 deletions(-)

diff --git a/drivers/gpu/drm/i915/i915_gem_execbuffer.c b/drivers/gpu/drm/i915/i915_gem_execbuffer.c
index ccfb8e6..f71eb6c 100644
--- a/drivers/gpu/drm/i915/i915_gem_execbuffer.c
+++ b/drivers/gpu/drm/i915/i915_gem_execbuffer.c
@@ -47,16 +47,22 @@ eb_create(struct drm_i915_gem_execbuffer2 *args, struct i915_address_space *vm)
 {
 	struct eb_vmas *eb = NULL;
 
+	/*
+	 * We already check for potential overflows of args->buffer_count before
+	 * calling i915_gem_do_execbuffer. So here we just need to make sure
+	 * that we don't overflow the by using a different type than unsigned
+	 * integers.
+	 */
 	if (args->flags & I915_EXEC_HANDLE_LUT) {
-		int size = args->buffer_count;
+		unsigned size = args->buffer_count;
 		size *= sizeof(struct i915_vma *);
 		size += sizeof(struct eb_vmas);
 		eb = kmalloc(size, GFP_TEMPORARY | __GFP_NOWARN | __GFP_NORETRY);
 	}
 
 	if (eb == NULL) {
-		int size = args->buffer_count;
-		int count = PAGE_SIZE / sizeof(struct hlist_head) / 2;
+		unsigned size = args->buffer_count;
+		unsigned count = PAGE_SIZE / sizeof(struct hlist_head) / 2;
 		BUILD_BUG_ON_NOT_POWER_OF_2(PAGE_SIZE / sizeof(struct hlist_head));
 		while (count > 2*size)
 			count >>= 1;
@@ -667,7 +673,7 @@ i915_gem_execbuffer_relocate_slow(struct drm_device *dev,
 	bool need_relocs;
 	int *reloc_offset;
 	int i, total, ret;
-	int count = args->buffer_count;
+	unsigned count = args->buffer_count;
 
 	if (WARN_ON(list_empty(&eb->vmas)))
 		return 0;
@@ -818,8 +824,8 @@ validate_exec_list(struct drm_i915_gem_exec_object2 *exec,
 		   int count)
 {
 	int i;
-	int relocs_total = 0;
-	int relocs_max = INT_MAX / sizeof(struct drm_i915_gem_relocation_entry);
+	unsigned relocs_total = 0;
+	unsigned relocs_max = UINT_MAX / sizeof(struct drm_i915_gem_relocation_entry);
 
 	for (i = 0; i < count; i++) {
 		char __user *ptr = to_user_ptr(exec[i].relocs_ptr);