Message ID | 20170127172008.25126-1-chris@chris-wilson.co.uk (mailing list archive) |
---|---|
State | New, archived |
On Fri, 2017-01-27 at 17:20 +0000, Chris Wilson wrote: > Just do a quick check that the stolen memory address range doesn't > overflow our chosen integer type. Reviewed-by: Paulo Zanoni <paulo.r.zanoni@intel.com> > > Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk> > --- > drivers/gpu/drm/i915/i915_gem_stolen.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/drivers/gpu/drm/i915/i915_gem_stolen.c > b/drivers/gpu/drm/i915/i915_gem_stolen.c > index 42bbc4b04fd6..37a26e1c9190 100644 > --- a/drivers/gpu/drm/i915/i915_gem_stolen.c > +++ b/drivers/gpu/drm/i915/i915_gem_stolen.c > @@ -189,7 +189,7 @@ static dma_addr_t i915_stolen_to_dma(struct > drm_i915_private *dev_priv) > base = tom - tseg_size - ggtt->stolen_size; > } > > - if (base == 0) > + if (base == 0 || base + ggtt->stolen_size <= base) > return 0; > > /* make sure we don't clobber the GTT if it's within stolen > memory */
On pe, 2017-01-27 at 17:20 +0000, Chris Wilson wrote: > Just do a quick check that the stolen memory address range doesn't > overflow our chosen integer type. > > Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk> <SNIP> > @@ -189,7 +189,7 @@ static dma_addr_t i915_stolen_to_dma(struct drm_i915_private *dev_priv) > base = tom - tseg_size - ggtt->stolen_size; > } > > - if (base == 0) > + if (base == 0 || base + ggtt->stolen_size <= base) range_overflows? Regards, Joonas
On Mon, Jan 30, 2017 at 02:41:15PM +0200, Joonas Lahtinen wrote: > On pe, 2017-01-27 at 17:20 +0000, Chris Wilson wrote: > > Just do a quick check that the stolen memory address range doesn't > > overflow our chosen integer type. > > > > Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk> > > <SNIP> > > > @@ -189,7 +189,7 @@ static dma_addr_t i915_stolen_to_dma(struct drm_i915_private *dev_priv) > > base = tom - tseg_size - ggtt->stolen_size; > > } > > > > - if (base == 0) > > + if (base == 0 || base + ggtt->stolen_size <= base) > > range_overflows? if (base == 0 || range_overflows(base, ggtt->stolen_size, U64_MAX /* DMA_ADDR_MAX */)) Bleh. #define add_overflows(A, B) __builtin_add_overflow_p((A), (B), (typeof((A) + (B)))0) if (base == 0 || add_overflows(base, ggtt->stolen_size)) -Chris
On ma, 2017-01-30 at 13:15 +0000, Chris Wilson wrote: > > if (base == 0 || range_overflows(base, ggtt->stolen_size, U64_MAX /* DMA_ADDR_MAX */)) > > Bleh. > > #define add_overflows(A, B) __builtin_add_overflow_p((A), (B), (typeof((A) + (B)))0) > > if (base == 0 || add_overflows(base, ggtt->stolen_size)) Looks good. Regards, Joonas
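The overflow tests discussed in this thread, compared side by side as an added example that is not code from the thread or from the i915 driver. The operand widths, the constructed values and the helper names (`wrap_test_u64`, `wrap_test_mixed`, `add_overflows_u32`, `range_exceeds`) are assumptions, and `__builtin_add_overflow` (GCC 5 or later, clang) stands in for the `__builtin_add_overflow_p` form proposed above.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* The patch's open-coded test with both operands 64-bit (assumed width). */
static bool wrap_test_u64(uint64_t base, uint64_t size)
{
	return base + size <= base;	/* also true for size == 0 */
}

/* Same expression, but base is 32-bit and size 64-bit (assumed types):
 * the sum is evaluated in 64 bits, so a 32-bit wrap goes unnoticed. */
static bool wrap_test_mixed(uint32_t base, uint64_t size)
{
	return base + size <= base;
}

/* Checks the sum against the destination type, whatever the operand widths.
 * Uses __builtin_add_overflow (GCC >= 5, clang), not the _p variant. */
static bool add_overflows_u32(uint32_t base, uint64_t size)
{
	uint32_t end;

	return __builtin_add_overflow(base, size, &end);
}

/* Hypothetical helper: compare against an explicit limit without ever
 * forming base + size, so nothing can wrap. */
static bool range_exceeds(uint64_t base, uint64_t size, uint64_t max)
{
	return base > max || size > max - base;
}

int main(void)
{
	/* Constructed values, not taken from real hardware. */
	printf("u64 wrap:        %d\n", wrap_test_u64(UINT64_MAX - 0xfff, 0x1000));
	printf("u64 zero size:   %d\n", wrap_test_u64(0x80000000u, 0));
	printf("mixed, missed:   %d\n", wrap_test_mixed(0xff000000u, 0x2000000));
	printf("builtin, caught: %d\n", add_overflows_u32(0xff000000u, 0x2000000));
	printf("range, caught:   %d\n", range_exceeds(0xff000000u, 0x2000000, UINT32_MAX));
	return 0;
}
```
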
diff --git a/drivers/gpu/drm/i915/i915_gem_stolen.c b/drivers/gpu/drm/i915/i915_gem_stolen.c index 42bbc4b04fd6..37a26e1c9190 100644 --- a/drivers/gpu/drm/i915/i915_gem_stolen.c +++ b/drivers/gpu/drm/i915/i915_gem_stolen.c @@ -189,7 +189,7 @@ static dma_addr_t i915_stolen_to_dma(struct drm_i915_private *dev_priv) base = tom - tseg_size - ggtt->stolen_size; } - if (base == 0) + if (base == 0 || base + ggtt->stolen_size <= base) return 0; /* make sure we don't clobber the GTT if it's within stolen memory */
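Review bot: In the added condition `base + ggtt->stolen_size <= base`, the `<=` makes a zero `ggtt->stolen_size` return 0 as well, which is not an overflow; if rejecting an empty stolen range is intended, say so in the commit message or a comment, otherwise use `<`. The open-coded wrap test also detects overflow only at the width the sum is evaluated in, which depends on operand types the hunk does not show, so a named helper checked against the limit of dma_addr_t (the function's return type) would state the intent and stay correct if one of those types changes.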
Just do a quick check that the stolen memory address range doesn't overflow our chosen integer type. Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk> --- drivers/gpu/drm/i915/i915_gem_stolen.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)