[3/4] drm/i915/fb: Check that the clear color fits within the BO

Commit Message

Ville Syrjala Nov. 29, 2024, 6:50 a.m. UTC

From: Ville Syrjälä <ville.syrjala@linux.intel.com>

Make sure the user supplied offset[] for the clear color plane
fits within the actual BO. Note that we use tile units to track
the size here. All the other color/aux planes are already
being checked correctly.

Cc: Sagar Ghuge <sagar.ghuge@intel.com>
Cc: Nanley Chery <nanley.g.chery@intel.com>
Cc: Xi Ruoyao <xry111@xry111.site>
Signed-off-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
---
 drivers/gpu/drm/i915/display/intel_fb.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

Patch

diff --git a/drivers/gpu/drm/i915/display/intel_fb.c b/drivers/gpu/drm/i915/display/intel_fb.c
index e478d412785e..9f7f1b9f3275 100644
--- a/drivers/gpu/drm/i915/display/intel_fb.c
+++ b/drivers/gpu/drm/i915/display/intel_fb.c
@@ -1694,6 +1694,8 @@  int intel_fill_fb_info(struct drm_i915_private *i915, struct intel_framebuffer *
 		 * arithmetic related to alignment and offset calculation.
 		 */
 		if (is_gen12_ccs_cc_plane(&fb->base, i)) {
+			unsigned int end;
+
 			if (!IS_ALIGNED(fb->base.offsets[i], 64)) {
 				drm_dbg_kms(&i915->drm,
 					    "fb misaligned clear color plane %d offset (0x%x)\n",
@@ -1701,6 +1703,14 @@  int intel_fill_fb_info(struct drm_i915_private *i915, struct intel_framebuffer *
 				return -EINVAL;
 			}
 
+			if (check_add_overflow(fb->base.offsets[i], 64, &end)) {
+				drm_dbg_kms(&i915->drm,
+					    "fb bad clear color plane %d offset (0x%x)\n",
+					    i, fb->base.offsets[i]);
+				return -EINVAL;
+			}
+
+			max_size = max(max_size, DIV_ROUND_UP(end, tile_size));
 			continue;
 		}