From patchwork Thu Mar  2 16:38:30 2017
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Arnd Bergmann <arnd@arndb.de>
X-Patchwork-Id: 9601349
X-Patchwork-Delegate: kvalo@adurom.com
Return-Path: <linux-wireless-owner@kernel.org>
Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org
	[172.30.200.125])
	by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id
	807BA60429 for <patchwork-linux-wireless@patchwork.kernel.org>;
	Thu,  2 Mar 2017 18:16:41 +0000 (UTC)
Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 77319285CF
	for <patchwork-linux-wireless@patchwork.kernel.org>;
	Thu,  2 Mar 2017 18:16:41 +0000 (UTC)
Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486)
	id 6BC6D285D3; Thu,  2 Mar 2017 18:16:41 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	pdx-wl-mail.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-6.4 required=2.0 tests=BAYES_00, RCVD_IN_DNSWL_HI,
	RCVD_IN_SORBS_SPAM autolearn=unavailable version=3.3.1
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id E3C73285CF
	for <patchwork-linux-wireless@patchwork.kernel.org>;
	Thu,  2 Mar 2017 18:16:40 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1752270AbdCBSQg (ORCPT
	<rfc822;patchwork-linux-wireless@patchwork.kernel.org>);
	Thu, 2 Mar 2017 13:16:36 -0500
Received: from mout.kundenserver.de ([212.227.126.131]:65510 "EHLO
	mout.kundenserver.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1753217AbdCBSQf (ORCPT
	<rfc822;linux-wireless@vger.kernel.org>);
	Thu, 2 Mar 2017 13:16:35 -0500
Received: from wuerfel.lan ([78.42.17.5]) by mrelayeu.kundenserver.de
	(mreue001 [212.227.15.129]) with ESMTPA (Nemesis) id
	0M2kwo-1cTbIV3GJ4-00sfIB; Thu, 02 Mar 2017 17:38:57 +0100
From: Arnd Bergmann <arnd@arndb.de>
To: kasan-dev@googlegroups.com
Cc: Andrey Ryabinin <aryabinin@virtuozzo.com>,
	Alexander Potapenko <glider@google.com>,
	Dmitry Vyukov <dvyukov@google.com>, netdev@vger.kernel.org,
	linux-kernel@vger.kernel.org, linux-media@vger.kernel.org,
	linux-wireless@vger.kernel.org, kernel-build-reports@lists.linaro.org,
	"David S . Miller" <davem@davemloft.net>, Arnd Bergmann <arnd@arndb.de>
Subject: [PATCH 22/26] drm/i915/gvt: don't overflow the kernel stack with
	KASAN
Date: Thu,  2 Mar 2017 17:38:30 +0100
Message-Id: <20170302163834.2273519-23-arnd@arndb.de>
X-Mailer: git-send-email 2.9.0
In-Reply-To: <20170302163834.2273519-1-arnd@arndb.de>
References: <20170302163834.2273519-1-arnd@arndb.de>
X-Provags-ID: V03:K0:/jw5U77y+u4hsh9y/RDJ9mc4PhyVg1Fuixt2ata69lYHbtJ7QtX
	mpsuBVtBC7K6J0kf+N2ezl+LzRYNKr8TC3NS8BygB5mY2fw02z5WAfTwT5+YzxJRP3kg8uA
	Tm6Fu7Qlc7Gs3uB12husl/K2xzz4CtcxBEzrPQrAw2Ug8anhWYW29XmhUgZMHt7e40TdalH
	iW0KHvZXko84jQv5yDGsQ==
X-UI-Out-Filterresults: notjunk:1; V01:K0:S7w5uBNTUsk=:a4sxr630R6372ZWWm7tyd4
	0v4rka30VKWKtlBXwSBPa0KEyMNJyGJJzpk3nO6Rx1HLR8YpIYTDWiftIWvpzXC4g1V7Oq/e5
	8hRce4D5P9qkqMN5IM3hCKoA0n9Hq7IncPsHRe3pOrEJc2mWjTz8sCUT7hpJSdIxvhxT+dePc
	Fl1L9GP0d3b9KaZia9TE05ooEwbvpQnO43ayNSyrR9/DGyr1/QdHJ+7dCpZu0cSTNYn6ycBYA
	/mOkP+9Q80OVlB2vpgsgYukaLssxjgvAIkhdre15pTHnPWYlp2LOHkmqaaOCYGbdG6RqqfEIW
	l5p84WQ5gmZsStSbjl7A4eYW1PSJ85jlTKkxjrCqXmBZnXAHdTrmvlQ6gCx8vGye2r4ayiiCn
	eA/XlZ0cszqvBES+hX7lYW0JbvFlepje7l/m6eEOHlskASnfji0M7n0f9AisBXixOFbZWp7kC
	7sLUuG5C1/Yef373MIK6m7NS42CbXLOpMbQq5E5bkIo+SB9fmEyzJvDjgNxiuh9ZacSvIPXgg
	iLE3Qs8PM5+LAOtpiym0FCF9/cLLQcWKqljN/yWS/x4v4PVAMvDc8gApNApK8DKTESXDc2n6K
	HfdRAAr/dwGoG3Ua8f/p9NsHrt9wRHSo2mB1R/LT8Bmis+lP3U6hX1Fz1y+qPeshFvfoZwUjD
	7LS5lUNIp3AajYdV3uAZxKADu6dmcFial2G3ELTj2TZ7d8qo0AYxcITTJ8beibIRam9k=
Sender: linux-wireless-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-wireless.vger.kernel.org>
X-Mailing-List: linux-wireless@vger.kernel.org
X-Virus-Scanned: ClamAV using ClamSMTP

Enabling CONFIG_KASAN can lead to an instant stack overflow:

drivers/gpu/drm/i915/gvt/handlers.c: In function 'init_generic_mmio_info':
drivers/gpu/drm/i915/gvt/handlers.c:2200:1: error: the frame size of 30464 bytes is larger than 3072 bytes [-Werror=frame-larger-than=]
drivers/gpu/drm/i915/gvt/handlers.c: In function 'init_broadwell_mmio_info':
drivers/gpu/drm/i915/gvt/handlers.c:2402:1: error: the frame size of 5376 bytes is larger than 3072 bytes [-Werror=frame-larger-than=]
drivers/gpu/drm/i915/gvt/handlers.c: In function 'init_skl_mmio_info':
drivers/gpu/drm/i915/gvt/handlers.c:2628:1: error: the frame size of 5296 bytes is larger than 3072 bytes [-Werror=frame-larger-than=]

The reason is the INTEL_GVT_MMIO_OFFSET() hack that attempts to convert any type
(including i915_reg_t) into a u32 by reading the first four bytes, in combination
with the stack sanitizer that adds a redzone around each instance.

Originally, i915_reg_t was introduced to add a little extra type safety by
disallowing simple type casts, and INTEL_GVT_MMIO_OFFSET() goes the opposite
way by allowing any type as input, including those that are not safe in this
context.

I'm replacing it with an implementation that specifically allows the three
types that are actually used as input: 'i915_reg_t' (from _MMIO constants),
'int' (from other constants), and 'unsigned int' (from function arguments),
and any other type should now provoke a build error. This also solves the
stack overflow as we no longer use a local variable for each instance.

Signed-off-by: Arnd Bergmann <arnd@arndb.de>
---
 drivers/gpu/drm/i915/gvt/mmio.h | 17 ++++++++++++-----
 1 file changed, 12 insertions(+), 5 deletions(-)

diff --git a/drivers/gpu/drm/i915/gvt/mmio.h b/drivers/gpu/drm/i915/gvt/mmio.h
index 3bc620f56f35..bf40100fc626 100644
--- a/drivers/gpu/drm/i915/gvt/mmio.h
+++ b/drivers/gpu/drm/i915/gvt/mmio.h
@@ -78,13 +78,20 @@ bool intel_gvt_match_device(struct intel_gvt *gvt, unsigned long device);
 int intel_gvt_setup_mmio_info(struct intel_gvt *gvt);
 void intel_gvt_clean_mmio_info(struct intel_gvt *gvt);
 
+static inline u32 intel_gvt_mmio_offset(unsigned int offset)
+{
+	return offset;
+}
+
 struct intel_gvt_mmio_info *intel_gvt_find_mmio_info(struct intel_gvt *gvt,
 						     unsigned int offset);
-#define INTEL_GVT_MMIO_OFFSET(reg) ({ \
-	typeof(reg) __reg = reg; \
-	u32 *offset = (u32 *)&__reg; \
-	*offset; \
-})
+#define INTEL_GVT_MMIO_OFFSET(reg) \
+__builtin_choose_expr(__builtin_types_compatible_p(typeof(reg), int), intel_gvt_mmio_offset, \
+__builtin_choose_expr(__builtin_types_compatible_p(typeof(reg), unsigned int), intel_gvt_mmio_offset, \
+__builtin_choose_expr(__builtin_types_compatible_p(typeof(reg), i915_reg_t), i915_mmio_reg_offset, \
+	(void)(0) \
+)))(reg)
+
 
 int intel_vgpu_init_mmio(struct intel_vgpu *vgpu);
 void intel_vgpu_reset_mmio(struct intel_vgpu *vgpu);