[PATCH] drm/i915: add sanity check for partial view creation

[PATCH] drm/i915: add sanity check for partial view creation

[Matthew Auld]

When binding pages for a partial view we should check that the offset +
size is valid relative to the size of the gem object.

Cc: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
Signed-off-by: Matthew Auld <matthew.auld@intel.com>
---
 drivers/gpu/drm/i915/i915_gem_gtt.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/drivers/gpu/drm/i915/i915_gem_gtt.c b/drivers/gpu/drm/i915/i915_gem_gtt.c
index 49e4f26..a477bb2 100644
--- a/drivers/gpu/drm/i915/i915_gem_gtt.c
+++ b/drivers/gpu/drm/i915/i915_gem_gtt.c
@@ -3500,6 +3500,10 @@ intel_partial_pages(const struct i915_ggtt_view *view,
 	struct sg_page_iter obj_sg_iter;
 	int ret = -ENOMEM;
 
+	if (view->params.partial.offset + view->params.partial.size >
+	    obj->pages->nents)
+		return ERR_PTR(-EINVAL);
+
 	st = kmalloc(sizeof(*st), GFP_KERNEL);
 	if (!st)
 		goto err_st_alloc;
-- 
2.4.3

_______________________________________________
Intel-gfx mailing list
Intel-gfx@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/intel-gfx

✗ Fi.CI.BAT: warning for drm/i915: add sanity check for partial view creation

[Patchwork]

== Series Details ==

Series: drm/i915: add sanity check for partial view creation
URL   : https://patchwork.freedesktop.org/series/3926/
State : warning

== Summary ==

Series 3926v1 drm/i915: add sanity check for partial view creation
http://patchwork.freedesktop.org/api/1.0/series/3926/revisions/1/mbox/

Test kms_flip:
        Subgroup basic-flip-vs-dpms:
                pass       -> DMESG-WARN (hsw-brixbox)
        Subgroup basic-flip-vs-wf_vblank:
                dmesg-warn -> PASS       (hsw-brixbox)
Test kms_pipe_crc_basic:
        Subgroup nonblocking-crc-pipe-b:
                dmesg-warn -> PASS       (snb-x220t)
        Subgroup read-crc-pipe-b:
                pass       -> DMESG-WARN (hsw-gt2)
        Subgroup suspend-read-crc-pipe-c:
                pass       -> DMESG-WARN (bsw-nuc-2)
Test pm_rpm:
        Subgroup basic-pci-d3-state:
                fail       -> DMESG-FAIL (snb-x220t)
                pass       -> DMESG-WARN (hsw-gt2)
                dmesg-warn -> PASS       (byt-nuc)

bdw-nuci7        total:166  pass:155  dwarn:0   dfail:0   fail:0   skip:11 
bdw-ultra        total:169  pass:155  dwarn:0   dfail:0   fail:0   skip:14 
bsw-nuc-2        total:169  pass:137  dwarn:1   dfail:0   fail:1   skip:30 
byt-nuc          total:169  pass:144  dwarn:0   dfail:0   fail:0   skip:25 
hsw-brixbox      total:169  pass:153  dwarn:1   dfail:0   fail:0   skip:15 
hsw-gt2          total:169  pass:156  dwarn:2   dfail:1   fail:0   skip:10 
ilk-hp8440p      total:169  pass:118  dwarn:0   dfail:0   fail:1   skip:50 
ivb-t430s        total:169  pass:153  dwarn:0   dfail:0   fail:1   skip:15 
snb-dellxps      total:169  pass:143  dwarn:2   dfail:0   fail:1   skip:23 
snb-x220t        total:169  pass:144  dwarn:1   dfail:1   fail:1   skip:22 

Results at /archive/results/CI_IGT_test/Patchwork_1495/

a1c053436ca45c5860f842e294ad29d6055bd43b drm-intel-nightly: 2016y-02m-29d-16h-58m-26s UTC integration manifest
2cdbd535042074b7b79b7db1ae18cb632ffd823c drm/i915: add sanity check for partial view creation

_______________________________________________
Intel-gfx mailing list
Intel-gfx@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/intel-gfx

Re: [PATCH] drm/i915: add sanity check for partial view creation

[Ville Syrjälä]

On Mon, Feb 29, 2016 at 05:11:02PM +0000, Matthew Auld wrote:
> When binding pages for a partial view we should check that the offset +
> size is valid relative to the size of the gem object.
> 
> Cc: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
> Signed-off-by: Matthew Auld <matthew.auld@intel.com>
> ---
>  drivers/gpu/drm/i915/i915_gem_gtt.c | 4 ++++
>  1 file changed, 4 insertions(+)
> 
> diff --git a/drivers/gpu/drm/i915/i915_gem_gtt.c b/drivers/gpu/drm/i915/i915_gem_gtt.c
> index 49e4f26..a477bb2 100644
> --- a/drivers/gpu/drm/i915/i915_gem_gtt.c
> +++ b/drivers/gpu/drm/i915/i915_gem_gtt.c
> @@ -3500,6 +3500,10 @@ intel_partial_pages(const struct i915_ggtt_view *view,
>  	struct sg_page_iter obj_sg_iter;
>  	int ret = -ENOMEM;
>  
> +	if (view->params.partial.offset + view->params.partial.size >
> +	    obj->pages->nents)
> +		return ERR_PTR(-EINVAL);

It seems to me that if we hit this, there must a bug somewhere higher
up.

> +
>  	st = kmalloc(sizeof(*st), GFP_KERNEL);
>  	if (!st)
>  		goto err_st_alloc;
> -- 
> 2.4.3
> 
> _______________________________________________
> Intel-gfx mailing list
> Intel-gfx@lists.freedesktop.org
> https://lists.freedesktop.org/mailman/listinfo/intel-gfx

-- 
Ville Syrjälä
Intel OTC
_______________________________________________
Intel-gfx mailing list
Intel-gfx@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/intel-gfx

Re: [PATCH] drm/i915: add sanity check for partial view creation

[Joonas Lahtinen]

On ma, 2016-02-29 at 17:11 +0000, Matthew Auld wrote:
> When binding pages for a partial view we should check that the offset +
> size is valid relative to the size of the gem object.
> 
> Cc: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>

Reviewed-by: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>

> Signed-off-by: Matthew Auld <matthew.auld@intel.com>
> ---
>  drivers/gpu/drm/i915/i915_gem_gtt.c | 4 ++++
>  1 file changed, 4 insertions(+)
> 
> diff --git a/drivers/gpu/drm/i915/i915_gem_gtt.c b/drivers/gpu/drm/i915/i915_gem_gtt.c
> index 49e4f26..a477bb2 100644
> --- a/drivers/gpu/drm/i915/i915_gem_gtt.c
> +++ b/drivers/gpu/drm/i915/i915_gem_gtt.c
> @@ -3500,6 +3500,10 @@ intel_partial_pages(const struct i915_ggtt_view *view,
>  	struct sg_page_iter obj_sg_iter;
>  	int ret = -ENOMEM;
>  
> +	if (view->params.partial.offset + view->params.partial.size >
> +	    obj->pages->nents)
> +		return ERR_PTR(-EINVAL);
> +
>  	st = kmalloc(sizeof(*st), GFP_KERNEL);
>  	if (!st)
>  		goto err_st_alloc;
-- 
Joonas Lahtinen
Open Source Technology Center
Intel Corporation
_______________________________________________
Intel-gfx mailing list
Intel-gfx@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/intel-gfx

Re: [PATCH] drm/i915: add sanity check for partial view creation

[Tvrtko Ursulin]

On 29/02/16 17:11, Matthew Auld wrote:
> When binding pages for a partial view we should check that the offset +
> size is valid relative to the size of the gem object.
>
> Cc: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
> Signed-off-by: Matthew Auld <matthew.auld@intel.com>
> ---
>   drivers/gpu/drm/i915/i915_gem_gtt.c | 4 ++++
>   1 file changed, 4 insertions(+)
>
> diff --git a/drivers/gpu/drm/i915/i915_gem_gtt.c b/drivers/gpu/drm/i915/i915_gem_gtt.c
> index 49e4f26..a477bb2 100644
> --- a/drivers/gpu/drm/i915/i915_gem_gtt.c
> +++ b/drivers/gpu/drm/i915/i915_gem_gtt.c
> @@ -3500,6 +3500,10 @@ intel_partial_pages(const struct i915_ggtt_view *view,
>   	struct sg_page_iter obj_sg_iter;
>   	int ret = -ENOMEM;
>
> +	if (view->params.partial.offset + view->params.partial.size >
> +	    obj->pages->nents)
> +		return ERR_PTR(-EINVAL);
> +

obj->pages->nents is not guaranteed to be equal to number of pages but 
can be less than due sg entry coalescing.

I suggest replacing with a check against "obj->base.size >> PAGE_SHIFT".

>   	st = kmalloc(sizeof(*st), GFP_KERNEL);
>   	if (!st)
>   		goto err_st_alloc;
>

Regards,

Tvrtko
_______________________________________________
Intel-gfx mailing list
Intel-gfx@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/intel-gfx

Re: [PATCH] drm/i915: add sanity check for partial view creation

[Chris Wilson]

On Wed, Mar 02, 2016 at 03:29:12PM +0200, Joonas Lahtinen wrote:
> On ma, 2016-02-29 at 17:11 +0000, Matthew Auld wrote:
> > When binding pages for a partial view we should check that the offset +
> > size is valid relative to the size of the gem object.
> > 
> > Cc: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
> 
> Reviewed-by: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
> 
> > Signed-off-by: Matthew Auld <matthew.auld@intel.com>
> > ---
> >  drivers/gpu/drm/i915/i915_gem_gtt.c | 4 ++++
> >  1 file changed, 4 insertions(+)
> > 
> > diff --git a/drivers/gpu/drm/i915/i915_gem_gtt.c b/drivers/gpu/drm/i915/i915_gem_gtt.c
> > index 49e4f26..a477bb2 100644
> > --- a/drivers/gpu/drm/i915/i915_gem_gtt.c
> > +++ b/drivers/gpu/drm/i915/i915_gem_gtt.c
> > @@ -3500,6 +3500,10 @@ intel_partial_pages(const struct i915_ggtt_view *view,
> >  	struct sg_page_iter obj_sg_iter;
> >  	int ret = -ENOMEM;
> >  
> > +	if (view->params.partial.offset + view->params.partial.size >
> > +	    obj->pages->nents)
> > +		return ERR_PTR(-EINVAL);

Wrong. Tell me again what nents has to do with the object size?
-Chris

-- 
Chris Wilson, Intel Open Source Technology Centre
_______________________________________________
Intel-gfx mailing list
Intel-gfx@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/intel-gfx

Re: [PATCH] drm/i915: add sanity check for partial view creation

[Joonas Lahtinen]

On ma, 2016-02-29 at 19:57 +0200, Ville Syrjälä wrote:
> On Mon, Feb 29, 2016 at 05:11:02PM +0000, Matthew Auld wrote:
> > 
> > When binding pages for a partial view we should check that the offset +
> > size is valid relative to the size of the gem object.
> > 
> > Cc: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
> > Signed-off-by: Matthew Auld <matthew.auld@intel.com>
> > ---
> >  drivers/gpu/drm/i915/i915_gem_gtt.c | 4 ++++
> >  1 file changed, 4 insertions(+)
> > 
> > diff --git a/drivers/gpu/drm/i915/i915_gem_gtt.c b/drivers/gpu/drm/i915/i915_gem_gtt.c
> > index 49e4f26..a477bb2 100644
> > --- a/drivers/gpu/drm/i915/i915_gem_gtt.c
> > +++ b/drivers/gpu/drm/i915/i915_gem_gtt.c
> > @@ -3500,6 +3500,10 @@ intel_partial_pages(const struct i915_ggtt_view *view,
> >  	struct sg_page_iter obj_sg_iter;
> >  	int ret = -ENOMEM;
> >  
> > +	if (view->params.partial.offset + view->params.partial.size >
> > +	    obj->pages->nents)
> > +		return ERR_PTR(-EINVAL);
> It seems to me that if we hit this, there must a bug somewhere higher
> up.
> 

Currently yes. This is in preparation of the more widespread support
for partial views and was chosen as a good get-to-know-GEM-code
candidate.

Regards, Joonas

> > 
> > +
> >  	st = kmalloc(sizeof(*st), GFP_KERNEL);
> >  	if (!st)
> >  		goto err_st_alloc;
> > -- 
> > 2.4.3
> > 
> > _______________________________________________
> > Intel-gfx mailing list
> > Intel-gfx@lists.freedesktop.org
> > https://lists.freedesktop.org/mailman/listinfo/intel-gfx
-- 
Joonas Lahtinen
Open Source Technology Center
Intel Corporation
_______________________________________________
Intel-gfx mailing list
Intel-gfx@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/intel-gfx

[PATCH] drm/i915: add sanity check for partial view creation

[Matthew Auld]

Upon creating a partial view we should check that the offset + size is
valid relative to the size of the gem object.

v2:
(Tvrtko Ursulin)
    - Don't use pages->nents to determine the page count
v3:
(Chris Wilson)
    - Handle potential overflow
v4:
(Chris Wilson)
    - Idiomatically handle overflow
    - Less idiotic placement
    - Treat as programmer error

Cc: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
Signed-off-by: Matthew Auld <matthew.auld@intel.com>
---
 drivers/gpu/drm/i915/i915_gem_gtt.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/drivers/gpu/drm/i915/i915_gem_gtt.c b/drivers/gpu/drm/i915/i915_gem_gtt.c
index fb0f963..593eb15 100644
--- a/drivers/gpu/drm/i915/i915_gem_gtt.c
+++ b/drivers/gpu/drm/i915/i915_gem_gtt.c
@@ -3356,6 +3356,14 @@ i915_gem_obj_lookup_or_create_ggtt_vma(struct drm_i915_gem_object *obj,
 	if (WARN_ON(!view))
 		return ERR_PTR(-EINVAL);
 
+	if (view->type == I915_GGTT_VIEW_PARTIAL) {
+		unsigned int page_count = obj->base.size >> PAGE_SHIFT;
+		if (WARN_ON(view->params.partial.offset > page_count ||
+			    view->params.partial.size > page_count  -
+			    view->params.partial.offset))
+			return ERR_PTR(-EINVAL);
+	}
+
 	vma = i915_gem_obj_to_ggtt_view(obj, view);
 
 	if (IS_ERR(vma))
-- 
2.4.3

_______________________________________________
Intel-gfx mailing list
Intel-gfx@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/intel-gfx

Re: [PATCH] drm/i915: add sanity check for partial view creation

[Matthew Auld]

> If this concerns you that, please look at the API,
and please review the outstanding patches.

Could you elaborate on this please?
What patches are you referring to?
_______________________________________________
Intel-gfx mailing list
Intel-gfx@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/intel-gfx

Re: [PATCH] drm/i915: add sanity check for partial view creation

[Chris Wilson]

On Fri, Mar 04, 2016 at 10:11:24AM +0000, Matthew Auld wrote:
> When binding pages for a partial view we should check that the offset +
> size is valid relative to the size of the gem object.
> 
> v2: Don't use pages->nents to determine the page count (Tvrtko Ursulin)
> v3: Handle potential overflow (Chris Wilson)
> 
> Cc: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
> Signed-off-by: Matthew Auld <matthew.auld@intel.com>
> ---
>  drivers/gpu/drm/i915/i915_gem_gtt.c | 7 +++++++
>  1 file changed, 7 insertions(+)
> 
> diff --git a/drivers/gpu/drm/i915/i915_gem_gtt.c b/drivers/gpu/drm/i915/i915_gem_gtt.c
> index 7b8de85..596692b 100644
> --- a/drivers/gpu/drm/i915/i915_gem_gtt.c
> +++ b/drivers/gpu/drm/i915/i915_gem_gtt.c
> @@ -3493,6 +3493,13 @@ intel_partial_pages(const struct i915_ggtt_view *view,
>  	struct sg_page_iter obj_sg_iter;
>  	int ret = -ENOMEM;
>  
> +	if (U64_MAX - view->params.partial.offset < view->params.partial.size)
> +		return ERR_PTR(-ERANGE);

Idiomatically is this how we test for offset+size overflows?

> +	if (view->params.partial.offset + view->params.partial.size >
> +	    obj->base.size >> PAGE_SHIFT)
> +		return ERR_PTR(-EINVAL);

This is still idiotic (placement, choice of runtime errors for a
programmer error). If this concerns you that, please look at the API,
and please review the outstanding patches.
-Chris

-- 
Chris Wilson, Intel Open Source Technology Centre
_______________________________________________
Intel-gfx mailing list
Intel-gfx@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/intel-gfx

[PATCH] drm/i915: add sanity check for partial view creation

[Matthew Auld]

When binding pages for a partial view we should check that the offset +
size is valid relative to the size of the gem object.

v2: Don't use pages->nents to determine the page count (Tvrtko Ursulin)
v3: Handle potential overflow (Chris Wilson)

Cc: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
Signed-off-by: Matthew Auld <matthew.auld@intel.com>
---
 drivers/gpu/drm/i915/i915_gem_gtt.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/drivers/gpu/drm/i915/i915_gem_gtt.c b/drivers/gpu/drm/i915/i915_gem_gtt.c
index 7b8de85..596692b 100644
--- a/drivers/gpu/drm/i915/i915_gem_gtt.c
+++ b/drivers/gpu/drm/i915/i915_gem_gtt.c
@@ -3493,6 +3493,13 @@ intel_partial_pages(const struct i915_ggtt_view *view,
 	struct sg_page_iter obj_sg_iter;
 	int ret = -ENOMEM;
 
+	if (U64_MAX - view->params.partial.offset < view->params.partial.size)
+		return ERR_PTR(-ERANGE);
+
+	if (view->params.partial.offset + view->params.partial.size >
+	    obj->base.size >> PAGE_SHIFT)
+		return ERR_PTR(-EINVAL);
+
 	st = kmalloc(sizeof(*st), GFP_KERNEL);
 	if (!st)
 		goto err_st_alloc;
-- 
2.4.3

_______________________________________________
Intel-gfx mailing list
Intel-gfx@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/intel-gfx

Re: [PATCH] drm/i915: add sanity check for partial view creation

[Chris Wilson]

On Thu, Mar 03, 2016 at 11:27:47AM +0000, Auld, Matthew wrote:
> > Handle overflow?
> 
> Okay, good idea.
> 
> > Why do it here and not at creation?
> 
> We could, given that we currently only exercise partial views in the gem fault handler code, but as Joonas mentioned we are expecting further use of partial views, so it makes sense to have the check in only one place.

More use of broken code? Please review the patches to fix the current
implementation first!
-Chris

-- 
Chris Wilson, Intel Open Source Technology Centre
_______________________________________________
Intel-gfx mailing list
Intel-gfx@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/intel-gfx

Re: [PATCH] drm/i915: add sanity check for partial view creation

[Auld, Matthew]

> Handle overflow?

Okay, good idea.

> Why do it here and not at creation?

We could, given that we currently only exercise partial views in the gem fault handler code, but as Joonas mentioned we are expecting further use of partial views, so it makes sense to have the check in only one place.

> What bug are you fixing?

afaik this doesn't fix a bug, but it does seem like a reasonable sanity check to add, given more widespread use of partial views.

> Is this a user error? Or just an internal programming bug.

I think if we were to ever hit this it would be indicative of an internal programming bug.
________________________________________
From: Chris Wilson [chris@chris-wilson.co.uk]
Sent: 02 March 2016 14:42
To: Auld, Matthew
Cc: intel-gfx@lists.freedesktop.org
Subject: Re: [Intel-gfx] [PATCH] drm/i915: add sanity check for partial view creation

On Wed, Mar 02, 2016 at 02:33:29PM +0000, Matthew Auld wrote:
> When binding pages for a partial view we should check that the offset +
> size is valid relative to the size of the gem object.
>
> v2: Don't use pages->nents to determine the page count (Tvrtko Ursulin)
>
> Cc: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
> Signed-off-by: Matthew Auld <matthew.auld@intel.com>
> ---
>  drivers/gpu/drm/i915/i915_gem_gtt.c | 4 ++++
>  1 file changed, 4 insertions(+)
>
> diff --git a/drivers/gpu/drm/i915/i915_gem_gtt.c b/drivers/gpu/drm/i915/i915_gem_gtt.c
> index 7b8de85..2c49d043 100644
> --- a/drivers/gpu/drm/i915/i915_gem_gtt.c
> +++ b/drivers/gpu/drm/i915/i915_gem_gtt.c
> @@ -3493,6 +3493,10 @@ intel_partial_pages(const struct i915_ggtt_view *view,
>       struct sg_page_iter obj_sg_iter;
>       int ret = -ENOMEM;
>
> +     if (view->params.partial.offset + view->params.partial.size >

Handle overflow?

Why do it here and not at creation?

What bug are you fixing?


> +         obj->base.size >> PAGE_SHIFT)
> +             return ERR_PTR(-EINVAL);

Is this a user error? Or just an internal programming bug.
-Chris

--
Chris Wilson, Intel Open Source Technology Centre
_______________________________________________
Intel-gfx mailing list
Intel-gfx@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/intel-gfx

Re: [PATCH] drm/i915: add sanity check for partial view creation

[Chris Wilson]

On Wed, Mar 02, 2016 at 02:33:29PM +0000, Matthew Auld wrote:
> When binding pages for a partial view we should check that the offset +
> size is valid relative to the size of the gem object.
> 
> v2: Don't use pages->nents to determine the page count (Tvrtko Ursulin)
> 
> Cc: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
> Signed-off-by: Matthew Auld <matthew.auld@intel.com>
> ---
>  drivers/gpu/drm/i915/i915_gem_gtt.c | 4 ++++
>  1 file changed, 4 insertions(+)
> 
> diff --git a/drivers/gpu/drm/i915/i915_gem_gtt.c b/drivers/gpu/drm/i915/i915_gem_gtt.c
> index 7b8de85..2c49d043 100644
> --- a/drivers/gpu/drm/i915/i915_gem_gtt.c
> +++ b/drivers/gpu/drm/i915/i915_gem_gtt.c
> @@ -3493,6 +3493,10 @@ intel_partial_pages(const struct i915_ggtt_view *view,
>  	struct sg_page_iter obj_sg_iter;
>  	int ret = -ENOMEM;
>  
> +	if (view->params.partial.offset + view->params.partial.size >

Handle overflow?

Why do it here and not at creation?

What bug are you fixing?


> +	    obj->base.size >> PAGE_SHIFT)
> +		return ERR_PTR(-EINVAL);

Is this a user error? Or just an internal programming bug.
-Chris

-- 
Chris Wilson, Intel Open Source Technology Centre
_______________________________________________
Intel-gfx mailing list
Intel-gfx@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/intel-gfx

[PATCH] drm/i915: add sanity check for partial view creation

[Matthew Auld]

When binding pages for a partial view we should check that the offset +
size is valid relative to the size of the gem object.

v2: Don't use pages->nents to determine the page count (Tvrtko Ursulin)

Cc: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
Signed-off-by: Matthew Auld <matthew.auld@intel.com>
---
 drivers/gpu/drm/i915/i915_gem_gtt.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/drivers/gpu/drm/i915/i915_gem_gtt.c b/drivers/gpu/drm/i915/i915_gem_gtt.c
index 7b8de85..2c49d043 100644
--- a/drivers/gpu/drm/i915/i915_gem_gtt.c
+++ b/drivers/gpu/drm/i915/i915_gem_gtt.c
@@ -3493,6 +3493,10 @@ intel_partial_pages(const struct i915_ggtt_view *view,
 	struct sg_page_iter obj_sg_iter;
 	int ret = -ENOMEM;
 
+	if (view->params.partial.offset + view->params.partial.size >
+	    obj->base.size >> PAGE_SHIFT)
+		return ERR_PTR(-EINVAL);
+
 	st = kmalloc(sizeof(*st), GFP_KERNEL);
 	if (!st)
 		goto err_st_alloc;
-- 
2.4.3

_______________________________________________
Intel-gfx mailing list
Intel-gfx@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/intel-gfx