From: Dan Carpenter <dan.carpenter@oracle.com>
To: Jani Nikula <jani.nikula@linux.intel.com>,
	"Gustavo A. R. Silva" <gustavoars@kernel.org>
Cc: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>,
	Rodrigo Vivi <rodrigo.vivi@intel.com>,
	Tvrtko Ursulin <tvrtko.ursulin@linux.intel.com>,
	David Airlie <airlied@linux.ie>, Daniel Vetter <daniel@ffwll.ch>,
	Chris Wilson <chris@chris-wilson.co.uk>,
	intel-gfx@lists.freedesktop.org, dri-devel@lists.freedesktop.org,
	kernel-janitors@vger.kernel.org
Subject: [PATCH] drm/i915: prevent integer overflow in query_engine_info()
Date: Thu, 1 Sep 2022 18:38:42 +0300
Message-ID: <YxDSAj6tIrTZv5Y5@kili>

This code uses struct_size() but it stores the result in an int so the
integer overflow checks are not effective.  Record the types as size_t
to prevent the size from being truncated.

Fixes: bf3c50837506 ("drm/i915/query: Use struct_size() helper")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
---
I do not know if the integer overflow can happen.  This is a hardening
patch just like the conversion to struct_size().

 drivers/gpu/drm/i915/i915_query.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/drivers/gpu/drm/i915/i915_query.c b/drivers/gpu/drm/i915/i915_query.c
index 6ec9c9fb7b0d..43a499fbdc8d 100644
--- a/drivers/gpu/drm/i915/i915_query.c
+++ b/drivers/gpu/drm/i915/i915_query.c
@@ -13,7 +13,7 @@
 #include <uapi/drm/i915_drm.h>
 
 static int copy_query_item(void *query_hdr, size_t query_sz,
-			   u32 total_length,
+			   size_t total_length,
 			   struct drm_i915_query_item *query_item)
 {
 	if (query_item->length == 0)
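Review bot: copy_query_item() still returns int after total_length is widened to size_t, so a value above INT_MAX (including a saturated SIZE_MAX from struct_size()) would be narrowed again on any path that returns it. The body past the `if (query_item->length == 0)` test is not in the context, so that needs checking there. Consider rejecting an oversized total_length with an error at the top of the function, before the length checks, so the result no longer depends on how each later statement converts it.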
@@ -135,7 +135,8 @@ query_engine_info(struct drm_i915_private *i915,
 	struct drm_i915_engine_info info = { };
 	unsigned int num_uabi_engines = 0;
 	struct intel_engine_cs *engine;
-	int len, ret;
+	size_t len;
+	int ret;
 
 	if (query_item->flags)
 		return -EINVAL;
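Review bot: with `size_t len;` a saturated SIZE_MAX from struct_size() is now preserved, but nothing in this hunk rejects it and `int ret;` stays signed, so the hardening relies entirely on whatever consumes len further down. The commit message would be easier to verify if it named the place where an oversized len is caught (the first hunk suggests copy_query_item()'s total_length), and an explicit check right after the struct_size() call would make the fix independent of that callee.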
-- 
2.35.1
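
The truncation the commit message describes, as an added user-space example that is not part of the patch or the i915 driver. The structs, sat_struct_size() and the accept_* checks are hypothetical stand-ins; sat_struct_size() only models struct_size() returning SIZE_MAX on overflow.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed layout: 16-byte header followed by 56-byte array elements. */
struct item { uint64_t payload[7]; };
struct hdr { uint32_t count; uint32_t rsvd[3]; struct item items[]; };

/* User-space model of struct_size(): header + n elements, SIZE_MAX on overflow. */
static size_t sat_struct_size(size_t n)
{
	size_t bytes;

	if (__builtin_mul_overflow(n, sizeof(struct item), &bytes) ||
	    __builtin_add_overflow(bytes, sizeof(struct hdr), &bytes))
		return SIZE_MAX;
	return bytes;
}

/* Size kept in an int: returns 1 when a user_len-byte buffer is accepted. */
static int accept_int_len(size_t n, int user_len)
{
	int len = (int)sat_struct_size(n);	/* SIZE_MAX narrows to -1 */

	return !(user_len < len);
}

/* Size kept in a size_t: the saturated value survives and is rejected. */
static int accept_size_t_len(size_t n, int user_len)
{
	size_t len = sat_struct_size(n);

	return user_len >= 0 && !((size_t)user_len < len);
}

int main(void)
{
	/* 76695845 * 56 + 16 = 2^32 + 40 on LP64: no saturation, but int keeps only 40. */
	size_t counts[] = { 1, 76695845u, SIZE_MAX };

	for (size_t i = 0; i < sizeof(counts) / sizeof(counts[0]); i++)
		printf("n=%zu int:%d size_t:%d\n", counts[i],
		       accept_int_len(counts[i], 64),
		       accept_size_t_len(counts[i], 64));
	return 0;
}
```

With a 64-byte buffer, the int variant accepts both oversized counts while the size_t variant rejects them; the one-element case (72 bytes) is rejected by both.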


