[PATCH 1/2] drm/i915: fix integer overflow in i915_gem_execbuffer2()
Xi Wang
xi.wang at gmail.com
Fri Apr 6 13:34:58 PDT 2012
On Apr 6, 2012, at 3:40 PM, Chris Wilson wrote:
> On Fri, 6 Apr 2012 14:17:41 -0400, Xi Wang <xi.wang at gmail.com> wrote:
>>
>> Why an attempt to vmalloc? The overflow check in drm_malloc_ab()
>> will simply return NULL and fail the ioctl with -ENOMEM.
>
> It's an invalid value for the ioctl and should be treated as such, not
> making ENOMEM more ambiguous.
We could copy and paste the overflow check so as to return -EINVAL.
I just doubt how much that would help --- you can find existing usages
in other functions, for example, in i915_gem_execbuffer():
/* Copy in the exec list from userland */
exec_list = drm_malloc_ab(sizeof(*exec_list), args->buffer_count);
exec2_list = drm_malloc_ab(sizeof(*exec2_list), args->buffer_count);
if (exec_list == NULL || exec2_list == NULL) {
DRM_DEBUG("Failed to allocate exec list for %d buffers\n",
args->buffer_count);
drm_free_large(exec_list);
drm_free_large(exec2_list);
return -ENOMEM;
}
Should we fix all these as well by repeating the checks and returning
-EINVAL? I am worried about the code bloat / readability price you
would pay for getting a different error code.
BTW, I've also seen code using E2BIG. Any documented guideline?
- xi
More information about the dri-devel
mailing list