[bug report] drm/xe: shift wrapping in xe_gem_create_ioctl()
Dan Carpenter
dan.carpenter at linaro.org
Fri Jan 5 12:21:30 UTC 2024
Hello Matthew Brost,
The patch dd08ebf6c352: "drm/xe: Introduce a new DRM driver for Intel
GPUs" from Mar 30, 2023 (linux-next), leads to the following Smatch
static checker warning:
drivers/gpu/drm/xe/xe_bo.c:1916 xe_gem_create_ioctl()
warn: potential integer overflow from user 'args->placement <<'
drivers/gpu/drm/xe/xe_bo.c
1869 int xe_gem_create_ioctl(struct drm_device *dev, void *data,
1870 struct drm_file *file)
1871 {
1872 struct xe_device *xe = to_xe_device(dev);
1873 struct xe_file *xef = to_xe_file(file);
1874 struct drm_xe_gem_create *args = data;
1875 struct xe_vm *vm = NULL;
1876 struct xe_bo *bo;
1877 unsigned int bo_flags;
1878 u32 handle;
1879 int err;
1880
1881 if (XE_IOCTL_DBG(xe, args->extensions) ||
1882 XE_IOCTL_DBG(xe, args->pad[0] || args->pad[1] || args->pad[2]) ||
1883 XE_IOCTL_DBG(xe, args->reserved[0] || args->reserved[1]))
1884 return -EINVAL;
1885
1886 /* at least one valid memory placement must be specified */
1887 if (XE_IOCTL_DBG(xe, (args->placement & ~xe->info.mem_region_mask) ||
1888 !args->placement))
1889 return -EINVAL;
1890
1891 if (XE_IOCTL_DBG(xe, args->flags &
1892 ~(DRM_XE_GEM_CREATE_FLAG_DEFER_BACKING |
1893 DRM_XE_GEM_CREATE_FLAG_SCANOUT |
1894 DRM_XE_GEM_CREATE_FLAG_NEEDS_VISIBLE_VRAM)))
1895 return -EINVAL;
1896
1897 if (XE_IOCTL_DBG(xe, args->handle))
1898 return -EINVAL;
1899
1900 if (XE_IOCTL_DBG(xe, !args->size))
1901 return -EINVAL;
1902
1903 if (XE_IOCTL_DBG(xe, args->size > SIZE_MAX))
1904 return -EINVAL;
1905
1906 if (XE_IOCTL_DBG(xe, args->size & ~PAGE_MASK))
1907 return -EINVAL;
1908
1909 bo_flags = 0;
1910 if (args->flags & DRM_XE_GEM_CREATE_FLAG_DEFER_BACKING)
1911 bo_flags |= XE_BO_DEFER_BACKING;
1912
1913 if (args->flags & DRM_XE_GEM_CREATE_FLAG_SCANOUT)
1914 bo_flags |= XE_BO_SCANOUT_BIT;
1915
--> 1916 bo_flags |= args->placement << (ffs(XE_BO_CREATE_SYSTEM_BIT) - 1);
^^^^^^^^^^^^^^^
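Potential shift wrapping: args->placement comes from user space, and any bits shifted past the top of the unsigned int bo_flags are lost. The only bound on it visible in this excerpt is the xe->info.mem_region_mask check at line 1887, so whether the shift can really wrap depends on how wide that mask can be.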
1917
1918 if (args->flags & DRM_XE_GEM_CREATE_FLAG_NEEDS_VISIBLE_VRAM) {
1919 if (XE_IOCTL_DBG(xe, !(bo_flags & XE_BO_CREATE_VRAM_MASK)))
1920 return -EINVAL;
1921
1922 bo_flags |= XE_BO_NEEDS_CPU_ACCESS;
1923 }
1924
regards,
dan carpenter