[PATCH 3/3] drm/i915: Distinguish uAPI errors from implementation limitations
Tvrtko Ursulin
tursulin at ursulin.net
Wed May 31 13:22:44 UTC 2017
From: Tvrtko Ursulin <tvrtko.ursulin at intel.com>
Start returning -ENOMEM when we cannot handle the requested
number of allocations rather than confusing the user by
telling them they have used the uAPI incorrectly.
Signed-off-by: Tvrtko Ursulin <tvrtko.ursulin at intel.com>
Testcase: igt/gem_reloc_overflow/single-overflow
---
drivers/gpu/drm/i915/i915_gem_execbuffer.c | 24 ++++++++++++++----------
1 file changed, 14 insertions(+), 10 deletions(-)
diff --git a/drivers/gpu/drm/i915/i915_gem_execbuffer.c b/drivers/gpu/drm/i915/i915_gem_execbuffer.c
index a5e748d226f6..a8dee19b6087 100644
--- a/drivers/gpu/drm/i915/i915_gem_execbuffer.c
+++ b/drivers/gpu/drm/i915/i915_gem_execbuffer.c
@@ -1178,8 +1178,7 @@ validate_exec_list(struct drm_device *dev,
struct drm_i915_gem_exec_object2 *exec,
unsigned int count)
{
- unsigned relocs_total = 0;
- unsigned relocs_max = UINT_MAX / sizeof(struct drm_i915_gem_relocation_entry);
+ size_t relocs_total = 0;
unsigned invalid_flags;
unsigned int i;
@@ -1223,18 +1222,23 @@ validate_exec_list(struct drm_device *dev,
exec[i].pad_to_size = 0;
}
- /* First check for malicious input causing overflow in
- * the worst case where we need to allocate the entire
- * relocation tree as a single array.
- */
- if (exec[i].relocation_count > relocs_max - relocs_total)
- return -EINVAL;
- relocs_total += exec[i].relocation_count;
-
length = exec[i].relocation_count *
sizeof(struct drm_i915_gem_relocation_entry);
/*
+ * Check for malicious input causing overflow in the worst
+ * case where we need to allocate the entire relocation tree
+ * as a single array.
+ */
+ if (overflows_type(length, size_t))
+ return -ENOMEM;
+
+ if (add_overflows(relocs_total, length))
+ return -ENOMEM;
+
+ relocs_total += length;
+
+ /*
* We must check that the entire relocation array is safe
* to read, but since we may need to update the presumed
* offsets during execution, check for full write access.
--
2.9.4
More information about the Intel-gfx-trybot
mailing list