[PATCH 3/3] drm/i915: Distinguish uAPI errors from implementation limitations

Tvrtko Ursulin tursulin at ursulin.net
Wed May 31 13:22:44 UTC 2017


From: Tvrtko Ursulin <tvrtko.ursulin at intel.com>

Start returning -ENOMEM when we cannot handle the requested
number of allocations rather than confusing the user by
telling them they have used the uAPI incorrectly.

Signed-off-by: Tvrtko Ursulin <tvrtko.ursulin at intel.com>
Testcase: igt/gem_reloc_overflow/single-overflow
---
 drivers/gpu/drm/i915/i915_gem_execbuffer.c | 24 ++++++++++++++----------
 1 file changed, 14 insertions(+), 10 deletions(-)

diff --git a/drivers/gpu/drm/i915/i915_gem_execbuffer.c b/drivers/gpu/drm/i915/i915_gem_execbuffer.c
index a5e748d226f6..a8dee19b6087 100644
--- a/drivers/gpu/drm/i915/i915_gem_execbuffer.c
+++ b/drivers/gpu/drm/i915/i915_gem_execbuffer.c
@@ -1178,8 +1178,7 @@ validate_exec_list(struct drm_device *dev,
 		   struct drm_i915_gem_exec_object2 *exec,
 		   unsigned int count)
 {
-	unsigned relocs_total = 0;
-	unsigned relocs_max = UINT_MAX / sizeof(struct drm_i915_gem_relocation_entry);
+	size_t relocs_total = 0;
 	unsigned invalid_flags;
 	unsigned int i;
 
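Review bot: Dropping relocs_max at the top of validate_exec_list() changes the limit itself, not only the errno, and the commit message does not say so. The old bound was UINT_MAX / sizeof(struct drm_i915_gem_relocation_entry) entries in total; with relocs_total as a size_t byte count, the bound on a 64-bit build becomes whatever fits in size_t, which is far larger. If raising the cap is intended, state it in the commit message. Since the variable now accumulates bytes rather than entries (see `relocs_total += length` in the next hunk), a name such as relocs_total_bytes or a short comment on the declaration would keep the unit clear.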
@@ -1223,18 +1222,23 @@ validate_exec_list(struct drm_device *dev,
 			exec[i].pad_to_size = 0;
 		}
 
-		/* First check for malicious input causing overflow in
-		 * the worst case where we need to allocate the entire
-		 * relocation tree as a single array.
-		 */
-		if (exec[i].relocation_count > relocs_max - relocs_total)
-			return -EINVAL;
-		relocs_total += exec[i].relocation_count;
-
 		length = exec[i].relocation_count *
 			 sizeof(struct drm_i915_gem_relocation_entry);
 
 		/*
+		 * Check for malicious input causing overflow in the worst
+		 * case where we need to allocate the entire relocation tree
+		 * as a single array.
+		 */
+		if (overflows_type(length, size_t))
+			return  -ENOMEM;
+
+		if (add_overflows(relocs_total, length))
+			return -ENOMEM;
+
+		relocs_total += length;
+
+		/*
 		 * We must check that the entire relocation array is safe
 		 * to read, but since we may need to update the presumed
 		 * offsets during execution, check for full write access.
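Review bot: The new `if (overflows_type(length, size_t))` test runs after `length = exec[i].relocation_count * sizeof(...)` has already been evaluated, so it cannot see a wrapped product. sizeof yields a size_t, so unless relocation_count is declared wider than size_t (its declaration is not in this hunk) the multiplication is carried out in size_t, and on a 32-bit build a large relocation_count would wrap and then pass this check. The removed code avoided this by comparing the count against a precomputed maximum before multiplying. Suggest bounding exec[i].relocation_count against SIZE_MAX / sizeof(struct drm_i915_gem_relocation_entry) before computing length, then keeping the add_overflows() test for the running total. Minor: `return  -ENOMEM;` has a double space, and the comment still attributes the condition to malicious input while the return value now reports it as a resource limit, so the wording could be aligned with the commit message.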
-- 
2.9.4



More information about the Intel-gfx-trybot mailing list