[Intel-gfx] [PATCH 4/5] drm/i915: check for allocation overflow in error state capture
Ben Widawsky
ben at bwidawsk.net
Sat Sep 21 01:39:12 CEST 2013
On Thu, Sep 19, 2013 at 12:18:35PM +0200, Daniel Vetter wrote:
> Pretty harmless since actually binding such a giant thing would be
> really hard to pull off - it doesn't fit into the gtt of any shipping
> gpu right now.
>
> Signed-off-by: Daniel Vetter <daniel.vetter at ffwll.ch>
> ---
> drivers/gpu/drm/i915/i915_gpu_error.c | 8 +++++++-
> 1 file changed, 7 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/gpu/drm/i915/i915_gpu_error.c b/drivers/gpu/drm/i915/i915_gpu_error.c
> index 763283e..6c80636 100644
> --- a/drivers/gpu/drm/i915/i915_gpu_error.c
> +++ b/drivers/gpu/drm/i915/i915_gpu_error.c
> @@ -478,7 +478,7 @@ static void i915_error_state_free(struct kref *error_ref)
> static struct drm_i915_error_object *
> i915_error_object_create_sized(struct drm_i915_private *dev_priv,
> struct drm_i915_gem_object *src,
> - const int num_pages)
> + const unsigned int num_pages)
> {
> struct drm_i915_error_object *dst;
> int i;
> @@ -487,6 +487,12 @@ i915_error_object_create_sized(struct drm_i915_private *dev_priv,
> if (src == NULL || src->pages == NULL)
> return NULL;
>
> + if (num_pages > (UINT_MAX - sizeof(*dst)) / sizeof(u32 *)) {
> + DRM_DEBUG("error object with overflowing num_pages %u\n",
> + num_pages);
> + return NULL;
> + }
> +
I think either of these two assertions would be much better:
if (num_pages > src->base.size >> PAGE_SHIFT)
or
if (num_pages > dev_priv->gtt.base.total >> 12)...
Later with PPGTT, the gtt will just be a VM.
> dst = kmalloc(sizeof(*dst) + num_pages * sizeof(u32 *), GFP_ATOMIC);
> if (dst == NULL)
> return NULL;
--
Ben Widawsky, Intel Open Source Technology Center
More information about the Intel-gfx
mailing list