[Intel-gfx] [PATCH 1/2] drm/i915/userptr: add user_size limit check
Chris Wilson
chris at chris-wilson.co.uk
Thu Jan 16 19:31:29 UTC 2020
Quoting Matthew Auld (2020-01-16 19:28:08)
> Don't allow a mismatch between obj->base.size/vma->size and the actual
> number of pages for the backing store, which is limited to INT_MAX
> pages.
>
> Signed-off-by: Matthew Auld <matthew.auld at intel.com>
> Cc: Chris Wilson <chris at chris-wilson.co.uk>
> ---
> drivers/gpu/drm/i915/gem/i915_gem_userptr.c | 12 ++++++++++++
> 1 file changed, 12 insertions(+)
>
> diff --git a/drivers/gpu/drm/i915/gem/i915_gem_userptr.c b/drivers/gpu/drm/i915/gem/i915_gem_userptr.c
> index e5558af111e2..fef96a303d9d 100644
> --- a/drivers/gpu/drm/i915/gem/i915_gem_userptr.c
> +++ b/drivers/gpu/drm/i915/gem/i915_gem_userptr.c
> @@ -768,6 +768,18 @@ i915_gem_userptr_ioctl(struct drm_device *dev,
> if (args->flags & ~(I915_USERPTR_READ_ONLY |
> I915_USERPTR_UNSYNCHRONIZED))
> return -EINVAL;
> + /*
> + * XXX: There is a prevalence of the assumption that we fit the
> + * object's page count inside a 32bit _signed_ variable. Let's document
> + * this and catch if we ever need to fix it. In the meantime, if you do
> + * spot such a local variable, please consider fixing!
> + */
> +
> + if (args->user_size >> PAGE_SHIFT > INT_MAX)
> + return -E2BIG;
Are we not safe yet?
> +
> + if (overflows_type(args->user_size, obj->base.size))
> + return -E2BIG;
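Review bot: The page-count check `args->user_size >> PAGE_SHIFT > INT_MAX` rounds down, so a user_size that is not page-aligned is counted as one page fewer than it actually spans. The visible context shows only the flags validation before this point, not an alignment check, so either place this test after the alignment validation or state in the comment that it relies on it. Parentheses around the shift would also make the precedence explicit. The XXX comment is separated from the check it documents by an added blank line and covers only the INT_MAX case. The second check, `overflows_type(args->user_size, obj->base.size)`, has no comment, and a one-line note that it rejects a user_size that does not fit the type of obj->base.size would help.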
Ok.
-Chris