[PATCH] drm/i915/gvt: Check if "pipe" is valid value.

Aleksei Gimbitskii aleksei.gimbitskii at intel.com
Tue Jun 4 09:32:50 UTC 2019 

Static code analyzer reported that array "irq->events" may use index
value bigger than its size. If "pipe" is equal to I915_MAX_PIPES this
problem may arise. To ensure that "pipe" are valid insert additional
check before passing "pipe" to SKL_FLIP_EVENT().

This patch fixed the critial issues #765,#777 reported by klocwork.

Signed-off-by: Aleksei Gimbitskii <aleksei.gimbitskii at intel.com>
Cc: Zhenyu Wang <zhenyuw at linux.intel.com>
Cc: Zhi Wang <zhi.a.wang at intel.com>
Cc: Colin Xu <colin.xu at intel.com>
---
 drivers/gpu/drm/i915/gvt/handlers.c | 21 +++++++++++++++++++--
 1 file changed, 19 insertions(+), 2 deletions(-)

diff --git a/drivers/gpu/drm/i915/gvt/handlers.c b/drivers/gpu/drm/i915/gvt/handlers.c
index 7732caa1a546..5a652ca732c2 100644
--- a/drivers/gpu/drm/i915/gvt/handlers.c
+++ b/drivers/gpu/drm/i915/gvt/handlers.c
@@ -748,12 +748,22 @@ static int south_chicken2_mmio_write(struct intel_vgpu *vgpu,
 #define DSPSURF_TO_PIPE(offset) \
 	calc_index(offset, _DSPASURF, _DSPBSURF, 0, DSPSURF(PIPE_C))
 
+#define valid_pipe(pipe) \
+	(pipe >= PIPE_A && pipe < I915_MAX_PIPES)
+
 static int pri_surf_mmio_write(struct intel_vgpu *vgpu, unsigned int offset,
 		void *p_data, unsigned int bytes)
 {
 	struct drm_i915_private *dev_priv = vgpu->gvt->dev_priv;
 	u32 pipe = DSPSURF_TO_PIPE(offset);
-	int event = SKL_FLIP_EVENT(pipe, PLANE_PRIMARY);
+	int event;
+
+	if (!valid_pipe(pipe)) {
+		WARN_ON(true);
+		return -EINVAL;
+	}
+
+	event = SKL_FLIP_EVENT(pipe, PLANE_PRIMARY);
 
 	write_vreg(vgpu, offset, p_data, bytes);
 	vgpu_vreg_t(vgpu, DSPSURFLIVE(pipe)) = vgpu_vreg(vgpu, offset);
@@ -775,7 +785,14 @@ static int spr_surf_mmio_write(struct intel_vgpu *vgpu, unsigned int offset,
 		void *p_data, unsigned int bytes)
 {
 	u32 pipe = SPRSURF_TO_PIPE(offset);
-	int event = SKL_FLIP_EVENT(pipe, PLANE_SPRITE0);
+	int event;
+
+	if (!valid_pipe(pipe)) {
+		WARN_ON(true);
+		return -EINVAL;
+	}
+
+	event = SKL_FLIP_EVENT(pipe, PLANE_SPRITE0);
 
 	write_vreg(vgpu, offset, p_data, bytes);
 	vgpu_vreg_t(vgpu, SPRSURFLIVE(pipe)) = vgpu_vreg(vgpu, offset);
-- 
2.17.1

---------------------------------------------------------------------
Intel Finland Oy
Registered Address: PL 281, 00181 Helsinki 
Business Identity Code: 0357606 - 4 
Domiciled in Helsinki 

This e-mail and any attachments may contain confidential material for
the sole use of the intended recipient(s). Any review or distribution
by others is strictly prohibited. If you are not the intended
recipient, please contact the sender and delete all copies.

More information about the intel-gvt-dev mailing list