[Mesa-dev] [PATCH] i965: Fix uint64_t overflow in intel_client_wait_sync()

[Kristian Høgsberg]

DRM_IOCTL_I915_GEM_WAIT takes an int64_t for the timeout value but
GL_ARB_sync takes an uint64_t.  Further, the ioctl used to wait
indefinitely when passed a negative timeout, but it's been broken and
now returns immediately in that case.  Thus, if an application passes
UINT64_MAX to wait forever, we overflow to -1LL and return immediately.
Work around this mess by clamping the wait timeout to INT64_MAX.

Signed-off-by: Kristian Høgsberg <krh at bitplanet.net>
---


 src/mesa/drivers/dri/i965/intel_syncobj.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/src/mesa/drivers/dri/i965/intel_syncobj.c b/src/mesa/drivers/dri/i965/intel_syncobj.c
index 9cde152..fb95892 100644
--- a/src/mesa/drivers/dri/i965/intel_syncobj.c
+++ b/src/mesa/drivers/dri/i965/intel_syncobj.c
@@ -84,6 +84,13 @@ static void intel_client_wait_sync(struct gl_context *ctx, struct gl_sync_object
 {
    struct intel_sync_object *sync = (struct intel_sync_object *)s;
 
+   /* DRM_IOCTL_I915_GEM_WAIT uses a signed 64 bit timeout and returns
+    * immediately for timeouts <= 0.  The best we can do is to clamp the
+    * timeout to INT64_MAX.  This limits the maximum timeout from 584 years to
+    * 292 years - likely not a big deal. */
+   if (timeout > INT64_MAX)
+      timeout = INT64_MAX;
+
    if (sync->bo && drm_intel_gem_bo_wait(sync->bo, timeout) == 0) {
       s->StatusFlag = 1;
       drm_intel_bo_unreference(sync->bo);
-- 
2.1.0