Commit 520f8350 authored by Matthew Auld's avatar Matthew Auld Committed by Chris Wilson

drm/i915: properly sanity check batch_start_offset

Check the edge case where batch_start_offset sits exactly on the batch
size.

v2: add new range_overflows variant to capture the special case where
the size is permitted to be zero, like with batch_len.

v3: other way around. the common case is the exclusive one which should
just be >=, with that we then just need to convert the three odd ball
cases that don't apply to use the new inclusive _end version.

Testcase: igt/gem_exec_params/invalid-batch-start-offset
Fixes: 0b537272 ("drm/i915/cmdparser: Use cached vmappings")
Signed-off-by: default avatarMatthew Auld <matthew.auld@intel.com>
Cc: Mika Kuoppala <mika.kuoppala@linux.intel.com>
Cc: Chris Wilson <chris@chris-wilson.co.uk>
Signed-off-by: default avatarChris Wilson <chris@chris-wilson.co.uk>
Link: https://patchwork.freedesktop.org/patch/msgid/20200306094735.258285-1-matthew.auld@intel.com
parent ef398881
...@@ -509,12 +509,12 @@ static int intel_fbc_alloc_cfb(struct drm_i915_private *dev_priv, ...@@ -509,12 +509,12 @@ static int intel_fbc_alloc_cfb(struct drm_i915_private *dev_priv,
fbc->compressed_llb = compressed_llb; fbc->compressed_llb = compressed_llb;
GEM_BUG_ON(range_overflows_t(u64, dev_priv->dsm.start, GEM_BUG_ON(range_overflows_end_t(u64, dev_priv->dsm.start,
fbc->compressed_fb.start, fbc->compressed_fb.start,
U32_MAX)); U32_MAX));
GEM_BUG_ON(range_overflows_t(u64, dev_priv->dsm.start, GEM_BUG_ON(range_overflows_end_t(u64, dev_priv->dsm.start,
fbc->compressed_llb->start, fbc->compressed_llb->start,
U32_MAX)); U32_MAX));
intel_de_write(dev_priv, FBC_CFB_BASE, intel_de_write(dev_priv, FBC_CFB_BASE,
dev_priv->dsm.start + fbc->compressed_fb.start); dev_priv->dsm.start + fbc->compressed_fb.start);
intel_de_write(dev_priv, FBC_LL_BASE, intel_de_write(dev_priv, FBC_LL_BASE,
......
...@@ -320,10 +320,10 @@ static int vlv_rc6_init(struct intel_rc6 *rc6) ...@@ -320,10 +320,10 @@ static int vlv_rc6_init(struct intel_rc6 *rc6)
return PTR_ERR(pctx); return PTR_ERR(pctx);
} }
GEM_BUG_ON(range_overflows_t(u64, GEM_BUG_ON(range_overflows_end_t(u64,
i915->dsm.start, i915->dsm.start,
pctx->stolen->start, pctx->stolen->start,
U32_MAX)); U32_MAX));
pctx_paddr = i915->dsm.start + pctx->stolen->start; pctx_paddr = i915->dsm.start + pctx->stolen->start;
intel_uncore_write(uncore, VLV_PCBR, pctx_paddr); intel_uncore_write(uncore, VLV_PCBR, pctx_paddr);
......
...@@ -102,12 +102,24 @@ bool i915_error_injected(void); ...@@ -102,12 +102,24 @@ bool i915_error_injected(void);
typeof(max) max__ = (max); \ typeof(max) max__ = (max); \
(void)(&start__ == &size__); \ (void)(&start__ == &size__); \
(void)(&start__ == &max__); \ (void)(&start__ == &max__); \
start__ > max__ || size__ > max__ - start__; \ start__ >= max__ || size__ > max__ - start__; \
}) })
#define range_overflows_t(type, start, size, max) \ #define range_overflows_t(type, start, size, max) \
range_overflows((type)(start), (type)(size), (type)(max)) range_overflows((type)(start), (type)(size), (type)(max))
#define range_overflows_end(start, size, max) ({ \
typeof(start) start__ = (start); \
typeof(size) size__ = (size); \
typeof(max) max__ = (max); \
(void)(&start__ == &size__); \
(void)(&start__ == &max__); \
start__ > max__ || size__ > max__ - start__; \
})
#define range_overflows_end_t(type, start, size, max) \
range_overflows_end((type)(start), (type)(size), (type)(max))
/* Note we don't consider signbits :| */ /* Note we don't consider signbits :| */
#define overflows_type(x, T) \ #define overflows_type(x, T) \
(sizeof(x) > sizeof(T) && (x) >> BITS_PER_TYPE(T)) (sizeof(x) > sizeof(T) && (x) >> BITS_PER_TYPE(T))
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment