]> www.infradead.org Git - users/griffoul/linux.git/commitdiff
projects / users / griffoul / linux.git / commitdiff
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: a04ac82)
drm/i915/gem: Support parsing of oversize batches
authorChris Wilson <chris@chris-wilson.co.uk>
Thu, 15 Oct 2020 11:59:54 +0000 (12:59 +0100)
committerChris Wilson <chris@chris-wilson.co.uk>
Thu, 15 Oct 2020 18:27:05 +0000 (19:27 +0100)
Matthew Auld noted that on more recent systems (such as the parser for
gen9) we may have objects that are larger than expected by the GEM uAPI
(i.e. greater than u32). These objects would have incorrect implicit
batch lengths, causing the parser to reject them for being incomplete,
or worse.

Based on a patch by Matthew Auld.

Reported-by: Matthew Auld <matthew.auld@intel.com>
Fixes: 435e8fc059db ("drm/i915: Allow parsing of unsized batches")
Testcase: igt/gem_exec_params/larger-than-life-batch
Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
Cc: Matthew Auld <matthew.auld@intel.com>
Cc: Mika Kuoppala <mika.kuoppala@linux.intel.com>
Cc: Jon Bloomfield <jon.bloomfield@intel.com>
Reviewed-by: Matthew Auld <matthew.auld@intel.com>
Cc: stable@vger.kernel.org
Link: https://patchwork.freedesktop.org/patch/msgid/20201015115954.871-1-chris@chris-wilson.co.uk
drivers/gpu/drm/i915/gem/i915_gem_execbuffer.c patch | blob | history

diff --git a/drivers/gpu/drm/i915/gem/i915_gem_execbuffer.c b/drivers/gpu/drm/i915/gem/i915_gem_execbuffer.c
index b7c4cacc36388be15e5ba0923da390357bb501fc..6bd6fc9886941adda3d4b045943275dd8d0c36a7 100644 (file)
--- a/drivers/gpu/drm/i915/gem/i915_gem_execbuffer.c
+++ b/drivers/gpu/drm/i915/gem/i915_gem_execbuffer.c
@@ -287,8 +287,8 @@ struct i915_execbuffer {
        u64 invalid_flags; /** Set of execobj.flags that are invalid */
        u32 context_flags; /** Set of execobj.flags to insert from the ctx */
 
+       u64 batch_len; /** Length of batch within object */
        u32 batch_start_offset; /** Location within object of batch */
-       u32 batch_len; /** Length of batch within object */
        u32 batch_flags; /** Flags composed for emit_bb_start() */
        struct intel_gt_buffer_pool_node *batch_pool; /** pool node for batch buffer */
 
@@ -871,6 +871,10 @@ static int eb_lookup_vmas(struct i915_execbuffer *eb)
 
        if (eb->batch_len == 0)
                eb->batch_len = eb->batch->vma->size - eb->batch_start_offset;
+       if (unlikely(eb->batch_len == 0)) { /* impossible! */
+               drm_dbg(&i915->drm, "Invalid batch length\n");
+               return -EINVAL;
+       }
 
        return 0;
 
@@ -2424,7 +2428,7 @@ static int eb_parse(struct i915_execbuffer *eb)
        struct drm_i915_private *i915 = eb->i915;
        struct intel_gt_buffer_pool_node *pool = eb->batch_pool;
        struct i915_vma *shadow, *trampoline, *batch;
-       unsigned int len;
+       unsigned long len;
        int err;
 
        if (!eb_use_cmdparser(eb)) {
@@ -2449,6 +2453,8 @@ static int eb_parse(struct i915_execbuffer *eb)
        } else {
                len += I915_CMD_PARSER_TRAMPOLINE_SIZE;
        }
+       if (unlikely(len < eb->batch_len)) /* last paranoid check of overflow */
+               return -EINVAL;
 
        if (!pool) {
                pool = intel_gt_get_buffer_pool(eb->engine->gt, len);
Unnamed repository; edit this file 'description' to name the repository.