drm/i915: Make sure fb gtt offsets stay within 32bits

Let's try to make sure the fb offset computations never hit an integer overflow by making sure the entire fb stays below 32bits. framebuffer_check() in the core already does the same check, but as it doesn't know about tiling some things can slip through. Repeat the check in the driver with tiling taken into account. v2: Use add_overflows() after massaging it to work for me (Chris) v3: Call it add_overflow_t() to match min_t() & co. (Chris) Cc: Chris Wilson <chris@chris-wilson.co.uk> Signed-off-by: Ville Syrjälä <ville.syrjala@linux.intel.com> Link: https://patchwork.freedesktop.org/patch/msgid/20181023160201.9840-1-ville.syrjala@linux.intel.comReviewed-by: Chris Wilson <chris@chris-wilson.co.uk>

drm/i915: Make sure fb gtt offsets stay within 32bits
Let's try to make sure the fb offset computations never hit an integer overflow by making sure the entire fb stays below 32bits. framebuffer_check() in the core already does the same check, but as it doesn't know about tiling some things can slip through. Repeat the check in the driver with tiling taken into account. v2: Use add_overflows() after massaging it to work for me (Chris) v3: Call it add_overflow_t() to match min_t() & co. (Chris) Cc: Chris Wilson <chris@chris-wilson.co.uk> Signed-off-by: Ville Syrjälä <ville.syrjala@linux.intel.com> Link: https://patchwork.freedesktop.org/patch/msgid/20181023160201.9840-1-ville.syrjala@linux.intel.comReviewed-by: Chris Wilson <chris@chris-wilson.co.uk>
70bbe53c · Ville Syrjälä · 1fdee758 · 70bbe53c · 70bbe53c
Commit 70bbe53c authored Oct 23, 2018 by Ville Syrjälä
Hide whitespace changes
Inline Side-by-side

Showing with 24 additions and 5 deletions

drivers/gpu/drm/i915/i915_utils.h drivers/gpu/drm/i915/i915_utils.h +7 -4

drivers/gpu/drm/i915/intel_display.c drivers/gpu/drm/i915/intel_display.c +17 -1

No files found.
--- a/drivers/gpu/drm/i915/i915_utils.h
+++ b/drivers/gpu/drm/i915/i915_utils.h
@@ -44,16 +44,19 @@
 			     __stringify(x), (long)(x))
 #if defined(GCC_VERSION) && GCC_VERSION >= 70000
-#define add_overflows(A, B) \
+#define add_overflows_t(T, A, B) \
-	__builtin_add_overflow_p((A), (B), (typeof((A) + (B)))0)
+	__builtin_add_overflow_p((A), (B), (T)0)
 #else
-#define add_overflows(A, B) ({ \
+#define add_overflows_t(T, A, B) ({ \
 	typeof(A) a = (A); \
 	typeof(B) b = (B); \
-	a + b < a; \
+	(T)(a + b) < a; \
 })
 #endif
+#define add_overflows(A, B) \
+	add_overflows_t(typeof((A) + (B)), (A), (B))
 #define range_overflows(start, size, max) ({ \
 	typeof(start) start__ = (start); \
 	typeof(size) size__ = (size); \

--- a/drivers/gpu/drm/i915/intel_display.c
+++ b/drivers/gpu/drm/i915/intel_display.c
@@ -2341,10 +2341,26 @@ static int intel_fb_offset_to_xy(int *x, int *y,
 				 int color_plane)
 {
 	struct drm_i915_private *dev_priv = to_i915(fb->dev);
+	unsigned int height;
 	if (fb->modifier != DRM_FORMAT_MOD_LINEAR &&
-	    fb->offsets[color_plane] % intel_tile_size(dev_priv))
+	    fb->offsets[color_plane] % intel_tile_size(dev_priv)) {
+		DRM_DEBUG_KMS("Misaligned offset 0x%08x for color plane %d\n",
+			      fb->offsets[color_plane], color_plane);
 		return -EINVAL;
+	}
+	height = drm_framebuffer_plane_height(fb->height, fb, color_plane);
+	height = ALIGN(height, intel_tile_height(fb, color_plane));
+	/* Catch potential overflows early */
+	if (add_overflows_t(u32, mul_u32_u32(height, fb->pitches[color_plane]),
+			    fb->offsets[color_plane])) {
+		DRM_DEBUG_KMS("Bad offset 0x%08x or pitch %d for color plane %d\n",
+			      fb->offsets[color_plane], fb->pitches[color_plane],
+			      color_plane);
+		return -ERANGE;
+	}
 	*x = 0;
 	*y = 0;