| Message ID | 20220813010857.4043956-1-gwan-gyeong.mun@intel.com (mailing list archive) |
|---|---|
| Headers | show |
| Series | Fixes integer overflow or integer truncation issues in page lookups, ttm place configuration and scatterlist creation | expand |
On 8/15/22 5:03 PM, Jani Nikula wrote: > On Sat, 13 Aug 2022, Gwan-gyeong Mun <gwan-gyeong.mun@intel.com> wrote: >> There is an impedance mismatch between the first/last valid page >> frame number of ttm place in unsigned and our memory/page accounting in >> unsigned long. >> As the object size is under the control of userspace, we have to be prudent >> and catch the conversion errors. >> To catch the implicit truncation as we switch from unsigned long to >> unsigned, we use overflows_type check and report E2BIG or overflow_type >> prior to the operation. >> >> v3: Not to change execution inside a macro. (Mauro) >> Add safe_conversion_gem_bug_on() macro and remove temporal >> SAFE_CONVERSION() macro. >> v4: Fix unhandled GEM_BUG_ON() macro call from safe_conversion_gem_bug_on() >> v6: Fix to follow general use case for GEM_BUG_ON(). (Jani) >> >> Signed-off-by: Gwan-gyeong Mun <gwan-gyeong.mun@intel.com> >> Cc: Chris Wilson <chris@chris-wilson.co.uk> >> Cc: Matthew Auld <matthew.auld@intel.com> >> Cc: Thomas Hellström <thomas.hellstrom@linux.intel.com> >> Cc: Jani Nikula <jani.nikula@intel.com> >> Reviewed-by: Nirmoy Das <nirmoy.das@intel.com> (v2) >> Reviewed-by: Mauro Carvalho Chehab <mchehab@kernel.org> (v3) >> Reported-by: kernel test robot <lkp@intel.com> >> Reviewed-by: Andrzej Hajda <andrzej.hajda@intel.com> (v5) >> --- >> drivers/gpu/drm/i915/gem/i915_gem_ttm.c | 6 +++--- >> drivers/gpu/drm/i915/intel_region_ttm.c | 22 +++++++++++++++++++--- >> 2 files changed, 22 insertions(+), 6 deletions(-) >> >> diff --git a/drivers/gpu/drm/i915/gem/i915_gem_ttm.c b/drivers/gpu/drm/i915/gem/i915_gem_ttm.c >> index 9f2be1892b6c..30f488712abe 100644 >> --- a/drivers/gpu/drm/i915/gem/i915_gem_ttm.c >> +++ b/drivers/gpu/drm/i915/gem/i915_gem_ttm.c >> @@ -140,14 +140,14 @@ i915_ttm_place_from_region(const struct intel_memory_region *mr, >> if (flags & I915_BO_ALLOC_CONTIGUOUS) >> place->flags |= TTM_PL_FLAG_CONTIGUOUS; >> if (offset != I915_BO_INVALID_OFFSET) { >> - place->fpfn = offset >> PAGE_SHIFT; >> - place->lpfn = place->fpfn + (size >> PAGE_SHIFT); >> + GEM_BUG_ON(!safe_conversion(&place->fpfn, offset >> PAGE_SHIFT)); >> + GEM_BUG_ON(!safe_conversion(&place->lpfn, place->fpfn + (size >> PAGE_SHIFT))); > > This would be the natural thing to do with BUG_ON/WARN_ON. And I'd like > it if we could use it like this. But, as I tried to say, GEM_BUG_ON is > nothing like BUG_ON/WARN_ON, and no code is generated for > CONFIG_DRM_I915_DEBUG_GEM=n. And our CI will never catch it because it > always has CONFIG_DRM_I915_DEBUG_GEM=y. > Hi Jani, Thanks for the detailed explanation of what the build option CONFIG_DRM_I915_DEBUG_GEM doesn't cover. Using the WARN_ON() macro, I modified with the way in your comments on v5 version and sent the v7 patch again. Many thanks, G.G > BR, > Jani. > > >> } else if (mr->io_size && mr->io_size < mr->total) { >> if (flags & I915_BO_ALLOC_GPU_ONLY) { >> place->flags |= TTM_PL_FLAG_TOPDOWN; >> } else { >> place->fpfn = 0; >> - place->lpfn = mr->io_size >> PAGE_SHIFT; >> + GEM_BUG_ON(!safe_conversion(&place->lpfn, mr->io_size >> PAGE_SHIFT)); >> } >> } >> } >> diff --git a/drivers/gpu/drm/i915/intel_region_ttm.c b/drivers/gpu/drm/i915/intel_region_ttm.c >> index 575d67bc6ffe..c480b0b50bcc 100644 >> --- a/drivers/gpu/drm/i915/intel_region_ttm.c >> +++ b/drivers/gpu/drm/i915/intel_region_ttm.c >> @@ -209,14 +209,28 @@ intel_region_ttm_resource_alloc(struct intel_memory_region *mem, >> if (flags & I915_BO_ALLOC_CONTIGUOUS) >> place.flags |= TTM_PL_FLAG_CONTIGUOUS; >> if (offset != I915_BO_INVALID_OFFSET) { >> - place.fpfn = offset >> PAGE_SHIFT; >> - place.lpfn = place.fpfn + (size >> PAGE_SHIFT); >> + if (!safe_conversion(&place.fpfn, offset >> PAGE_SHIFT)) { >> + GEM_BUG_ON(!safe_conversion(&place.fpfn,offset >> PAGE_SHIFT)); >> + ret = -E2BIG; >> + goto out; >> + } >> + if (!safe_conversion(&place.lpfn, place.fpfn + (size >> PAGE_SHIFT))) { >> + GEM_BUG_ON(!safe_conversion(&place.lpfn, >> + place.fpfn + (size >> PAGE_SHIFT))); >> + ret = -E2BIG; >> + goto out; >> + } >> } else if (mem->io_size && mem->io_size < mem->total) { >> if (flags & I915_BO_ALLOC_GPU_ONLY) { >> place.flags |= TTM_PL_FLAG_TOPDOWN; >> } else { >> place.fpfn = 0; >> - place.lpfn = mem->io_size >> PAGE_SHIFT; >> + if (!safe_conversion(&place.lpfn, mem->io_size >> PAGE_SHIFT)) { >> + GEM_BUG_ON(!safe_conversion(&place.lpfn, >> + mem->io_size >> PAGE_SHIFT)); >> + ret = -E2BIG; >> + goto out; >> + } >> } >> } >> >> @@ -224,6 +238,8 @@ intel_region_ttm_resource_alloc(struct intel_memory_region *mem, >> mock_bo.bdev = &mem->i915->bdev; >> >> ret = man->func->alloc(man, &mock_bo, &place, &res); >> + >> +out: >> if (ret == -ENOSPC) >> ret = -ENXIO; >> if (!ret) >
This patch series fixes integer overflow or integer truncation issues in page lookups, ttm place configuration and scatterlist creation, etc. We need to check that we avoid integer overflows when looking up a page, and so fix all the instances where we have mistakenly used a plain integer instead of a more suitable long. And there is an impedance mismatch between the scatterlist API using unsigned int and our memory/page accounting in unsigned long. That is we may try to create a scatterlist for a large object that overflows returning a small table into which we try to fit very many pages. As the object size is under the control of userspace, we have to be prudent and catch the conversion errors. To catch the implicit truncation as we switch from unsigned long into the scatterlist's unsigned int, we use our overflows_type check and report E2BIG prior to the operation. This is already used in our create ioctls to indicate if the uABI request is simply too large for the backing store. And ttm place also has the same problem with scatterlist creation, and we fix the integer truncation problem with the way approached by scatterlist creation. And It corrects the error code to return -E2BIG when creating gem objects using ttm or shmem, if the size is too large in each case. In order to provide a common macro, it moves and adds a few utility macros into overflow/util_macros header v6: Move macro addition location so that it can be used by other than drm subsystem (Jani, Mauro, Andi) Fix to follow general use case for GEM_BUG_ON(). (Jani) v5: Fix an alignment to match open parenthesis Fix macros to be enclosed in parentheses for complex values Fix too long line warning v4: Fix build warnins that reported by kernel test robot. (kernel test robot <lkp@intel.com>) Add kernel-doc markups to the kAPI functions and macros (Mauoro) v3: Modify overflows_type() macro to consider signed data types and add is_type_unsigned() macro (Mauro) Make not use the same macro name on a function. (Mauro) For kernel-doc, macros and functions are handled in the same namespace, the same macro name on a function prevents ever adding documentation for it. Not to change execution inside a macro. (Mauro) Fix the problem that safe_conversion() macro always returns true (G.G) Add safe_conversion_gem_bug_on() macro and remove temporal SAFE_CONVERSION() macro. (G.G.) Chris Wilson (3): drm/i915/gem: Typecheck page lookups drm/i915: Check for integer truncation on scatterlist creation drm/i915: Remove truncation warning for large objects Gwan-gyeong Mun (5): overflow: Move and add few utility macros into overflow util_macros: Add exact_type macro to catch type mis-match while compiling drm/i915: Check for integer truncation on the configuration of ttm place drm/i915: Check if the size is too big while creating shmem file drm/i915: Use error code as -E2BIG when the size of gem ttm object is too large drivers/gpu/drm/i915/gem/i915_gem_internal.c | 6 +- drivers/gpu/drm/i915/gem/i915_gem_object.c | 7 +- drivers/gpu/drm/i915/gem/i915_gem_object.h | 303 +++++++++++++++--- drivers/gpu/drm/i915/gem/i915_gem_pages.c | 27 +- drivers/gpu/drm/i915/gem/i915_gem_phys.c | 4 + drivers/gpu/drm/i915/gem/i915_gem_shmem.c | 19 +- drivers/gpu/drm/i915/gem/i915_gem_ttm.c | 23 +- drivers/gpu/drm/i915/gem/i915_gem_userptr.c | 5 +- .../drm/i915/gem/selftests/i915_gem_context.c | 12 +- .../drm/i915/gem/selftests/i915_gem_mman.c | 8 +- .../drm/i915/gem/selftests/i915_gem_object.c | 8 +- drivers/gpu/drm/i915/gvt/dmabuf.c | 9 +- drivers/gpu/drm/i915/i915_gem.c | 18 +- drivers/gpu/drm/i915/i915_scatterlist.h | 11 + drivers/gpu/drm/i915/i915_utils.h | 6 +- drivers/gpu/drm/i915/i915_vma.c | 8 +- drivers/gpu/drm/i915/intel_region_ttm.c | 22 +- include/linux/overflow.h | 54 ++++ include/linux/util_macros.h | 25 ++ 19 files changed, 482 insertions(+), 93 deletions(-)