From patchwork Fri Apr 3 21:27:46 2015
X-Patchwork-Submitter: Matt Roper
X-Patchwork-Id: 6160301
From: Matt Roper
To: dri-devel@lists.freedesktop.org
Subject: [PATCH] drm: Add integer overflow checking to transitional plane helpers
Date: Fri, 3 Apr 2015 14:27:46 -0700
Message-Id: <1428096466-27622-1-git-send-email-matthew.d.roper@intel.com>
Cc: intel-gfx@lists.freedesktop.org

Add tests for destination rectangle integer overflow before calling the
driver's check function. This will ensure that the transitional plane
helpers match the behavior of the full atomic helpers by always
returning -ERANGE for planes positioned beyond INT_MAX.

Note that the legacy SetPlane ioctl itself also includes similar tests
for integer overflow, so the only case where this check really matters
is when legacy cursor operations get routed through the universal plane
interface internally.

This issue was first noticed with i915 commit:

    commit ff42e093e9c9c17a6e1d6aab24875a36795f926e
    Author: Daniel Vetter
    Date:   Mon Mar 2 16:35:20 2015 +0100

        Revert "drm/i915: Switch planes from transitional helpers to full atomic helpers"

The above revert switched us from full atomic helpers back to the
transitional helpers, and in doing so we lost the overflow checking
here for universal cursor updates. Even though such extreme cursor
positions are unlikely to actually happen in the wild, we still don't
want there to be a change of behavior when drivers switch from
transitional helpers to full helpers.

Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=84269 Signed-off-by: Matt Roper --- drivers/gpu/drm/drm_plane_helper.c | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/drivers/gpu/drm/drm_plane_helper.c b/drivers/gpu/drm/drm_plane_helper.c index 33807e0..1e9e105 100644 --- a/drivers/gpu/drm/drm_plane_helper.c +++ b/drivers/gpu/drm/drm_plane_helper.c @@ -417,6 +417,20 @@ int drm_plane_helper_commit(struct drm_plane *plane, for (i = 0; i < 2; i++) crtc_funcs[i] = crtc[i] ? crtc[i]->helper_private : NULL; + /* + * Give drivers some help against integer overflows (and match the + * behavior of the full atomic helpers). + */ + if (plane_state->crtc_w > INT_MAX || + plane_state->crtc_x > INT_MAX - (int32_t) plane_state->crtc_w || + plane_state->crtc_h > INT_MAX || + plane_state->crtc_y > INT_MAX - (int32_t) plane_state->crtc_h) { + DRM_DEBUG_ATOMIC("Invalid CRTC coordinates %ux%u+%d+%d\n", + plane_state->crtc_w, plane_state->crtc_h, + plane_state->crtc_x, plane_state->crtc_y); + return -ERANGE; + } + if (plane_funcs->atomic_check) { ret = plane_funcs->atomic_check(plane, plane_state); if (ret)
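Review bot: The `return -ERANGE;` added ahead of the `atomic_check` call in drm_plane_helper_commit() leaves the function directly, whereas the trailing context handles the atomic_check result through `if (ret)`, whose body is cut off here. If that path unwinds through a common exit (for example to release plane_state), the overflow branch should set `ret = -ERANGE` and take the same exit so both failure cases clean up identically. Separately, the `(int32_t)` casts of crtc_w and crtc_h are only safe because the `> INT_MAX` tests come first in the `||` chain; a short comment noting that the order matters would keep a later reshuffle from reintroducing the overflow.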