To: Sean Paul, dri-devel@lists.freedesktop.org
From: Chris Wilson
Subject: Re: [PATCH] dma-buf/sw_sync: Fix timeline/pt overflow cases
Date: Wed, 28 Jun 2017 17:00:20 +0100
Cc: marcheu@chromium.org, linux-media@vger.kernel.org

Quoting Sean Paul (2017-06-28 16:51:11)
> Protect against long-running processes from overflowing the timeline
> and creating fences that go back in time. While we're at it, avoid
> overflowing while we're incrementing the timeline.
>
> Signed-off-by: Sean Paul
> --- > drivers/dma-buf/sw_sync.c | 7 ++++++- > 1 file changed, 6 insertions(+), 1 deletion(-) > > diff --git a/drivers/dma-buf/sw_sync.c b/drivers/dma-buf/sw_sync.c > index 69c5ff36e2f9..40934619ed88 100644 > --- a/drivers/dma-buf/sw_sync.c > +++ b/drivers/dma-buf/sw_sync.c > @@ -142,7 +142,7 @@ static void sync_timeline_signal(struct sync_timeline *obj, unsigned int inc) > > spin_lock_irqsave(&obj->child_list_lock, flags); > > - obj->value += inc; > + obj->value += min(inc, ~0x0U - obj->value);

The timeline uses u32 seqno, so just
	obj->value += min(inc, INT_MAX);

Better of course would be to report the error,

> list_for_each_entry_safe(pt, next, &obj->active_list_head, > active_list) {
> @@ -178,6 +178,11 @@ static struct sync_pt *sync_pt_create(struct sync_timeline *obj, int size, > return NULL; > > spin_lock_irqsave(&obj->child_list_lock, flags); > + if (value < obj->value) { > + spin_unlock_irqrestore(&obj->child_list_lock, flags); > + return NULL; > + }

Needs a u32 check.

if ((int)(value - obj->value) < 0)
	return some_error;
-Chris

diff --git a/drivers/dma-buf/sw_sync.c b/drivers/dma-buf/sw_sync.c index 69c5ff36e2f9..2503cf884018 100644 --- a/drivers/dma-buf/sw_sync.c +++ b/drivers/dma-buf/sw_sync.c @@ -345,6 +345,9 @@ static long sw_sync_ioctl_inc(struct sync_timeline *obj, unsigned long arg) if (copy_from_user(&value, (void __user *)arg, sizeof(value))) return -EFAULT; + if (value > INT_MAX) + return -EINVAL; + sync_timeline_signal(obj, value);
>
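
Review bot: in the sync_timeline_signal() hunk, `obj->value += min(inc, ~0x0U - obj->value)` truncates the increment silently. The function is `static void`, so the caller gets no indication that fewer steps were applied than requested, and once obj->value reaches ~0x0U every later call adds 0. Reject an oversized inc before this point and return an error to the caller, and add a comment stating whether the counter is meant to saturate or to wrap.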
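
Review bot: in the sync_pt_create() hunk, `if (value < obj->value)` is a plain unsigned comparison, so if the counter is a wrapping u32 seqno, as the reply states, a point requested just past the wrap is rejected as being in the past. Compare the sign of the 32-bit difference instead. The new early return also yields NULL, the same result as the existing `return NULL` above the lock, so the caller cannot tell a rejected value from that earlier failure; return a distinguishable error, and make sure anything allocated before the lock is taken is released on this path.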
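
Review bot: in the sw_sync_ioctl_inc() hunk, the new `if (value > INT_MAX)` bound carries no comment saying why INT_MAX is the limit, and it changes what the ioctl accepts, since a value that was previously passed to sync_timeline_signal() now returns -EINVAL. Add a short comment tying the limit to the signed-difference comparison of seqnos and state the new error return in the patch description. The check bounds a single call only; repeated calls still move obj->value across the u32 wrap, so it is sufficient only if every comparison site handles wraparound.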
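
The comparison discussed in this thread, as an added user-space C example that is not code from the patch or the kernel: it contrasts the plain unsigned check with the signed-difference check across a u32 wrap, and shows why a single increment has to stay within INT_MAX. `toy_timeline`, `toy_inc`, the helper names and the sample values are constructed for illustration.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for the timeline: only its u32 counter. */
struct toy_timeline { uint32_t value; };

/* Plain unsigned comparison, as in the quoted sync_pt_create() hunk. */
static bool naive_is_behind(uint32_t value, uint32_t cur)
{
	return value < cur;
}

/* Sign of the 32-bit difference, as suggested in the reply. The cast relies
 * on two's-complement conversion, which GCC and Clang guarantee. */
static bool wrap_is_behind(uint32_t value, uint32_t cur)
{
	return (int32_t)(value - cur) < 0;
}

/* A point counts as signaled once the counter is at or past it. */
static bool wrap_is_signaled(uint32_t value, uint32_t cur)
{
	return (int32_t)(cur - value) >= 0;
}

/* Increment bounded as in the reply's hunk; -1 stands in for -EINVAL. */
static int toy_inc(struct toy_timeline *t, uint32_t inc)
{
	if (inc > INT_MAX)
		return -1;
	t->value += inc;	/* unsigned wraparound is well defined */
	return 0;
}

int main(void)
{
	struct toy_timeline t = { .value = 0xFFFFFFF0u };	/* constructed */
	uint32_t pt = 0x00000010u;	/* 0x20 steps ahead, across the wrap */
	printf("naive behind=%d wrap behind=%d\n",
	       naive_is_behind(pt, t.value), wrap_is_behind(pt, t.value));
	toy_inc(&t, 0x20);
	printf("after inc: value=%#x signaled=%d\n",
	       (unsigned)t.value, wrap_is_signaled(pt, t.value));
	/* An unbounded jump of 0x80000001 past a point makes it look pending. */
	printf("big jump: signaled=%d\n", wrap_is_signaled(1, 0x80000001u));
	return 0;
}
```

The last line of output is the failure the INT_MAX bound prevents: a counter that jumps more than half the u32 range past a point makes that point appear unsignaled again.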