From patchwork Fri Dec 16 19:25:35 2016
X-Patchwork-Submitter: Chris Wilson
X-Patchwork-Id: 9478369
From: Chris Wilson
To: dri-devel@lists.freedesktop.org
Cc: intel-gfx@lists.freedesktop.org
Subject: [PATCH v3 23/38] drm: Detect overflow in drm_mm_reserve_node()
Date: Fri, 16 Dec 2016 19:25:35 +0000
Message-Id: <20161216192550.8352-24-chris@chris-wilson.co.uk>
In-Reply-To: <20161216192550.8352-1-chris@chris-wilson.co.uk>
References: <20161216192550.8352-1-chris@chris-wilson.co.uk>

Protect ourselves from a caller passing in node.start + node.size that will overflow and trick us into reserving that node.

Signed-off-by: Chris Wilson
Reviewed-by: Joonas Lahtinen
--- drivers/gpu/drm/drm_mm.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/drivers/gpu/drm/drm_mm.c b/drivers/gpu/drm/drm_mm.c index 767cfd05c628..370cb8ee91c9 100644 --- a/drivers/gpu/drm/drm_mm.c +++ b/drivers/gpu/drm/drm_mm.c @@ -308,10 +308,9 @@ int drm_mm_reserve_node(struct drm_mm *mm, struct drm_mm_node *node) u64 hole_start, hole_end; u64 adj_start, adj_end; - if (WARN_ON(node->size == 0)) - return -EINVAL; - end = node->start + node->size; + if (unlikely(end <= node->start)) + return -ENOSPC; /* Find the relevant hole to add our node to */ hole = drm_mm_interval_tree_iter_first(&mm->interval_tree,
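Review bot: The new `end <= node->start` test in drm_mm_reserve_node() folds the zero-size case into the overflow case, so a caller passing node->size == 0 now gets a silent -ENOSPC where it previously got WARN_ON plus -EINVAL, and the commit message only mentions overflow. Since start and size are both u64, any wrap of start + size yields end < start, so the `<` half is the overflow guard and the `=` half is purely the size == 0 case; a one-line comment above the check saying so would stop a later cleanup from "simplifying" it to `<` and reintroducing zero-sized nodes. If the zero-size case is still considered a caller bug rather than a normal out-of-space result, consider keeping a distinct -EINVAL (or the WARN_ON) for it, and either way note the changed return value in the commit message so callers that distinguish -EINVAL from -ENOSPC can be audited.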