OpenCloudOS-Kernel/drivers/gpu/drm
Chris Wilson d710fc16ff drm/i915: Prevent overflow of execbuf.buffer_count and num_cliprects
We check whether the multiplies will overflow prior to calling
kmalloc_array so that we can respond with -EINVAL for the invalid user
arguments rather than treating it as an -ENOMEM that would otherwise
occur. However, as Dan Carpenter pointed out, we did an addition on the
unsigned int prior to passing to kmalloc_array where it would be
promoted to size_t for the calculation, thereby allowing it to overflow
and underallocate.

v2: buffer_count is currently limited to INT_MAX because we treat it as
signaled variable for LUT_HANDLE in eb_lookup_vma
v3: Move common checks for eb1/eb2 into the same function
v4: Put the check back for nfence*sizeof(user_fence) overflow
v5: access_ok uses ULONG_MAX but kvmalloc_array uses SIZE_MAX
v6: size_t and unsigned long are not type-equivalent on 32b

Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
Cc: Tvrtko Ursulin <tvrtko.ursulin@intel.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20171116105059.25142-1-chris@chris-wilson.co.uk
Reviewed-by: Tvrtko Ursulin <tvrtko.ursulin@intel.com>
2017-11-16 14:17:08 +00:00
..
amd Merge branch 'linus-4.14-rc4-acp-prereq' of git://people.freedesktop.org/~agd5f/linux into drm-next 2017-11-14 05:53:39 +10:00
arc drm/arc: Use drm_gem_fb_create() 2017-09-02 14:23:06 +02:00
arm drm/arm/mali: Use drm_gem_fb_create() 2017-08-27 19:29:46 +02:00
armada drm/armada: Replace drm_framebuffer_reference/unreference() with _get/put() 2017-10-16 15:02:44 -04:00
ast drm: Pass struct drm_file * to __drm_mode_object_find [v2] 2017-10-12 10:03:04 +10:00
atmel-hlcdc drm/atmel-hlcdc: Use drm_gem_fb_create() 2017-08-27 19:30:15 +02:00
bochs drm: Pass struct drm_file * to __drm_mode_object_find [v2] 2017-10-12 10:03:04 +10:00
bridge drm/bridge: adv7511: Fix a use after free 2017-10-18 09:38:43 +05:30
cirrus drm: Pass struct drm_file * to __drm_mode_object_find [v2] 2017-10-12 10:03:04 +10:00
etnaviv drm/etnaviv: short-circuit perfmon ioctls 2017-10-22 18:41:56 +02:00
exynos - Improved HDMI and Mixer drivers 2017-11-14 14:12:43 +10:00
fsl-dcu drm/fsl-dcu: Use drm_gem_fb_create() 2017-10-01 17:00:20 +02:00
gma500 drm/gma500: use ARRAY_SIZE 2017-10-16 11:29:05 +02:00
hisilicon drm/hisilicon: Ensure LDI regs are properly configured. 2017-11-01 10:36:50 +08:00
i2c drm: i2c: tda998x: constify i2c_device_id 2017-08-22 08:33:44 +02:00
i810 drm/pci: Deprecate drm_pci_init/exit completely 2017-06-20 10:41:03 +02:00
i915 drm/i915: Prevent overflow of execbuf.buffer_count and num_cliprects 2017-11-16 14:17:08 +00:00
imx Merge tag 'drm-misc-next-2017-09-20' of git://anongit.freedesktop.org/git/drm-misc into drm-next 2017-09-28 05:46:15 +10:00
lib mm: treewide: remove GFP_TEMPORARY allocation flag 2017-09-13 18:53:16 -07:00
mediatek drm/mediatek: hdmi: clean up drm_bridge_add call 2017-08-21 08:49:24 +05:30
meson drm/meson: Use drm_gem_fb_create() 2017-10-01 17:01:39 +02:00
mga Merge airlied/drm-next into drm-misc-next 2017-07-26 13:43:33 +02:00
mgag200 drm: Pass struct drm_file * to __drm_mode_object_find [v2] 2017-10-12 10:03:04 +10:00
msm Linux 4.14-rc7 2017-11-02 12:40:41 +10:00
mxsfb drm/mxsfb: Use drm_gem_fb_create() and drm_gem_fb_prepare_fb() 2017-10-01 17:02:20 +02:00
nouveau drm/nouveau/bios/timing: mark expected switch fall-throughs 2017-11-03 09:12:10 +10:00
omapdrm omapdrm: omapdss_hdmi_ops: add lost_hotplug op 2017-10-12 10:49:14 +03:00
panel drm/panel: simple: add Toshiba LT089AC19000 2017-10-19 11:48:44 +02:00
pl111 drm/pl111: Add handling of Versatile platforms 2017-09-10 23:58:42 +02:00
qxl qxl: alloc & use shadow for dumb buffers 2017-10-23 08:23:11 +02:00
r128 drm/pci: Deprecate drm_pci_init/exit completely 2017-06-20 10:41:03 +02:00
radeon Merge tag 'drm-amdkfd-next-2017-11-02' of git://people.freedesktop.org/~gabbayo/linux into drm-next 2017-11-03 05:12:24 +10:00
rcar-du drm/rcar-du: Use drm_gem_fb_create() 2017-10-01 17:02:53 +02:00
rockchip Driver Changes: 2017-11-14 05:29:34 +10:00
savage drm/pci: Deprecate drm_pci_init/exit completely 2017-06-20 10:41:03 +02:00
selftests mm: treewide: remove GFP_TEMPORARY allocation flag 2017-09-13 18:53:16 -07:00
shmobile drm/shmobile: Use drm_gem_fb_create() 2017-10-01 17:03:22 +02:00
sis drm/pci: Deprecate drm_pci_init/exit completely 2017-06-20 10:41:03 +02:00
sti drm/sti: Use drm_gem_fb_create() 2017-08-27 19:30:49 +02:00
stm drm/stm: ltdc: remove bridge from driver internal structure 2017-10-10 11:32:48 +02:00
sun4i drm/sun4i: Add support for A20 display pipeline components 2017-10-17 19:49:17 +02:00
tdfx drm/pci: Deprecate drm_pci_init/exit completely 2017-06-20 10:41:03 +02:00
tegra drm/tegra: hdmi: Add cec-notifier support 2017-10-20 14:19:54 +02:00
tilcdc tilcdc changes for v4.15 2017-10-17 10:13:47 +10:00
tinydrm drm/tinydrm: Remove explicit .best_encoder assignment 2017-10-13 17:34:51 +02:00
ttm drm/ttm: Downgrade pr_err to pr_debug for memory allocation failures 2017-11-04 09:48:28 -04:00
tve200 drm/tve200: Use drm_gem_fb_create() and drm_gem_fb_prepare_fb() 2017-10-01 17:04:36 +02:00
udl Merge tag 'drm-misc-next-2017-10-20' of git://anongit.freedesktop.org/drm/drm-misc into drm-next 2017-10-24 16:51:05 +10:00
vc4 drm/vc4: Fix wrong printk format in vc4_bo_stats_debugfs() 2017-11-03 10:15:42 -07:00
vgem drm/vgem: switch to drm_*_get(), drm_*_put() helpers 2017-08-11 11:41:43 -04:00
via drm/via: use ARRAY_SIZE 2017-10-16 11:29:28 +02:00
virtio Merge airlied/drm-next into drm-misc-next 2017-10-03 11:09:16 +02:00
vmwgfx drm: Reorganize drm_pending_event to support future event types [v2] 2017-10-21 07:23:40 +10:00
zte drm/zte: Use drm_gem_fb_create() 2017-08-27 19:31:06 +02:00
Kconfig Merge branch 'drm-next-4.15' of git://people.freedesktop.org/~agd5f/linux into drm-next 2017-09-28 08:37:02 +10:00
Makefile drm: Add drm_object lease infrastructure [v5] 2017-10-25 16:31:29 +10:00
ati_pcigart.c
drm_agpsupport.c drm/agpsupport: Remove extra blank line 2017-09-20 09:54:19 -07:00
drm_atomic.c drm: Reorganize drm_pending_event to support future event types [v2] 2017-10-21 07:23:40 +10:00
drm_atomic_helper.c Merge tag 'drm-misc-next-2017-10-20' of git://anongit.freedesktop.org/drm/drm-misc into drm-next 2017-10-24 16:51:05 +10:00
drm_auth.c drm: Check mode object lease status in all master ioctl paths [v4] 2017-10-25 16:31:30 +10:00
drm_blend.c mm: treewide: remove GFP_TEMPORARY allocation flag 2017-09-13 18:53:16 -07:00
drm_bridge.c drm/bridge: change return type of drm_bridge_add function 2017-08-21 08:51:53 +05:30
drm_bufs.c switch compat_drm_mapbufs() to drm_ioctl_kernel() 2017-07-04 13:16:26 -04:00
drm_cache.c
drm_color_mgmt.c drm: Pass struct drm_file * to __drm_mode_object_find [v2] 2017-10-12 10:03:04 +10:00
drm_connector.c drm: Pass struct drm_file * to __drm_mode_object_find [v2] 2017-10-12 10:03:04 +10:00
drm_context.c
drm_crtc.c drm: Pass struct drm_file * to __drm_mode_object_find [v2] 2017-10-12 10:03:04 +10:00
drm_crtc_helper.c drm: Replace kzalloc with kcalloc 2017-10-13 15:49:03 -04:00
drm_crtc_helper_internal.h drm: Add drm_{crtc/encoder/connector}_mode_valid() 2017-05-30 08:37:24 +02:00
drm_crtc_internal.h drm: Pass struct drm_file * to __drm_mode_object_find [v2] 2017-10-12 10:03:04 +10:00
drm_debugfs.c
drm_debugfs_crc.c drm/atomic: Prepare drm_modeset_lock infrastructure for interruptible waiting, v2. 2017-09-13 09:50:52 +02:00
drm_dma.c
drm_dp_aux_dev.c drm_dp_aux_dev: switch to read_iter/write_iter 2017-07-08 20:51:46 -04:00
drm_dp_dual_mode_helper.c drm: Add retries for lspcon mode detection 2017-10-13 12:13:54 +03:00
drm_dp_helper.c drm/dp: WARN about invalid/unknown link rates and bw codes 2017-10-11 18:41:44 +03:00
drm_dp_mst_topology.c drm/dp/mst: Sideband message transaction to power up/down nodes 2017-09-11 16:03:57 +03:00
drm_drv.c drm: Add new LEASE debug level 2017-10-25 16:31:29 +10:00
drm_dumb_buffers.c drm/dumb-buffers: Add defaults for .dumb_map_offset and .dumb_destroy 2017-07-29 13:51:44 +02:00
drm_edid.c drm: handle override and firmware EDID at drm_do_get_edid() level 2017-09-19 17:49:25 +03:00
drm_edid_load.c drm: add backwards compatibility support for drm_kms_helper.edid_firmware 2017-09-19 18:11:45 +03:00
drm_encoder.c drm: Check mode object lease status in all master ioctl paths [v4] 2017-10-25 16:31:30 +10:00
drm_encoder_slave.c
drm_fb_cma_helper.c drm/fb-cma-helper: Remove unused functions 2017-10-01 17:05:39 +02:00
drm_fb_helper.c drm: Replace kzalloc with kcalloc 2017-10-13 15:49:03 -04:00
drm_file.c drm: Document device unplug infrastructure 2017-08-11 10:48:03 +02:00
drm_flip_work.c
drm_fourcc.c
drm_framebuffer.c drm/mode_object: fix documentation for object lookups. 2017-11-10 13:50:47 +10:00
drm_gem.c drm: fix typo in drm_gem_get_pages() comment 2017-10-04 18:04:28 +02:00
drm_gem_cma_helper.c drm/gem-cma-helper: Change the level of the allocation failure message 2017-10-16 15:19:57 +02:00
drm_gem_framebuffer_helper.c drm/gem-fb-helper: Improve documentation 2017-10-08 15:02:51 +02:00
drm_global.c
drm_hashtab.c
drm_info.c
drm_internal.h drm: Add CRTC_GET_SEQUENCE and CRTC_QUEUE_SEQUENCE ioctls [v3] 2017-10-23 11:15:03 +10:00
drm_ioc32.c Merge airlied/drm-next into drm-misc-next 2017-07-26 13:43:33 +02:00
drm_ioctl.c drm: Add four ioctls for managing drm mode object leases [v7] 2017-10-25 16:31:30 +10:00
drm_irq.c drm/doc: Polish irq helper documentation 2017-06-01 08:02:14 +02:00
drm_kms_helper_common.c drm: add backwards compatibility support for drm_kms_helper.edid_firmware 2017-09-19 18:11:45 +03:00
drm_lease.c drm: Add four ioctls for managing drm mode object leases [v7] 2017-10-25 16:31:30 +10:00
drm_legacy.h switch compat_drm_mapbufs() to drm_ioctl_kernel() 2017-07-04 13:16:26 -04:00
drm_lock.c
drm_memory.c
drm_mipi_dsi.c drm: Convert to using %pOF instead of full_name 2017-07-26 13:45:06 +02:00
drm_mm.c lib/interval_tree: fast overlap detection 2017-09-08 18:26:49 -07:00
drm_mode_config.c drm: Check mode object lease status in all master ioctl paths [v4] 2017-10-25 16:31:30 +10:00
drm_mode_object.c drm/mode_object: fix documentation for object lookups. 2017-11-10 13:50:47 +10:00
drm_modes.c drm/modes: Fix drm_mode_is_420_only() comment 2017-07-31 14:23:30 +02:00
drm_modeset_helper.c drm: Plumb modifiers through plane init 2017-08-01 17:50:06 +01:00
drm_modeset_lock.c drm: Require __GFP_NOFAIL for the legacy drm_modeset_lock_all 2017-10-31 17:36:46 +01:00
drm_of.c drm/drm_of: Move drm_of_panel_bridge_remove_function into header. 2017-10-13 16:59:36 +02:00
drm_panel.c
drm_pci.c drm/core: clean up references to drm_dev_unref() 2017-09-27 10:53:12 +02:00
drm_plane.c drm: Check mode object lease status in all master ioctl paths [v4] 2017-10-25 16:31:30 +10:00
drm_plane_helper.c drm: Replace kzalloc with kcalloc 2017-10-13 15:49:03 -04:00
drm_prime.c drm/core: clean up references to drm_dev_unref() 2017-09-27 10:53:12 +02:00
drm_print.c
drm_probe_helper.c drm: Pass struct drm_file * to __drm_mode_object_find [v2] 2017-10-12 10:03:04 +10:00
drm_property.c drm: Pass struct drm_file * to __drm_mode_object_find [v2] 2017-10-12 10:03:04 +10:00
drm_rect.c drm: Add DRM_MODE_ROTATE_ and DRM_MODE_REFLECT_ to UAPI 2017-05-22 09:49:48 +02:00
drm_scatter.c
drm_scdc_helper.c Merge tag 'drm-misc-next-2017-09-20' of git://anongit.freedesktop.org/git/drm-misc into drm-next 2017-09-28 05:46:15 +10:00
drm_simple_kms_helper.c drm: Plumb modifiers through plane init 2017-08-01 17:50:06 +01:00
drm_syncobj.c Merge tag 'drm-misc-next-2017-10-16' of git://anongit.freedesktop.org/drm/drm-misc into drm-next 2017-10-17 10:10:17 +10:00
drm_sysfs.c
drm_trace.h drm: Use correct path to trace include 2017-09-05 11:11:18 +02:00
drm_trace_points.c
drm_vblank.c drm/vblank: Tune drm_crtc_accurate_vblank_count() WARN down to a debug 2017-11-07 21:07:02 +02:00
drm_vm.c Merge branch 'x86-mm-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2017-09-04 12:21:28 -07:00
drm_vma_manager.c lib/interval_tree: fast overlap detection 2017-09-08 18:26:49 -07:00