Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit c8725226 authored by Chris Wilson's avatar Chris Wilson
Browse files

drm/i915: Protect against drm_gem_object not being the first member 



Dave Airlie spotted that we had a potential bug should we ever rearrange
the drm_i915_gem_object so not the base drm_gem_object was not its first
member. He noticed that we often convert the return of
drm_gem_object_lookup() immediately into drm_i915_gem_object and then
check the result for nullity. This is only valid when the base object is
the first member and so the superobject has the same address. Play safe
instead and use the compiler to convert back to the original return
address for sanity testing.

Signed-off-by: default avatarChris Wilson <chris@chris-wilson.co.uk>
parent 548f245b

drivers/gpu/drm/i915/i915_gem.c

+9 −9
Original line number Diff line number Diff line
@@ -506,7 +506,7 @@ i915_gem_pread_ioctl(struct drm_device *dev, void *data, 
		return ret;



	obj = to_intel_bo(drm_gem_object_lookup(dev, file, args->handle));

	if (obj == NULL) {

	if (&obj->base == NULL) {

		ret = -ENOENT;

		goto unlock;

	}
@@ -949,7 +949,7 @@ i915_gem_pwrite_ioctl(struct drm_device *dev, void *data, 
		return ret;



	obj = to_intel_bo(drm_gem_object_lookup(dev, file, args->handle));

	if (obj == NULL) {

	if (&obj->base == NULL) {

		ret = -ENOENT;

		goto unlock;

	}
@@ -1045,7 +1045,7 @@ i915_gem_set_domain_ioctl(struct drm_device *dev, void *data, 
		return ret;



	obj = to_intel_bo(drm_gem_object_lookup(dev, file, args->handle));

	if (obj == NULL) {

	if (&obj->base == NULL) {

		ret = -ENOENT;

		goto unlock;

	}
@@ -1088,7 +1088,7 @@ i915_gem_sw_finish_ioctl(struct drm_device *dev, void *data, 
		return ret;



	obj = to_intel_bo(drm_gem_object_lookup(dev, file, args->handle));

	if (obj == NULL) {

	if (&obj->base == NULL) {

		ret = -ENOENT;

		goto unlock;

	}
@@ -1463,7 +1463,7 @@ i915_gem_mmap_gtt_ioctl(struct drm_device *dev, void *data, 
		return ret;



	obj = to_intel_bo(drm_gem_object_lookup(dev, file, args->handle));

	if (obj == NULL) {

	if (&obj->base == NULL) {

		ret = -ENOENT;

		goto unlock;

	}
@@ -3331,7 +3331,7 @@ i915_gem_pin_ioctl(struct drm_device *dev, void *data, 
		return ret;



	obj = to_intel_bo(drm_gem_object_lookup(dev, file, args->handle));

	if (obj == NULL) {

	if (&obj->base == NULL) {

		ret = -ENOENT;

		goto unlock;

	}
@@ -3382,7 +3382,7 @@ i915_gem_unpin_ioctl(struct drm_device *dev, void *data, 
		return ret;



	obj = to_intel_bo(drm_gem_object_lookup(dev, file, args->handle));

	if (obj == NULL) {

	if (&obj->base == NULL) {

		ret = -ENOENT;

		goto unlock;

	}
@@ -3419,7 +3419,7 @@ i915_gem_busy_ioctl(struct drm_device *dev, void *data, 
		return ret;



	obj = to_intel_bo(drm_gem_object_lookup(dev, file, args->handle));

	if (obj == NULL) {

	if (&obj->base == NULL) {

		ret = -ENOENT;

		goto unlock;

	}
@@ -3497,7 +3497,7 @@ i915_gem_madvise_ioctl(struct drm_device *dev, void *data, 
		return ret;



	obj = to_intel_bo(drm_gem_object_lookup(dev, file_priv, args->handle));

	if (obj == NULL) {

	if (&obj->base == NULL) {

		ret = -ENOENT;

		goto unlock;

	}

drivers/gpu/drm/i915/i915_gem_execbuffer.c

+2 −2
Original line number Diff line number Diff line
@@ -677,7 +677,7 @@ i915_gem_execbuffer_relocate_slow(struct drm_device *dev, 
	for (i = 0; i < count; i++) {

		obj = to_intel_bo(drm_gem_object_lookup(dev, file,

							exec[i].handle));

		if (obj == NULL) {

		if (&obj->base == NULL) {

			DRM_ERROR("Invalid object handle %d at index %d\n",

				   exec[i].handle, i);

			ret = -ENOENT;
@@ -1087,7 +1087,7 @@ i915_gem_do_execbuffer(struct drm_device *dev, void *data, 


		obj = to_intel_bo(drm_gem_object_lookup(dev, file,

							exec[i].handle));

		if (obj == NULL) {

		if (&obj->base == NULL) {

			DRM_ERROR("Invalid object handle %d at index %d\n",

				   exec[i].handle, i);

			/* prevent error path from reading uninitialized data */

drivers/gpu/drm/i915/i915_gem_tiling.c

+2 −2
Original line number Diff line number Diff line
@@ -286,7 +286,7 @@ i915_gem_set_tiling(struct drm_device *dev, void *data, 
	struct drm_i915_gem_object *obj;



	obj = to_intel_bo(drm_gem_object_lookup(dev, file, args->handle));

	if (obj == NULL)

	if (&obj->base == NULL)

		return -ENOENT;



	if (!i915_tiling_ok(dev,
@@ -366,7 +366,7 @@ i915_gem_get_tiling(struct drm_device *dev, void *data, 
	struct drm_i915_gem_object *obj;



	obj = to_intel_bo(drm_gem_object_lookup(dev, file, args->handle));

	if (obj == NULL)

	if (&obj->base == NULL)

		return -ENOENT;



	mutex_lock(&dev->struct_mutex);

drivers/gpu/drm/i915/intel_display.c

+2 −2
Original line number Diff line number Diff line
@@ -5324,7 +5324,7 @@ static int intel_crtc_cursor_set(struct drm_crtc *crtc, 
	}



	obj = to_intel_bo(drm_gem_object_lookup(dev, file, handle));

	if (!obj)

	if (&obj->base == NULL)

		return -ENOENT;



	if (obj->base.size < width * height * 4) {
@@ -6563,7 +6563,7 @@ intel_user_framebuffer_create(struct drm_device *dev, 
	int ret;



	obj = to_intel_bo(drm_gem_object_lookup(dev, filp, mode_cmd->handle));

	if (!obj)

	if (&obj->base == NULL)

		return ERR_PTR(-ENOENT);



	intel_fb = kzalloc(sizeof(*intel_fb), GFP_KERNEL);

drivers/gpu/drm/i915/intel_overlay.c

+1 −1
Original line number Diff line number Diff line
@@ -1156,7 +1156,7 @@ int intel_overlay_put_image(struct drm_device *dev, void *data, 


	new_bo = to_intel_bo(drm_gem_object_lookup(dev, file_priv,

						   put_image_rec->bo_handle));

	if (!new_bo) {

	if (&new_bo->base == NULL) {

		ret = -ENOENT;

		goto out_free;

	}