drm/i915: properly sanity check batch_start_offset
authorMatthew Auld <matthew.auld@intel.com>
Fri, 6 Mar 2020 09:47:35 +0000 (09:47 +0000)
committerChris Wilson <chris@chris-wilson.co.uk>
Fri, 6 Mar 2020 13:15:49 +0000 (13:15 +0000)
Check the edge case where batch_start_offset sits exactly on the batch
size.

v2: add new range_overflows variant to capture the special case where
the size is permitted to be zero, like with batch_len.

v3: other way around. The common case is the exclusive one, which should
just be >=; with that we then just need to convert the three oddball
cases that don't apply to use the new inclusive _end version.

Testcase: igt/gem_exec_params/invalid-batch-start-offset
Fixes: 0b5372727be3 ("drm/i915/cmdparser: Use cached vmappings")
Signed-off-by: Matthew Auld <matthew.auld@intel.com>
Cc: Mika Kuoppala <mika.kuoppala@linux.intel.com>
Cc: Chris Wilson <chris@chris-wilson.co.uk>
Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
Link: https://patchwork.freedesktop.org/patch/msgid/20200306094735.258285-1-matthew.auld@intel.com
drivers/gpu/drm/i915/display/intel_fbc.c
drivers/gpu/drm/i915/gt/intel_rc6.c
drivers/gpu/drm/i915/i915_utils.h

index 6cfe143..2d982c3 100644 (file)
@@ -509,12 +509,12 @@ static int intel_fbc_alloc_cfb(struct drm_i915_private *dev_priv,
 
                fbc->compressed_llb = compressed_llb;
 
-               GEM_BUG_ON(range_overflows_t(u64, dev_priv->dsm.start,
-                                            fbc->compressed_fb.start,
-                                            U32_MAX));
-               GEM_BUG_ON(range_overflows_t(u64, dev_priv->dsm.start,
-                                            fbc->compressed_llb->start,
-                                            U32_MAX));
+               GEM_BUG_ON(range_overflows_end_t(u64, dev_priv->dsm.start,
+                                                fbc->compressed_fb.start,
+                                                U32_MAX));
+               GEM_BUG_ON(range_overflows_end_t(u64, dev_priv->dsm.start,
+                                                fbc->compressed_llb->start,
+                                                U32_MAX));
                intel_de_write(dev_priv, FBC_CFB_BASE,
                               dev_priv->dsm.start + fbc->compressed_fb.start);
                intel_de_write(dev_priv, FBC_LL_BASE,
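Review bot: The two converted assertions give no hint why they need the inclusive `range_overflows_end_t`. Their arguments are a base (`dev_priv->dsm.start`), an offset and `U32_MAX` rather than a start/size pair, so what they assert is that the sum written to FBC_CFB_BASE and FBC_LL_BASE fits in 32 bits. A comment above them such as `/* base + offset must fit the 32-bit register */` would make that explicit, and the same comment fits the converted assertion in vlv_rc6_init in intel_rc6.c. GEM_BUG_ON is a debug-build assertion as far as I know, so a production build would write a truncated address rather than fail if the sum ever exceeded 32 bits; whether that is reachable cannot be told from this hunk. intel_fbc_alloc_cfb starts and ends outside the hunk.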
index 0392d2c..66c07c3 100644 (file)
@@ -320,10 +320,10 @@ static int vlv_rc6_init(struct intel_rc6 *rc6)
                return PTR_ERR(pctx);
        }
 
-       GEM_BUG_ON(range_overflows_t(u64,
-                                    i915->dsm.start,
-                                    pctx->stolen->start,
-                                    U32_MAX));
+       GEM_BUG_ON(range_overflows_end_t(u64,
+                                        i915->dsm.start,
+                                        pctx->stolen->start,
+                                        U32_MAX));
        pctx_paddr = i915->dsm.start + pctx->stolen->start;
        intel_uncore_write(uncore, VLV_PCBR, pctx_paddr);
 
index 024a9e2..26f3a4a 100644 (file)
@@ -102,12 +102,24 @@ bool i915_error_injected(void);
        typeof(max) max__ = (max); \
        (void)(&start__ == &size__); \
        (void)(&start__ == &max__); \
-       start__ > max__ || size__ > max__ - start__; \
+       start__ >= max__ || size__ > max__ - start__; \
 })
 
 #define range_overflows_t(type, start, size, max) \
        range_overflows((type)(start), (type)(size), (type)(max))
 
+#define range_overflows_end(start, size, max) ({ \
+       typeof(start) start__ = (start); \
+       typeof(size) size__ = (size); \
+       typeof(max) max__ = (max); \
+       (void)(&start__ == &size__); \
+       (void)(&start__ == &max__); \
+       start__ > max__ || size__ > max__ - start__; \
+})
+
+#define range_overflows_end_t(type, start, size, max) \
+       range_overflows_end((type)(start), (type)(size), (type)(max))
+
 /* Note we don't consider signbits :| */
 #define overflows_type(x, T) \
        (sizeof(x) > sizeof(T) && (x) >> BITS_PER_TYPE(T))
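Review bot: Nothing in this header tells a caller which of `range_overflows` and `range_overflows_end` to use, and their bodies differ only in `>=` versus `>` on the first comparison, so the off-by-one this commit fixes is easy to reintroduce by picking the wrong one. I would add a comment above `range_overflows`, e.g. `/* true unless start < max and start + size <= max; start == max always overflows, even for size 0 */`. Above `range_overflows_end` I would add `/* as range_overflows(), but start == max is accepted when size is 0 */`. The opening lines of `range_overflows` are outside the hunk.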