Hello Matthew Brost,

The patch dd08ebf6c352: "drm/xe: Introduce a new DRM driver for Intel
GPUs" from Mar 30, 2023 (linux-next), leads to the following Smatch
static checker warning:

	drivers/gpu/drm/xe/xe_bo.c:2246 xe_bo_dumb_create()
	warn: potential integer overflow from user '((args->width * cpp)) + (((64)) - 1)'

drivers/gpu/drm/xe/xe_bo.c
    2234 int xe_bo_dumb_create(struct drm_file *file_priv,
    2235                       struct drm_device *dev,
    2236                       struct drm_mode_create_dumb *args)
    2237 {
    2238         struct xe_device *xe = to_xe_device(dev);
    2239         struct xe_bo *bo;
    2240         uint32_t handle;
    2241         int cpp = DIV_ROUND_UP(args->bpp, 8);
    2242         int err;
    2243         u32 page_size = max_t(u32, PAGE_SIZE,
    2244                 xe->info.vram_flags & XE_VRAM_FLAGS_NEED64K ? SZ_64K : SZ_4K);
    2245 
--> 2246         args->pitch = ALIGN(args->width * cpp, 64);

drm_mode_create_dumb() guarantees that "args->width * cpp" can't
overflow, but if "args->width * cpp" is U32_MAX - 63 or above then the
addition inside ALIGN() can overflow and the result wraps to zero. A zero
pitch also makes the args->size computed on line 2247 zero, regardless of
the requested height. I should have picked INT_MAX as the limit in
drm_mode_create_dumb()...

    2247         args->size = ALIGN(mul_u32_u32(args->pitch, args->height),
    2248                            page_size);
    2249 
    2250         bo = xe_bo_create_user(xe, NULL, NULL, args->size,
    2251                                DRM_XE_GEM_CPU_CACHING_WC,
    2252                                ttm_bo_type_device,
    2253                                XE_BO_CREATE_VRAM_IF_DGFX(xe_device_get_root_tile(xe)) |
    2254                                XE_BO_CREATE_USER_BIT | XE_BO_SCANOUT_BIT |
    2255                                XE_BO_NEEDS_CPU_ACCESS);
    2256         if (IS_ERR(bo))
    2257                 return PTR_ERR(bo);
    2258 
    2259         err = drm_gem_handle_create(file_priv, &bo->ttm.base, &handle);
    2260         /* drop reference from allocate - handle holds it now */
    2261         drm_gem_object_put(&bo->ttm.base);
    2262         if (!err)
    2263                 args->handle = handle;
    2264         return err;
    2265 }

regards,
dan carpenter