Quoting Ville Syrjala (2018-09-11 17:54:57)
> From: Ville Syrjälä <ville.syrjala@xxxxxxxxxxxxxxx>
>
> If we have framebuffers that are >= 4GiB in size we will overflow
> the fb size check in intel_fill_fb_info().
>
> Currently that is only possible with NV12 and CCS as offsets[1]
> may be anything between 0 and 0xffffffff. ofsets[0] is currently
> required to be 0 so we can't hit the overflow with any single
> plane format (thanks to max fb size of 8kx8k and max stride of
> 32 KiB).
>
> In the future we may allow almost any framebuffer to exceed 4GiB
> in size so we really should fix the overflow. Not that the overflow
> is particularly dangerous. It's mostly just a sanity check against
> insane userspace. The display engine can't write to memory anyway
> so I suppose in the worst case we might anger the hw by attempting
> scanout past the end of the ggtt, or we might scan out some data
> that we're not supposed to see from other parts of the ggtt.
>
> Note that triggering this overflow depends on the driver
> aligning the fb height to the next tile boundary to push the
> calculated size above 4GiB. With linear buffers the effective
> tile height is one so that never happens, and the core already
> has a check for 32bit overflow of offsets[]+pitches[]*height.
>
> Testcase: igt/kms_big_fb/x-tiled-addfb-size-offset-overflow
> Testcase: igt/kms_big_fb/y-tiled-addfb-size-offset-overflow
> Signed-off-by: Ville Syrjälä <ville.syrjala@xxxxxxxxxxxxxxx>
> ---
> drivers/gpu/drm/i915/intel_display.c | 7 ++++---
> 1 file changed, 4 insertions(+), 3 deletions(-)
>
> diff --git a/drivers/gpu/drm/i915/intel_display.c b/drivers/gpu/drm/i915/intel_display.c
> index 2b77d9350a3a..2b474d049074 100644
> --- a/drivers/gpu/drm/i915/intel_display.c
> +++ b/drivers/gpu/drm/i915/intel_display.c
> @@ -2636,9 +2636,10 @@ intel_fill_fb_info(struct drm_i915_private *dev_priv,
> max_size = max(max_size, offset + size);
> }
>
> - if (max_size * tile_size > obj->base.size) {
> - DRM_DEBUG_KMS("fb too big for bo (need %u bytes, have %zu bytes)\n",
> - max_size * tile_size, obj->base.size);
> + if (mul_u32_u32(max_size, tile_size) > obj->base.size) {
> + DRM_DEBUG_KMS("fb too big for bo (need %llu bytes, have %zu bytes)\n",
> + (unsigned long long) mul_u32_u32(max_size, tile_size),
mul_u32_u32 returns u64 i.e. unsigned long long; %llu is the one true
format specifier for u64 (Linus decree #103789)
Reviewed-by: Chris Wilson <chris@xxxxxxxxxxxxxxxxxx>
-Chris
_______________________________________________
Intel-gfx mailing list
Intel-gfx@xxxxxxxxxxxxxxxxxxxxx
https://lists.freedesktop.org/mailman/listinfo/intel-gfx
