Quoting Tvrtko Ursulin (2019-03-11 09:23:44) > > On 08/03/2019 16:47, Chris Wilson wrote: > > Quoting Tvrtko Ursulin (2019-03-08 16:27:22) > >> > >> On 08/03/2019 14:12, Chris Wilson wrote: > >>> +static int > >>> +set_engines(struct i915_gem_context *ctx, > >>> + const struct drm_i915_gem_context_param *args) > >>> +{ > >>> + struct i915_context_param_engines __user *user; > >>> + struct set_engines set = { .ctx = ctx }; > >>> + u64 size, extensions; > >>> + unsigned int n; > >>> + int err; > >>> + > >>> + user = u64_to_user_ptr(args->value); > >>> + size = args->size; > >>> + if (!size) > >>> + goto out; > >> > >> This prevents a hypothetical extension with empty map data. > > > > No... This is required for resetting and I think that's covered in what > > little docs there are. It's the set.nengine==0 test later > > that you mean to object to. But we can't do that as that's how we > > differentiate between modes at the moment. > > > > We could use ctx->nengine = 0 and ctx->engines = ZERO_PTR. > > size == sizeof(struct i915_context_param_engines) could mean reset - > meaning no map array provided. Nah, size=sizeof() => 0 [], size=0 => default map. > Meaning one could reset the map and still pass in extensions. I missed that you were pointing out we didn't follow the extensions on resetting. I'm not sure if that makes sense tbh. The extensions are written around the concept of applying to the new engines[], and if the use has explicitly removed the engines[] (distinct from defining a zero array), what extensions can apply? One hopes they end up -EINVAL. As they should -EINVAL, I guess it is no harm done to apply them. > >>> + BUILD_BUG_ON(!IS_ALIGNED(sizeof(*user), sizeof(*user->class_instance))); > >>> + if (size < sizeof(*user) || size % sizeof(*user->class_instance)) > >> > >> IS_ALIGNED for the second condition for consistency with the BUILD_BUG_ON? > >> > >>> + return -EINVAL; > >>> + > >>> + set.nengine = (size - sizeof(*user)) / sizeof(*user->class_instance); > >>> + if (set.nengine == 0 || set.nengine > I915_EXEC_RING_MASK + 1) > >> > >> I would prefer we drop the size restriction since it doesn't apply to > >> the engine map per se. > > > > u64 is a limit that will be non-trivial to lift. Marking the limits of > > the kernel doesn't restrict it being lifted later. > > My thinking is that u64 limit applies to the load balancing extension, > and the 64 engine limit applies to execbuf. Engine map itself is not > limited. But I guess it is a theoretical/pointless discussion at this point. I know what you mean, I'm just looking at that we use u64 around the uAPI for masks, and u8/unsigned long internally. So even going beyond BITS_PER_LONG is problematic. I'm in two minds. Yes, the limit doesn't apply to engines[] itself, but for practical reasons there is a limit, and until we can remove those, lifting the restriction here is immaterial :| > >>> +static int > >>> +get_engines(struct i915_gem_context *ctx, > >>> + struct drm_i915_gem_context_param *args) > >>> +{ > >>> + struct i915_context_param_engines *local; > >>> + unsigned int n, count, size; > >>> + int err = 0; > >>> + > >>> +restart: > >>> + count = READ_ONCE(ctx->nengine); > >>> + if (count > (INT_MAX - sizeof(*local)) / sizeof(*local->class_instance)) > >>> + return -ENOMEM; /* unrepresentable! */ > >> > >> Probably overly paranoid since we can't end up with this state set. > > > > And I thought you wanted many engines! Paranoia around kmalloc/user > > oveflows is always useful, because you know someone will send a patch > > later (and smatch doesn't really care as it only checks the limits of > > types and local constraints). > > Put a comment on what it is checking then. Why INT_MAX and not U32_MAX btw? Vague memories about what gets checked for overflow in drm_malloc_large. Nowadays, the in-trend is check_mul_overflow() with size_t. -Chris _______________________________________________ Intel-gfx mailing list Intel-gfx@xxxxxxxxxxxxxxxxxxxxx https://lists.freedesktop.org/mailman/listinfo/intel-gfx