drm/i915: Large page offsets for pread/pwrite
authorChris Wilson <chris@chris-wilson.co.uk>
Fri, 12 Oct 2018 14:02:28 +0000 (15:02 +0100)
committerChris Wilson <chris@chris-wilson.co.uk>
Mon, 15 Oct 2018 11:52:03 +0000 (12:52 +0100)
Handle integer overflow when computing the sub-page length for shmem
backed pread/pwrite.

Reported-by: Tvrtko Ursulin <tvrtko.ursulin@intel.com>
Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
Cc: Tvrtko Ursulin <tvrtko.ursulin@intel.com>
Cc: stable@vger.kernel.org
Reviewed-by: Tvrtko Ursulin <tvrtko.ursulin@intel.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20181012140228.29783-1-chris@chris-wilson.co.uk
drivers/gpu/drm/i915/i915_gem.c

index 7d45e71100bce7d3cba037dff76d08276da2ee68..93d09282710d5e7c597ff1d3a8b78724a1e0dacb 100644 (file)
@@ -1127,11 +1127,7 @@ i915_gem_shmem_pread(struct drm_i915_gem_object *obj,
        offset = offset_in_page(args->offset);
        for (idx = args->offset >> PAGE_SHIFT; remain; idx++) {
                struct page *page = i915_gem_object_get_page(obj, idx);
-               int length;
-
-               length = remain;
-               if (offset + length > PAGE_SIZE)
-                       length = PAGE_SIZE - offset;
+               unsigned int length = min_t(u64, remain, PAGE_SIZE - offset);
 
                ret = shmem_pread(page, offset, length, user_data,
                                  page_to_phys(page) & obj_do_bit17_swizzling,
@@ -1575,11 +1571,7 @@ i915_gem_shmem_pwrite(struct drm_i915_gem_object *obj,
        offset = offset_in_page(args->offset);
        for (idx = args->offset >> PAGE_SHIFT; remain; idx++) {
                struct page *page = i915_gem_object_get_page(obj, idx);
-               int length;
-
-               length = remain;
-               if (offset + length > PAGE_SIZE)
-                       length = PAGE_SIZE - offset;
+               unsigned int length = min_t(u64, remain, PAGE_SIZE - offset);
 
                ret = shmem_pwrite(page, offset, length, user_data,
                                   page_to_phys(page) & obj_do_bit17_swizzling,