drm/i915/gvt: Check if "pipe" is valid value.

Submitted by Aleksei Gimbitskii on June 4, 2019, 9:32 a.m.

Details

Message ID 20190604093250.19086-1-aleksei.gimbitskii@intel.com
State New
Headers show
Series "drm/i915/gvt: Check if "pipe" is valid value." ( rev: 1 ) in Intel GVT devel

Not browsing as part of any series.

Commit Message

Aleksei Gimbitskii June 4, 2019, 9:32 a.m.
Static code analyzer reported that array "irq->events" may use index
value bigger than its size. If "pipe" is equal to I915_MAX_PIPES this
problem may arise. To ensure that "pipe" are valid insert additional
check before passing "pipe" to SKL_FLIP_EVENT().

This patch fixed the critial issues #765,#777 reported by klocwork.

Signed-off-by: Aleksei Gimbitskii <aleksei.gimbitskii@intel.com>
Cc: Zhenyu Wang <zhenyuw@linux.intel.com>
Cc: Zhi Wang <zhi.a.wang@intel.com>
Cc: Colin Xu <colin.xu@intel.com>
---
 drivers/gpu/drm/i915/gvt/handlers.c | 21 +++++++++++++++++++--
 1 file changed, 19 insertions(+), 2 deletions(-)

Patch hide | download patch | download mbox

diff --git a/drivers/gpu/drm/i915/gvt/handlers.c b/drivers/gpu/drm/i915/gvt/handlers.c
index 7732caa1a546..5a652ca732c2 100644
--- a/drivers/gpu/drm/i915/gvt/handlers.c
+++ b/drivers/gpu/drm/i915/gvt/handlers.c
@@ -748,12 +748,22 @@  static int south_chicken2_mmio_write(struct intel_vgpu *vgpu,
 #define DSPSURF_TO_PIPE(offset) \
 	calc_index(offset, _DSPASURF, _DSPBSURF, 0, DSPSURF(PIPE_C))
 
+#define valid_pipe(pipe) \
+	(pipe >= PIPE_A && pipe < I915_MAX_PIPES)
+
 static int pri_surf_mmio_write(struct intel_vgpu *vgpu, unsigned int offset,
 		void *p_data, unsigned int bytes)
 {
 	struct drm_i915_private *dev_priv = vgpu->gvt->dev_priv;
 	u32 pipe = DSPSURF_TO_PIPE(offset);
-	int event = SKL_FLIP_EVENT(pipe, PLANE_PRIMARY);
+	int event;
+
+	if (!valid_pipe(pipe)) {
+		WARN_ON(true);
+		return -EINVAL;
+	}
+
+	event = SKL_FLIP_EVENT(pipe, PLANE_PRIMARY);
 
 	write_vreg(vgpu, offset, p_data, bytes);
 	vgpu_vreg_t(vgpu, DSPSURFLIVE(pipe)) = vgpu_vreg(vgpu, offset);
@@ -775,7 +785,14 @@  static int spr_surf_mmio_write(struct intel_vgpu *vgpu, unsigned int offset,
 		void *p_data, unsigned int bytes)
 {
 	u32 pipe = SPRSURF_TO_PIPE(offset);
-	int event = SKL_FLIP_EVENT(pipe, PLANE_SPRITE0);
+	int event;
+
+	if (!valid_pipe(pipe)) {
+		WARN_ON(true);
+		return -EINVAL;
+	}
+
+	event = SKL_FLIP_EVENT(pipe, PLANE_SPRITE0);
 
 	write_vreg(vgpu, offset, p_data, bytes);
 	vgpu_vreg_t(vgpu, SPRSURFLIVE(pipe)) = vgpu_vreg(vgpu, offset);