drm/i915: Protect against drm_gem_object not being the first member

Dave Airlie spotted that we had a potential bug should we ever rearrange the drm_i915_gem_object so not the base drm_gem_object was not its first member. He noticed that we often convert the return of drm_gem_object_lookup() immediately into drm_i915_gem_object and then check the result for nullity. This is only valid when the base object is the first member and so the superobject has the same address. Play safe instead and use the compiler to convert back to the original return address for sanity testing. Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
author: Chris Wilson <chris@chris-wilson.co.uk> 2011-02-19 06:31:06 -0500
committer: Chris Wilson <chris@chris-wilson.co.uk> 2011-02-22 10:55:57 -0500
commit: c87252266352c5201e2925740018f52578fa92bb (patch)
tree: 3fb6490ce2fb1c62d536bb256a727c07abef45e4
parent: 548f245ba6a318ef93f4d79bcc15cfe59a86f0d5 (diff)
5 files changed, 16 insertions, 16 deletions
diff --git a/drivers/gpu/drm/i915/i915_gem.c b/drivers/gpu/drm/i915/i915_gem.c
index a8768e2bbebc..f5094bb82d32 100644
--- a/drivers/gpu/drm/i915/i915_gem.c
+++ b/drivers/gpu/drm/i915/i915_gem.c
@@ -506,7 +506,7 @@ i915_gem_pread_ioctl(struct drm_device *dev, void *data,
                return ret;
        obj = to_intel_bo(drm_gem_object_lookup(dev, file, args->handle));
-        if (obj == NULL) {
+        if (&obj->base == NULL) {
                ret = -ENOENT;
                goto unlock;
        }
@@ -949,7 +949,7 @@ i915_gem_pwrite_ioctl(struct drm_device *dev, void *data,
                return ret;
        obj = to_intel_bo(drm_gem_object_lookup(dev, file, args->handle));
-        if (obj == NULL) {
+        if (&obj->base == NULL) {
                ret = -ENOENT;
                goto unlock;
        }
@@ -1045,7 +1045,7 @@ i915_gem_set_domain_ioctl(struct drm_device *dev, void *data,
                return ret;
        obj = to_intel_bo(drm_gem_object_lookup(dev, file, args->handle));
-        if (obj == NULL) {
+        if (&obj->base == NULL) {
                ret = -ENOENT;
                goto unlock;
        }
@@ -1088,7 +1088,7 @@ i915_gem_sw_finish_ioctl(struct drm_device *dev, void *data,
                return ret;
        obj = to_intel_bo(drm_gem_object_lookup(dev, file, args->handle));
-        if (obj == NULL) {
+        if (&obj->base == NULL) {
                ret = -ENOENT;
                goto unlock;
        }
@@ -1463,7 +1463,7 @@ i915_gem_mmap_gtt_ioctl(struct drm_device *dev, void *data,
                return ret;
        obj = to_intel_bo(drm_gem_object_lookup(dev, file, args->handle));
-        if (obj == NULL) {
+        if (&obj->base == NULL) {
                ret = -ENOENT;
                goto unlock;
        }
@@ -3331,7 +3331,7 @@ i915_gem_pin_ioctl(struct drm_device *dev, void *data,
                return ret;
        obj = to_intel_bo(drm_gem_object_lookup(dev, file, args->handle));
-        if (obj == NULL) {
+        if (&obj->base == NULL) {
                ret = -ENOENT;
                goto unlock;
        }
@@ -3382,7 +3382,7 @@ i915_gem_unpin_ioctl(struct drm_device *dev, void *data,
                return ret;
        obj = to_intel_bo(drm_gem_object_lookup(dev, file, args->handle));
-        if (obj == NULL) {
+        if (&obj->base == NULL) {
                ret = -ENOENT;
                goto unlock;
        }
@@ -3419,7 +3419,7 @@ i915_gem_busy_ioctl(struct drm_device *dev, void *data,
                return ret;
        obj = to_intel_bo(drm_gem_object_lookup(dev, file, args->handle));
-        if (obj == NULL) {
+        if (&obj->base == NULL) {
                ret = -ENOENT;
                goto unlock;
        }
@@ -3497,7 +3497,7 @@ i915_gem_madvise_ioctl(struct drm_device *dev, void *data,
                return ret;
        obj = to_intel_bo(drm_gem_object_lookup(dev, file_priv, args->handle));
-        if (obj == NULL) {
+        if (&obj->base == NULL) {
                ret = -ENOENT;
                goto unlock;
        }
diff --git a/drivers/gpu/drm/i915/i915_gem_execbuffer.c b/drivers/gpu/drm/i915/i915_gem_execbuffer.c
index 84fa24e6cca8..a72e7b2cb048 100644
--- a/drivers/gpu/drm/i915/i915_gem_execbuffer.c
+++ b/drivers/gpu/drm/i915/i915_gem_execbuffer.c
@@ -677,7 +677,7 @@ i915_gem_execbuffer_relocate_slow(struct drm_device *dev,
        for (i = 0; i < count; i++) {
                obj = to_intel_bo(drm_gem_object_lookup(dev, file,
                                                        exec[i].handle));
-                if (obj == NULL) {
+                if (&obj->base == NULL) {
                        DRM_ERROR("Invalid object handle %d at index %d\n",
                                   exec[i].handle, i);
                        ret = -ENOENT;
@@ -1087,7 +1087,7 @@ i915_gem_do_execbuffer(struct drm_device *dev, void *data,
                obj = to_intel_bo(drm_gem_object_lookup(dev, file,
                                                        exec[i].handle));
-                if (obj == NULL) {
+                if (&obj->base == NULL) {
                        DRM_ERROR("Invalid object handle %d at index %d\n",
                                   exec[i].handle, i);
                        /* prevent error path from reading uninitialized data */
diff --git a/drivers/gpu/drm/i915/i915_gem_tiling.c b/drivers/gpu/drm/i915/i915_gem_tiling.c
index a093d67b94e2..0a8969392829 100644
--- a/drivers/gpu/drm/i915/i915_gem_tiling.c
+++ b/drivers/gpu/drm/i915/i915_gem_tiling.c
@@ -286,7 +286,7 @@ i915_gem_set_tiling(struct drm_device *dev, void *data,
        struct drm_i915_gem_object *obj;
        obj = to_intel_bo(drm_gem_object_lookup(dev, file, args->handle));
-        if (obj == NULL)
+        if (&obj->base == NULL)
                return -ENOENT;
        if (!i915_tiling_ok(dev,
@@ -366,7 +366,7 @@ i915_gem_get_tiling(struct drm_device *dev, void *data,
        struct drm_i915_gem_object *obj;
        obj = to_intel_bo(drm_gem_object_lookup(dev, file, args->handle));
-        if (obj == NULL)
+        if (&obj->base == NULL)
                return -ENOENT;
        mutex_lock(&dev->struct_mutex);
diff --git a/drivers/gpu/drm/i915/intel_display.c b/drivers/gpu/drm/i915/intel_display.c
index 1a15438512f1..40fcbc91139c 100644
--- a/drivers/gpu/drm/i915/intel_display.c
+++ b/drivers/gpu/drm/i915/intel_display.c
@@ -5324,7 +5324,7 @@ static int intel_crtc_cursor_set(struct drm_crtc *crtc,
        }
        obj = to_intel_bo(drm_gem_object_lookup(dev, file, handle));
-        if (!obj)
+        if (&obj->base == NULL)
                return -ENOENT;
        if (obj->base.size < width * height * 4) {
@@ -6563,7 +6563,7 @@ intel_user_framebuffer_create(struct drm_device *dev,
        int ret;
        obj = to_intel_bo(drm_gem_object_lookup(dev, filp, mode_cmd->handle));
-        if (!obj)
+        if (&obj->base == NULL)
                return ERR_PTR(-ENOENT);
        intel_fb = kzalloc(sizeof(*intel_fb), GFP_KERNEL);
diff --git a/drivers/gpu/drm/i915/intel_overlay.c b/drivers/gpu/drm/i915/intel_overlay.c
index 29fb2174eaaa..50bc865139aa 100644
--- a/drivers/gpu/drm/i915/intel_overlay.c
+++ b/drivers/gpu/drm/i915/intel_overlay.c
@@ -1156,7 +1156,7 @@ int intel_overlay_put_image(struct drm_device *dev, void *data,
        new_bo = to_intel_bo(drm_gem_object_lookup(dev, file_priv,
                                                   put_image_rec->bo_handle));
-        if (!new_bo) {
+        if (&new_bo->base == NULL) {
                ret = -ENOENT;
                goto out_free;
        }
author	Chris Wilson <chris@chris-wilson.co.uk>	2011-02-19 06:31:06 -0500
committer	Chris Wilson <chris@chris-wilson.co.uk>	2011-02-22 10:55:57 -0500
commit	c87252266352c5201e2925740018f52578fa92bb (patch)
tree	3fb6490ce2fb1c62d536bb256a727c07abef45e4
parent	548f245ba6a318ef93f4d79bcc15cfe59a86f0d5 (diff)

diff --git a/drivers/gpu/drm/i915/i915_gem.c b/drivers/gpu/drm/i915/i915_gem.c index a8768e2bbebc..f5094bb82d32 100644 --- a/drivers/gpu/drm/i915/i915_gem.c +++ b/drivers/gpu/drm/i915/i915_gem.c
@@ -506,7 +506,7 @@ i915_gem_pread_ioctl(struct drm_device dev, void data,
506	return ret;	506	return ret;
507		507
508	obj = to_intel_bo(drm_gem_object_lookup(dev, file, args->handle));	508	obj = to_intel_bo(drm_gem_object_lookup(dev, file, args->handle));
509	if (obj == NULL) {	509	if (&obj->base == NULL) {
510	ret = -ENOENT;	510	ret = -ENOENT;
511	goto unlock;	511	goto unlock;
512	}	512	}
@@ -949,7 +949,7 @@ i915_gem_pwrite_ioctl(struct drm_device dev, void data,
949	return ret;	949	return ret;
950		950
951	obj = to_intel_bo(drm_gem_object_lookup(dev, file, args->handle));	951	obj = to_intel_bo(drm_gem_object_lookup(dev, file, args->handle));
952	if (obj == NULL) {	952	if (&obj->base == NULL) {
953	ret = -ENOENT;	953	ret = -ENOENT;
954	goto unlock;	954	goto unlock;
955	}	955	}
@@ -1045,7 +1045,7 @@ i915_gem_set_domain_ioctl(struct drm_device dev, void data,
1045	return ret;	1045	return ret;
1046		1046
1047	obj = to_intel_bo(drm_gem_object_lookup(dev, file, args->handle));	1047	obj = to_intel_bo(drm_gem_object_lookup(dev, file, args->handle));
1048	if (obj == NULL) {	1048	if (&obj->base == NULL) {
1049	ret = -ENOENT;	1049	ret = -ENOENT;
1050	goto unlock;	1050	goto unlock;
1051	}	1051	}
@@ -1088,7 +1088,7 @@ i915_gem_sw_finish_ioctl(struct drm_device dev, void data,
1088	return ret;	1088	return ret;
1089		1089
1090	obj = to_intel_bo(drm_gem_object_lookup(dev, file, args->handle));	1090	obj = to_intel_bo(drm_gem_object_lookup(dev, file, args->handle));
1091	if (obj == NULL) {	1091	if (&obj->base == NULL) {
1092	ret = -ENOENT;	1092	ret = -ENOENT;
1093	goto unlock;	1093	goto unlock;
1094	}	1094	}
@@ -1463,7 +1463,7 @@ i915_gem_mmap_gtt_ioctl(struct drm_device dev, void data,
1463	return ret;	1463	return ret;
1464		1464
1465	obj = to_intel_bo(drm_gem_object_lookup(dev, file, args->handle));	1465	obj = to_intel_bo(drm_gem_object_lookup(dev, file, args->handle));
1466	if (obj == NULL) {	1466	if (&obj->base == NULL) {
1467	ret = -ENOENT;	1467	ret = -ENOENT;
1468	goto unlock;	1468	goto unlock;
1469	}	1469	}
@@ -3331,7 +3331,7 @@ i915_gem_pin_ioctl(struct drm_device dev, void data,
3331	return ret;	3331	return ret;
3332		3332
3333	obj = to_intel_bo(drm_gem_object_lookup(dev, file, args->handle));	3333	obj = to_intel_bo(drm_gem_object_lookup(dev, file, args->handle));
3334	if (obj == NULL) {	3334	if (&obj->base == NULL) {
3335	ret = -ENOENT;	3335	ret = -ENOENT;
3336	goto unlock;	3336	goto unlock;
3337	}	3337	}
@@ -3382,7 +3382,7 @@ i915_gem_unpin_ioctl(struct drm_device dev, void data,
3382	return ret;	3382	return ret;
3383		3383
3384	obj = to_intel_bo(drm_gem_object_lookup(dev, file, args->handle));	3384	obj = to_intel_bo(drm_gem_object_lookup(dev, file, args->handle));
3385	if (obj == NULL) {	3385	if (&obj->base == NULL) {
3386	ret = -ENOENT;	3386	ret = -ENOENT;
3387	goto unlock;	3387	goto unlock;
3388	}	3388	}
@@ -3419,7 +3419,7 @@ i915_gem_busy_ioctl(struct drm_device dev, void data,
3419	return ret;	3419	return ret;
3420		3420
3421	obj = to_intel_bo(drm_gem_object_lookup(dev, file, args->handle));	3421	obj = to_intel_bo(drm_gem_object_lookup(dev, file, args->handle));
3422	if (obj == NULL) {	3422	if (&obj->base == NULL) {
3423	ret = -ENOENT;	3423	ret = -ENOENT;
3424	goto unlock;	3424	goto unlock;
3425	}	3425	}
@@ -3497,7 +3497,7 @@ i915_gem_madvise_ioctl(struct drm_device dev, void data,
3497	return ret;	3497	return ret;
3498		3498
3499	obj = to_intel_bo(drm_gem_object_lookup(dev, file_priv, args->handle));	3499	obj = to_intel_bo(drm_gem_object_lookup(dev, file_priv, args->handle));
3500	if (obj == NULL) {	3500	if (&obj->base == NULL) {
3501	ret = -ENOENT;	3501	ret = -ENOENT;
3502	goto unlock;	3502	goto unlock;
3503	}	3503	}


diff --git a/drivers/gpu/drm/i915/i915_gem_execbuffer.c b/drivers/gpu/drm/i915/i915_gem_execbuffer.c index 84fa24e6cca8..a72e7b2cb048 100644 --- a/drivers/gpu/drm/i915/i915_gem_execbuffer.c +++ b/drivers/gpu/drm/i915/i915_gem_execbuffer.c
@@ -677,7 +677,7 @@ i915_gem_execbuffer_relocate_slow(struct drm_device *dev,
677	for (i = 0; i < count; i++) {	677	for (i = 0; i < count; i++) {
678	obj = to_intel_bo(drm_gem_object_lookup(dev, file,	678	obj = to_intel_bo(drm_gem_object_lookup(dev, file,
679	exec[i].handle));	679	exec[i].handle));
680	if (obj == NULL) {	680	if (&obj->base == NULL) {
681	DRM_ERROR("Invalid object handle %d at index %d\n",	681	DRM_ERROR("Invalid object handle %d at index %d\n",
682	exec[i].handle, i);	682	exec[i].handle, i);
683	ret = -ENOENT;	683	ret = -ENOENT;
@@ -1087,7 +1087,7 @@ i915_gem_do_execbuffer(struct drm_device dev, void data,
1087		1087
1088	obj = to_intel_bo(drm_gem_object_lookup(dev, file,	1088	obj = to_intel_bo(drm_gem_object_lookup(dev, file,
1089	exec[i].handle));	1089	exec[i].handle));
1090	if (obj == NULL) {	1090	if (&obj->base == NULL) {
1091	DRM_ERROR("Invalid object handle %d at index %d\n",	1091	DRM_ERROR("Invalid object handle %d at index %d\n",
1092	exec[i].handle, i);	1092	exec[i].handle, i);
1093	/* prevent error path from reading uninitialized data */	1093	/* prevent error path from reading uninitialized data */


diff --git a/drivers/gpu/drm/i915/i915_gem_tiling.c b/drivers/gpu/drm/i915/i915_gem_tiling.c index a093d67b94e2..0a8969392829 100644 --- a/drivers/gpu/drm/i915/i915_gem_tiling.c +++ b/drivers/gpu/drm/i915/i915_gem_tiling.c
@@ -286,7 +286,7 @@ i915_gem_set_tiling(struct drm_device dev, void data,
286	struct drm_i915_gem_object *obj;	286	struct drm_i915_gem_object *obj;
287		287
288	obj = to_intel_bo(drm_gem_object_lookup(dev, file, args->handle));	288	obj = to_intel_bo(drm_gem_object_lookup(dev, file, args->handle));
289	if (obj == NULL)	289	if (&obj->base == NULL)
290	return -ENOENT;	290	return -ENOENT;
291		291
292	if (!i915_tiling_ok(dev,	292	if (!i915_tiling_ok(dev,
@@ -366,7 +366,7 @@ i915_gem_get_tiling(struct drm_device dev, void data,
366	struct drm_i915_gem_object *obj;	366	struct drm_i915_gem_object *obj;
367		367
368	obj = to_intel_bo(drm_gem_object_lookup(dev, file, args->handle));	368	obj = to_intel_bo(drm_gem_object_lookup(dev, file, args->handle));
369	if (obj == NULL)	369	if (&obj->base == NULL)
370	return -ENOENT;	370	return -ENOENT;
371		371
372	mutex_lock(&dev->struct_mutex);	372	mutex_lock(&dev->struct_mutex);


diff --git a/drivers/gpu/drm/i915/intel_display.c b/drivers/gpu/drm/i915/intel_display.c index 1a15438512f1..40fcbc91139c 100644 --- a/drivers/gpu/drm/i915/intel_display.c +++ b/drivers/gpu/drm/i915/intel_display.c
@@ -5324,7 +5324,7 @@ static int intel_crtc_cursor_set(struct drm_crtc *crtc,
5324	}	5324	}
5325		5325
5326	obj = to_intel_bo(drm_gem_object_lookup(dev, file, handle));	5326	obj = to_intel_bo(drm_gem_object_lookup(dev, file, handle));
5327	if (!obj)	5327	if (&obj->base == NULL)
5328	return -ENOENT;	5328	return -ENOENT;
5329		5329
5330	if (obj->base.size < width * height * 4) {	5330	if (obj->base.size < width * height * 4) {
@@ -6563,7 +6563,7 @@ intel_user_framebuffer_create(struct drm_device *dev,
6563	int ret;	6563	int ret;
6564		6564
6565	obj = to_intel_bo(drm_gem_object_lookup(dev, filp, mode_cmd->handle));	6565	obj = to_intel_bo(drm_gem_object_lookup(dev, filp, mode_cmd->handle));
6566	if (!obj)	6566	if (&obj->base == NULL)
6567	return ERR_PTR(-ENOENT);	6567	return ERR_PTR(-ENOENT);
6568		6568
6569	intel_fb = kzalloc(sizeof(*intel_fb), GFP_KERNEL);	6569	intel_fb = kzalloc(sizeof(*intel_fb), GFP_KERNEL);


diff --git a/drivers/gpu/drm/i915/intel_overlay.c b/drivers/gpu/drm/i915/intel_overlay.c index 29fb2174eaaa..50bc865139aa 100644 --- a/drivers/gpu/drm/i915/intel_overlay.c +++ b/drivers/gpu/drm/i915/intel_overlay.c
@@ -1156,7 +1156,7 @@ int intel_overlay_put_image(struct drm_device dev, void data,
1156		1156
1157	new_bo = to_intel_bo(drm_gem_object_lookup(dev, file_priv,	1157	new_bo = to_intel_bo(drm_gem_object_lookup(dev, file_priv,
1158	put_image_rec->bo_handle));	1158	put_image_rec->bo_handle));
1159	if (!new_bo) {	1159	if (&new_bo->base == NULL) {
1160	ret = -ENOENT;	1160	ret = -ENOENT;
1161	goto out_free;	1161	goto out_free;
1162	}	1162	}