From: Maarten Lankhorst <maarten.lankhorst@canonical.com>
Date: Sun, 7 Jul 2013 08:40:19 +0000 (+0200)
Subject: drm/nouveau: do not allow negative sizes for now
X-Git-Tag: v3.12-rc1~227^2~2^2~19
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=0108bc808107b97e101b15af9705729626be6447;p=kernel%2Fkernel-generic.git

drm/nouveau: do not allow negative sizes for now

The API allows up to 64-bits allocations, but size is handled as int
inside nouveau almost everywhere. Until this is fixed it's better to
prevent negative sizes.

The 256 kB before INT_MAX is paranoia, because of the large page
aligning below that could flip it above INT_MAX.

Signed-off-by: Maarten Lankhorst <maarten.lankhorst@canonical.com>
Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
---

diff --git a/drivers/gpu/drm/nouveau/nouveau_bo.c b/drivers/gpu/drm/nouveau/nouveau_bo.c
index 459a445..4e7ee5f 100644
--- a/drivers/gpu/drm/nouveau/nouveau_bo.c
+++ b/drivers/gpu/drm/nouveau/nouveau_bo.c
@@ -198,6 +198,12 @@ nouveau_bo_new(struct drm_device *dev, int size, int align,
 	size_t acc_size;
 	int ret;
 	int type = ttm_bo_type_device;
+	int max_size = INT_MAX & ~((1 << drm->client.base.vm->vmm->lpg_shift) - 1);
+
+	if (size <= 0 || size > max_size) {
+		nv_warn(drm, "skipped size %x\n", (u32)size);
+		return -EINVAL;
+	}
 
 	if (sg)
 		type = ttm_bo_type_sg;