drm/i915: Protect against drm_gem_object not being the first member

Dave Airlie spotted that we had a potential bug should we ever rearrange
the drm_i915_gem_object so not the base drm_gem_object was not its first
member. He noticed that we often convert the return of
drm_gem_object_lookup() immediately into drm_i915_gem_object and then
check the result for nullity. This is only valid when the base object is
the first member and so the superobject has the same address. Play safe
instead and use the compiler to convert back to the original return
address for sanity testing.

Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>

diff --git a/drivers/gpu/drm/i915/i915_gem.c b/drivers/gpu/drm/i915/i915_gem.c
index a8768e2bbebc6401450e78d837dfc48566edcd46..f5094bb82d32bf03d401b46d199ab23db01e77c0 100644 (file)
--- a/drivers/gpu/drm/i915/i915_gem.c
+++ b/drivers/gpu/drm/i915/i915_gem.c
@@ -506,7 +506,7 @@ i915_gem_pread_ioctl(struct drm_device *dev, void *data,
                return ret;
 
        obj = to_intel_bo(drm_gem_object_lookup(dev, file, args->handle));
-       if (obj == NULL) {
+       if (&obj->base == NULL) {
                ret = -ENOENT;
                goto unlock;
        }
@@ -949,7 +949,7 @@ i915_gem_pwrite_ioctl(struct drm_device *dev, void *data,
                return ret;
 
        obj = to_intel_bo(drm_gem_object_lookup(dev, file, args->handle));
-       if (obj == NULL) {
+       if (&obj->base == NULL) {
                ret = -ENOENT;
                goto unlock;
        }
@@ -1045,7 +1045,7 @@ i915_gem_set_domain_ioctl(struct drm_device *dev, void *data,
                return ret;
 
        obj = to_intel_bo(drm_gem_object_lookup(dev, file, args->handle));
-       if (obj == NULL) {
+       if (&obj->base == NULL) {
                ret = -ENOENT;
                goto unlock;
        }
@@ -1088,7 +1088,7 @@ i915_gem_sw_finish_ioctl(struct drm_device *dev, void *data,
                return ret;
 
        obj = to_intel_bo(drm_gem_object_lookup(dev, file, args->handle));
-       if (obj == NULL) {
+       if (&obj->base == NULL) {
                ret = -ENOENT;
                goto unlock;
        }
@@ -1463,7 +1463,7 @@ i915_gem_mmap_gtt_ioctl(struct drm_device *dev, void *data,
                return ret;
 
        obj = to_intel_bo(drm_gem_object_lookup(dev, file, args->handle));
-       if (obj == NULL) {
+       if (&obj->base == NULL) {
                ret = -ENOENT;
                goto unlock;
        }
@@ -3331,7 +3331,7 @@ i915_gem_pin_ioctl(struct drm_device *dev, void *data,
                return ret;
 
        obj = to_intel_bo(drm_gem_object_lookup(dev, file, args->handle));
-       if (obj == NULL) {
+       if (&obj->base == NULL) {
                ret = -ENOENT;
                goto unlock;
        }
@@ -3382,7 +3382,7 @@ i915_gem_unpin_ioctl(struct drm_device *dev, void *data,
                return ret;
 
        obj = to_intel_bo(drm_gem_object_lookup(dev, file, args->handle));
-       if (obj == NULL) {
+       if (&obj->base == NULL) {
                ret = -ENOENT;
                goto unlock;
        }
@@ -3419,7 +3419,7 @@ i915_gem_busy_ioctl(struct drm_device *dev, void *data,
                return ret;
 
        obj = to_intel_bo(drm_gem_object_lookup(dev, file, args->handle));
-       if (obj == NULL) {
+       if (&obj->base == NULL) {
                ret = -ENOENT;
                goto unlock;
        }
@@ -3497,7 +3497,7 @@ i915_gem_madvise_ioctl(struct drm_device *dev, void *data,
                return ret;
 
        obj = to_intel_bo(drm_gem_object_lookup(dev, file_priv, args->handle));
-       if (obj == NULL) {
+       if (&obj->base == NULL) {
                ret = -ENOENT;
                goto unlock;
        }

diff --git a/drivers/gpu/drm/i915/i915_gem_execbuffer.c b/drivers/gpu/drm/i915/i915_gem_execbuffer.c
index 84fa24e6cca84cbb8807d5cd2cb5aea272832da8..a72e7b2cb04810e613e76a48a727de6c1ead363e 100644 (file)
--- a/drivers/gpu/drm/i915/i915_gem_execbuffer.c
+++ b/drivers/gpu/drm/i915/i915_gem_execbuffer.c
@@ -677,7 +677,7 @@ i915_gem_execbuffer_relocate_slow(struct drm_device *dev,
        for (i = 0; i < count; i++) {
                obj = to_intel_bo(drm_gem_object_lookup(dev, file,
                                                        exec[i].handle));
-               if (obj == NULL) {
+               if (&obj->base == NULL) {
                        DRM_ERROR("Invalid object handle %d at index %d\n",
                                   exec[i].handle, i);
                        ret = -ENOENT;
@@ -1087,7 +1087,7 @@ i915_gem_do_execbuffer(struct drm_device *dev, void *data,
 
                obj = to_intel_bo(drm_gem_object_lookup(dev, file,
                                                        exec[i].handle));
-               if (obj == NULL) {
+               if (&obj->base == NULL) {
                        DRM_ERROR("Invalid object handle %d at index %d\n",
                                   exec[i].handle, i);
                        /* prevent error path from reading uninitialized data */

diff --git a/drivers/gpu/drm/i915/i915_gem_tiling.c b/drivers/gpu/drm/i915/i915_gem_tiling.c
index a093d67b94e28a94363712a339803942f50bd4a4..0a8969392829c0a0a2f3af20dff2f33c8ae87f0b 100644 (file)
--- a/drivers/gpu/drm/i915/i915_gem_tiling.c
+++ b/drivers/gpu/drm/i915/i915_gem_tiling.c
@@ -286,7 +286,7 @@ i915_gem_set_tiling(struct drm_device *dev, void *data,
        struct drm_i915_gem_object *obj;
 
        obj = to_intel_bo(drm_gem_object_lookup(dev, file, args->handle));
-       if (obj == NULL)
+       if (&obj->base == NULL)
                return -ENOENT;
 
        if (!i915_tiling_ok(dev,
@@ -366,7 +366,7 @@ i915_gem_get_tiling(struct drm_device *dev, void *data,
        struct drm_i915_gem_object *obj;
 
        obj = to_intel_bo(drm_gem_object_lookup(dev, file, args->handle));
-       if (obj == NULL)
+       if (&obj->base == NULL)
                return -ENOENT;
 
        mutex_lock(&dev->struct_mutex);

diff --git a/drivers/gpu/drm/i915/intel_display.c b/drivers/gpu/drm/i915/intel_display.c
index 1a15438512f1524883581af59acdc2f20fccd1fe..40fcbc91139c87d82827c5a5bced8ae255ea7a6f 100644 (file)
--- a/drivers/gpu/drm/i915/intel_display.c
+++ b/drivers/gpu/drm/i915/intel_display.c
@@ -5324,7 +5324,7 @@ static int intel_crtc_cursor_set(struct drm_crtc *crtc,
        }
 
        obj = to_intel_bo(drm_gem_object_lookup(dev, file, handle));
-       if (!obj)
+       if (&obj->base == NULL)
                return -ENOENT;
 
        if (obj->base.size < width * height * 4) {
@@ -6563,7 +6563,7 @@ intel_user_framebuffer_create(struct drm_device *dev,
        int ret;
 
        obj = to_intel_bo(drm_gem_object_lookup(dev, filp, mode_cmd->handle));
-       if (!obj)
+       if (&obj->base == NULL)
                return ERR_PTR(-ENOENT);
 
        intel_fb = kzalloc(sizeof(*intel_fb), GFP_KERNEL);

diff --git a/drivers/gpu/drm/i915/intel_overlay.c b/drivers/gpu/drm/i915/intel_overlay.c
index 29fb2174eaaaf9c9faff0dcbc4f16b7d1b7c4ff7..50bc865139aa2cec1069c5f3ae7e80e55a7adeee 100644 (file)
--- a/drivers/gpu/drm/i915/intel_overlay.c
+++ b/drivers/gpu/drm/i915/intel_overlay.c
@@ -1156,7 +1156,7 @@ int intel_overlay_put_image(struct drm_device *dev, void *data,
 
        new_bo = to_intel_bo(drm_gem_object_lookup(dev, file_priv,
                                                   put_image_rec->bo_handle));
-       if (!new_bo) {
+       if (&new_bo->base == NULL) {
                ret = -ENOENT;
                goto out_free;
        }