drm/amdgpu: validate size and offset of user fence BO
authorChristian König <christian.koenig@amd.com>
Fri, 9 Sep 2016 09:21:43 +0000 (11:21 +0200)
committerAlex Deucher <alexander.deucher@amd.com>
Wed, 14 Sep 2016 19:10:43 +0000 (15:10 -0400)
We need to validate the offset to make sure that we don't write past the end of the BO.

In addition to that, a page should be enough and can make address space
handling much easier.

Signed-off-by: Christian König <christian.koenig@amd.com>
Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c

index 9480be45b45f45c0039faafaf7a437fd0914da4b..b8412bcbad2a2355ed13d78ebb0a0078ea75d48d 100644 (file)
@@ -91,6 +91,7 @@ static int amdgpu_cs_user_fence_chunk(struct amdgpu_cs_parser *p,
                                      uint32_t *offset)
 {
        struct drm_gem_object *gobj;
+       unsigned long size;
 
        gobj = drm_gem_object_lookup(p->filp, data->handle);
        if (gobj == NULL)
@@ -101,6 +102,11 @@ static int amdgpu_cs_user_fence_chunk(struct amdgpu_cs_parser *p,
        p->uf_entry.tv.bo = &p->uf_entry.robj->tbo;
        p->uf_entry.tv.shared = true;
        p->uf_entry.user_pages = NULL;
+
+       size = amdgpu_bo_size(p->uf_entry.robj);
+       if (size != PAGE_SIZE || (data->offset + 8) > size)
+               return -EINVAL;
+
        *offset = data->offset;
 
        drm_gem_object_unreference_unlocked(gobj);
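Review bot: The bound `(data->offset + 8) > size` can wrap if `data->offset` is a 32-bit unsigned field, as the `uint32_t *offset` out-parameter suggests; an offset within 8 of the 32-bit maximum would then sum to a small value and pass the check. Because `size != PAGE_SIZE` is rejected first, the subtraction form cannot underflow, so `if (size != PAGE_SIZE || data->offset > size - 8)` is the safer spelling. Separately, the new `return -EINVAL;` exits before `drm_gem_object_unreference_unlocked(gobj);`, so the reference taken by `drm_gem_object_lookup()` appears to leak on every rejected request. Moving the unreference above the size check, or dropping it on the error path, would fix that. The function body between the two hunks is not visible here, so confirm that nothing else on that path already releases `gobj`.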