Ping? On 04/09/2018 08:16 AM, Tom St Denis wrote:
> We don't need to check the alignment of the offset and there was
> potential a buffer overflow as well.
>
> Signed-off-by: Tom St Denis <tom.stdenis at amd.com>
> ---
> drivers/gpu/drm/amd/amdgpu/amdgpu_debugfs.c | 8 ++++++--
> 1 file changed, 6 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_debugfs.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_debugfs.c
> index c98e59721444..b1ea300008e5 100644
> --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_debugfs.c
> +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_debugfs.c
> @@ -507,6 +507,9 @@ static ssize_t amdgpu_debugfs_wave_read(struct file *f, char __user *buf,
> return result;
> }
>
> +// read at most 1024 words
> +#define AMDGPU_DEBUGFS_MAX_SGPR_READ 1024
> +
> static ssize_t amdgpu_debugfs_gpr_read(struct file *f, char __user *buf,
> size_t size, loff_t *pos)
> {
> @@ -515,7 +518,7 @@ static ssize_t amdgpu_debugfs_gpr_read(struct file *f, char __user *buf,
> ssize_t result = 0;
> uint32_t offset, se, sh, cu, wave, simd, thread, bank, *data;
>
> - if (size & 3 || *pos & 3)
> + if (size & 3 || size > (4 * AMDGPU_DEBUGFS_MAX_SGPR_READ))
> return -EINVAL;
>
> /* decode offset */
> @@ -528,7 +531,8 @@ static ssize_t amdgpu_debugfs_gpr_read(struct file *f, char __user *buf,
> thread = (*pos & GENMASK_ULL(59, 52)) >> 52;
> bank = (*pos & GENMASK_ULL(61, 60)) >> 60;
>
> - data = kmalloc_array(1024, sizeof(*data), GFP_KERNEL);
> + data = kmalloc_array(AMDGPU_DEBUGFS_MAX_SGPR_READ, sizeof(*data),
> + GFP_KERNEL);
> if (!data)
> return -ENOMEM;
>
>
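Review bot: The macro added in the first hunk is named `AMDGPU_DEBUGFS_MAX_SGPR_READ`, but it caps every read through `amdgpu_debugfs_gpr_read`, which also decodes a `bank` field, so the limit does not look SGPR-specific and the name may mislead a later reader. Its comment would be more useful if it stated the unit and what the constant protects, in the block-comment style the file uses elsewhere (`/* decode offset */`), for example `/* Max 32-bit words per debugfs GPR read; also the element count of the kernel buffer allocated in amdgpu_debugfs_gpr_read(). */`. A bank-neutral name such as `AMDGPU_DEBUGFS_MAX_GPR_READ` would match that wording.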
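Review bot: In the second hunk (`@@ -515,7 +518,7 @@`) the byte limit is written as `4 * AMDGPU_DEBUGFS_MAX_SGPR_READ`, which hard-codes the element size of `data`; `if (size & 3 || size > AMDGPU_DEBUGFS_MAX_SGPR_READ * sizeof(*data))` keeps the check tied to the `kmalloc_array()` call in the third hunk if the element type ever changes. The same line drops the `*pos & 3` test, and the decode of `offset` lies outside the visible hunks, so it cannot be confirmed from here that a misaligned low field is harmless; a short comment saying why the alignment no longer matters would help. The new check bounds only `size`, so if the code after the allocation uses `offset` plus the word count as a register index, that sum presumably needs its own limit.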