Hello Chris, Is there an integer overflow in validate_exec_list()? drivers/gpu/drm/i915/i915_gem.c 3633 size_t length = exec[i].relocation_count * sizeof(struct drm_i915_gem_relocation_entry); 3634 3635 if (!access_ok(VERIFY_READ, ptr, length)) 3636 return -EFAULT; 3637 My concern is that if relocation_count is larger than 0x8000000 the multiplication can wrap. This code was added in 2549d6c2 "drm/i915: Avoid vmallocing a buffer for the relocations" regards, dan carpenter _______________________________________________ dri-devel mailing list dri-devel@xxxxxxxxxxxxxxxxxxxxx http://lists.freedesktop.org/mailman/listinfo/dri-devel
