Re: [PATCH] drm/tegra: Check offsets of a submitted command buffer and of relocations

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On 14.05.2017 23:47, Dmitry Osipenko wrote:
>  	/* copy and resolve relocations from submit */
>  	while (num_relocs--) {
> +		struct host1x_reloc *reloc;
> +		struct tegra_bo *obj;
> +
>  		err = host1x_reloc_copy_from_user(&job->relocarray[num_relocs],
>  						  &relocs[num_relocs], drm,
>  						  file);
>  		if (err < 0)
>  			goto fail;
> +
> +		reloc = &job->relocarray[num_relocs];
> +		obj = host1x_to_tegra_bo(reloc->cmdbuf.bo);
> +
> +		if (reloc->cmdbuf.offset & 3 ||
> +		    reloc->cmdbuf.offset > obj->gem.size) {
> +			err = -EINVAL;
> +			goto fail;
> +		}
> +
> +		obj = host1x_to_tegra_bo(reloc->target.bo);
> +
> +		if (reloc->target.offset & 3 ||
> +		    reloc->target.offset > obj->gem.size) {
> +			err = -EINVAL;
> +			goto fail;
> +		}
>  	}

The relocation offsets should be compared as '>=' as well.

-- 
Dmitry
_______________________________________________
dri-devel mailing list
dri-devel@xxxxxxxxxxxxxxxxxxxxx
https://lists.freedesktop.org/mailman/listinfo/dri-devel
[Index of Archives]     [Linux DRI Users]     [Linux Intel Graphics]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]     [XFree86]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Linux Kernel]     [Linux SCSI]     [XFree86]
  Powered by Linux