On 05/23/2017 03:14 AM, Dmitry Osipenko wrote:
This fixes an OOPS in case of out-of-bounds accessing of a kmap'ed cmdbuf
(non-IOMMU allocation) while patching the relocations in do_relocs().
Signed-off-by: Dmitry Osipenko <digetx@xxxxxxxxx>
---
drivers/gpu/drm/tegra/gem.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/gpu/drm/tegra/gem.c b/drivers/gpu/drm/tegra/gem.c
index 424569b53e57..ca0d4439e97b 100644
--- a/drivers/gpu/drm/tegra/gem.c
+++ b/drivers/gpu/drm/tegra/gem.c
@@ -74,6 +74,9 @@ static void *tegra_bo_kmap(struct host1x_bo *bo, unsigned int page)
{
struct tegra_bo *obj = host1x_to_tegra_bo(bo);
+ if (page * PAGE_SIZE >= obj->gem.size)
+ return NULL;
+
The multiplication here could overflow, so it needs the same u64
treatment to catch all problem situations. I'm not sure if this is
required, though, with the other bounds check patches in this series.
if (obj->vaddr)
return obj->vaddr + page * PAGE_SIZE;
else if (obj->gem.import_attach)
_______________________________________________
dri-devel mailing list
dri-devel@xxxxxxxxxxxxxxxxxxxxx
https://lists.freedesktop.org/mailman/listinfo/dri-devel