From: Russell King <rmk+kernel@xxxxxxxxxxxxxxxx> Ensure that we reject command buffers which are fully populated, as we always need to append two words for a LINK command to the end of the buffer. Signed-off-by: Russell King <rmk+kernel@xxxxxxxxxxxxxxxx> --- drivers/staging/etnaviv/etnaviv_gem_submit.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/drivers/staging/etnaviv/etnaviv_gem_submit.c b/drivers/staging/etnaviv/etnaviv_gem_submit.c index dd87fdfe7ab5..f8b733a0e313 100644 --- a/drivers/staging/etnaviv/etnaviv_gem_submit.c +++ b/drivers/staging/etnaviv/etnaviv_gem_submit.c @@ -348,6 +348,7 @@ int etnaviv_ioctl_gem_submit(struct drm_device *dev, void *data, void __user *userptr = to_user_ptr(args->cmds + (i * sizeof(submit_cmd))); struct etnaviv_gem_object *etnaviv_obj; + unsigned max_size; ret = copy_from_user(&submit_cmd, userptr, sizeof(submit_cmd)); if (ret) { @@ -373,8 +374,13 @@ int etnaviv_ioctl_gem_submit(struct drm_device *dev, void *data, goto out; } - if ((submit_cmd.size + submit_cmd.submit_offset) >= - etnaviv_obj->base.size) { + /* + * We must have space to add a LINK command at the end of + * the command buffer. + */ + max_size = etnaviv_obj->base.size - 8; + + if ((submit_cmd.size + submit_cmd.submit_offset) > max_size) { DRM_ERROR("invalid cmdstream size: %u\n", submit_cmd.size); ret = -EINVAL; goto out; -- 2.1.4 _______________________________________________ dri-devel mailing list dri-devel@xxxxxxxxxxxxxxxxxxxxx http://lists.freedesktop.org/mailman/listinfo/dri-devel