Pretty harmless since actually binding such a giant thing would be really hard to pull off - it doesn't fit into the gtt of any shipping gpu right now.

Signed-off-by: Daniel Vetter <daniel.vetter@xxxxxxxx>
---
 drivers/gpu/drm/i915/i915_gpu_error.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/drivers/gpu/drm/i915/i915_gpu_error.c b/drivers/gpu/drm/i915/i915_gpu_error.c
index 763283e..6c80636 100644
--- a/drivers/gpu/drm/i915/i915_gpu_error.c
+++ b/drivers/gpu/drm/i915/i915_gpu_error.c
@@ -478,7 +478,7 @@ static void i915_error_state_free(struct kref *error_ref)
 static struct drm_i915_error_object *
 i915_error_object_create_sized(struct drm_i915_private *dev_priv,
 struct drm_i915_gem_object *src,
- const int num_pages)
+ const unsigned int num_pages)
 {
 struct drm_i915_error_object *dst;
 int i;
@@ -487,6 +487,12 @@ i915_error_object_create_sized(struct drm_i915_private *dev_priv,
 if (src == NULL || src->pages == NULL)
 return NULL;

+ if (num_pages > (UINT_MAX - sizeof(*dst)) / sizeof(u32 *)) {
+ DRM_DEBUG("error object with overflowing num_pages %u\n",
+ num_pages);
+ return NULL;
+ }
+
 dst = kmalloc(sizeof(*dst) + num_pages * sizeof(u32 *), GFP_ATOMIC);
 if (dst == NULL)
 return NULL;
-- 
1.8.4.rc3
_______________________________________________
Intel-gfx mailing list
Intel-gfx@xxxxxxxxxxxxxxxxxxxxx
http://lists.freedesktop.org/mailman/listinfo/intel-gfx
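Review bot: In the first hunk (`@@ -478,7 +478,7 @@`) `num_pages` becomes `unsigned int` while the context line `int i;` stays signed, so any `i < num_pages` comparison in the body would now be a mixed signed/unsigned compare. The body of `i915_error_object_create_sized` continues outside the hunk, so this is inferred; if `i` is the page index there, `unsigned int i;` would keep the types consistent. Callers that pass a signed page count are also worth checking, since a negative value now arrives as a large unsigned one and is rejected only by the bound check added in the second hunk.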
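Review bot: The added check in the second hunk (`@@ -487,6 +487,12 @@`) bounds `num_pages` against `UINT_MAX`, while the size passed to `kmalloc` (`sizeof(*dst) + num_pages * sizeof(u32 *)`) is computed in `size_t`. The bound is exact where `size_t` is 32 bits and only conservative where it is 64 bits, and nothing in the code says which was intended. A wrapped size would give an allocation smaller than `num_pages` pointer slots, which matters if later code outside the hunk fills one slot per page. I would add a comment above the `if`, for example `/* Reject page counts that would wrap the kmalloc() size computed below. */`.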