On Mon, Feb 29, 2016 at 05:11:02PM +0000, Matthew Auld wrote: > When binding pages for a partial view we should check that the offset + > size is valid relative to the size of the gem object. > > Cc: Joonas Lahtinen <joonas.lahtinen@xxxxxxxxxxxxxxx> > Signed-off-by: Matthew Auld <matthew.auld@xxxxxxxxx> > --- > drivers/gpu/drm/i915/i915_gem_gtt.c | 4 ++++ > 1 file changed, 4 insertions(+) > > diff --git a/drivers/gpu/drm/i915/i915_gem_gtt.c b/drivers/gpu/drm/i915/i915_gem_gtt.c > index 49e4f26..a477bb2 100644 > --- a/drivers/gpu/drm/i915/i915_gem_gtt.c > +++ b/drivers/gpu/drm/i915/i915_gem_gtt.c > @@ -3500,6 +3500,10 @@ intel_partial_pages(const struct i915_ggtt_view *view, > struct sg_page_iter obj_sg_iter; > int ret = -ENOMEM; > > + if (view->params.partial.offset + view->params.partial.size > > + obj->pages->nents) > + return ERR_PTR(-EINVAL); It seems to me that if we hit this, there must a bug somewhere higher up. > + > st = kmalloc(sizeof(*st), GFP_KERNEL); > if (!st) > goto err_st_alloc; > -- > 2.4.3 > > _______________________________________________ > Intel-gfx mailing list > Intel-gfx@xxxxxxxxxxxxxxxxxxxxx > https://lists.freedesktop.org/mailman/listinfo/intel-gfx -- Ville Syrjälä Intel OTC _______________________________________________ Intel-gfx mailing list Intel-gfx@xxxxxxxxxxxxxxxxxxxxx https://lists.freedesktop.org/mailman/listinfo/intel-gfx
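Review bot: The upper bound in the added check, `obj->pages->nents`, is the number of scatterlist entries, not the number of pages in the object. The commit message says the range should be validated against the size of the gem object, and an sg_table entry can cover several contiguous pages, so `nents` can be smaller than the page count and a valid partial view would then be rejected with -EINVAL. Comparing against the object's page count would match the stated intent. The sum `view->params.partial.offset + view->params.partial.size` is also evaluated without a wrap guard; checking `offset` against the bound first and then `size` against `bound - offset` avoids relying on the addition not overflowing. Since a failure here points at a caller bug, as the reply observes, a short comment saying which caller is expected to guarantee the range would make the intent of the early return clear.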