On 01.06.2017 21:01, Mikko Perttunen wrote:
> On 05/23/2017 03:14 AM, Dmitry Osipenko wrote:
>> This fixes an OOPS in case of out-of-bounds accessing of a kmap'ed cmdbuf
>> (non-IOMMU allocation) while patching the relocations in do_relocs().
>>
>> Signed-off-by: Dmitry Osipenko <digetx@xxxxxxxxx>
>> ---
>> drivers/gpu/drm/tegra/gem.c | 3 +++
>> 1 file changed, 3 insertions(+)
>>
>> diff --git a/drivers/gpu/drm/tegra/gem.c b/drivers/gpu/drm/tegra/gem.c
>> index 424569b53e57..ca0d4439e97b 100644
>> --- a/drivers/gpu/drm/tegra/gem.c
>> +++ b/drivers/gpu/drm/tegra/gem.c
>> @@ -74,6 +74,9 @@ static void *tegra_bo_kmap(struct host1x_bo *bo, unsigned
>> int page)
>> {
>> struct tegra_bo *obj = host1x_to_tegra_bo(bo);
>> + if (page * PAGE_SIZE >= obj->gem.size)
>> + return NULL;
>> +
>
> The multiplication here could overflow, so it needs the same u64 treatment to
> catch all problem situations. I'm not sure if this is required, though, with the
> other bounds check patches in this series.
>
Right, I'll checks once more if this patch is still needed, thank you.
>> if (obj->vaddr)
>> return obj->vaddr + page * PAGE_SIZE;
>> else if (obj->gem.import_attach)
>>
--
Dmitry
--
To unsubscribe from this list: send the line "unsubscribe linux-tegra" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
