On Thu, Jun 11, 2020 at 09:37:42AM +0800, Miles Chen wrote: > @@ -2601,7 +2603,17 @@ i915_gem_execbuffer2_ioctl(struct drm_device *dev, void *data, > unsigned int i; > > /* Copy the new buffer offsets back to the user's exec list. */ > - user_access_begin(); > + /* > + * Note: count * sizeof(*user_exec_list) does not overflow, > + * because we checked 'count' in check_buffer_count(). > + * > + * And this range already got effectively checked earlier > + * when we did the "copy_from_user()" above. > + */ > + if (!user_access_begin(VERIFY_WRITE, user_exec_list, > + count * sizeof(*user_exec_list))) > + goto end_user; > + > for (i = 0; i < args->buffer_count; i++) { > if (!(exec2_list[i].offset & UPDATE)) > continue; No one seems to have test-built this code, it fails here on the 4.14.y kernel :( I'll go fix it up, but please, always at the very least, test build your patches before sending them out... thanks, greg k-h
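Review bot: the range passed to user_access_begin() is sized with `count` while the loop that follows still iterates over `args->buffer_count`, and nothing in the quoted hunk declares `count` in this function; the only local shown is `unsigned int i;`, and the comment's reference to check_buffer_count() points at code outside the hunk. If the 4.14.y version of i915_gem_execbuffer2_ioctl() does not carry a `count` local, that is a plausible source of the build failure reported below, independent of whether the stable tree's user_access_begin() already accepts the three-argument `(VERIFY_WRITE, ptr, size)` form that this hunk assumes. The backport should either add the `count` local where the comment says it was validated, or use `args->buffer_count` in the size expression, and in either case use the same bound in the loop so the checked range and the written range cannot drift apart. Note also that the `goto end_user` on failure silently skips writing the offsets back rather than returning an error; the comment justifies this by the earlier copy_from_user() having already validated the same range, so the backport must keep that earlier copy covering exactly `count * sizeof(*user_exec_list)` bytes, or the justification no longer holds.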