On Thu, 2020-06-11 at 13:15 +0200, Greg KH wrote: > On Thu, Jun 11, 2020 at 09:37:42AM +0800, Miles Chen wrote: > > @@ -2601,7 +2603,17 @@ i915_gem_execbuffer2_ioctl(struct drm_device *dev, void *data, > > unsigned int i; > > > > /* Copy the new buffer offsets back to the user's exec list. */ > > - user_access_begin(); > > + /* > > + * Note: count * sizeof(*user_exec_list) does not overflow, > > + * because we checked 'count' in check_buffer_count(). > > + * > > + * And this range already got effectively checked earlier > > + * when we did the "copy_from_user()" above. > > + */ > > + if (!user_access_begin(VERIFY_WRITE, user_exec_list, > > + count * sizeof(*user_exec_list))) > > + goto end_user; > > + > > for (i = 0; i < args->buffer_count; i++) { > > if (!(exec2_list[i].offset & UPDATE)) > > continue; > > No one seems to have test-built this code, it fails here on the 4.14.y > kernel :( > > I'll go fix it up, but please, always at the very least, test build your > patches before sending them out... > > thanks, Sorry for the breakage. It won't happen next time. cheers, Miles > > greg k-h
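Review bot: In the added `if (!user_access_begin(VERIFY_WRITE, user_exec_list, count * sizeof(*user_exec_list))) goto end_user;`, the failure path jumps to `end_user`, whose body is not visible in this hunk. If that label is the one that runs `user_access_end()`, a failed begin would close a user-access window that was never opened, so the jump should target a label placed after it. The checked range is sized by `count` while the loop below still runs to `args->buffer_count`; using the same variable for both, or stating in the comment that they are equal, would make it evident that every write in the loop stays inside the checked range. The call also changes from the zero-argument `user_access_begin()` to a three-argument form, so the patch only builds on a tree whose definition takes those arguments; naming that prerequisite in the changelog would help the stable backport.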