From patchwork Mon May  8 20:34:58 2017
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jordan Crouse <jcrouse@codeaurora.org>
X-Patchwork-Id: 9716657
Return-Path: <dri-devel-bounces@lists.freedesktop.org>
Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org
	[172.30.200.125])
	by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id
	F290B60365 for <patchwork-dri-devel@patchwork.kernel.org>;
	Mon,  8 May 2017 20:35:45 +0000 (UTC)
Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id E8211204BA
	for <patchwork-dri-devel@patchwork.kernel.org>;
	Mon,  8 May 2017 20:35:45 +0000 (UTC)
Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486)
	id DCBF126224; Mon,  8 May 2017 20:35:45 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	pdx-wl-mail.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-4.1 required=2.0 tests=BAYES_00,DKIM_SIGNED,
	RCVD_IN_DNSWL_MED,T_DKIM_INVALID autolearn=ham version=3.3.1
Received: from gabe.freedesktop.org (gabe.freedesktop.org [131.252.210.177])
	(using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256
	bits)) (No client certificate requested)
	by mail.wl.linuxfoundation.org (Postfix) with ESMTPS id 9A396204BA
	for <patchwork-dri-devel@patchwork.kernel.org>;
	Mon,  8 May 2017 20:35:45 +0000 (UTC)
Received: from gabe.freedesktop.org (localhost [127.0.0.1])
	by gabe.freedesktop.org (Postfix) with ESMTP id 797F66E2BB;
	Mon,  8 May 2017 20:35:20 +0000 (UTC)
X-Original-To: dri-devel@lists.freedesktop.org
Delivered-To: dri-devel@lists.freedesktop.org
Received: from smtp.codeaurora.org (smtp.codeaurora.org [198.145.29.96])
	by gabe.freedesktop.org (Postfix) with ESMTPS id 4BEAD6E1A0;
	Mon,  8 May 2017 20:35:14 +0000 (UTC)
Received: by smtp.codeaurora.org (Postfix, from userid 1000)
	id 38966607E6; Mon,  8 May 2017 20:35:14 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=codeaurora.org;
	s=default; t=1494275714;
	bh=KCu0PJa1V8dcLJFkqXfGDTLqtf4kr+t+71R0ohmEIcA=;
	h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
	b=FqiYKsYOjFz+LFTCm3BwUTw3oxABONyqGHz5VBPyFB5HJoeIA6uVIkaF5/w3nsfSM
	6/FbfmwO7xbHd3AX8LxTAeyPe0VDljmrdiRHI3wVqtHcRo+x/t6POwPppqKoFYPPLS
	jWL5457y4t5VSJC5vzBZKSC2IOfGQbvzkY7f2fQ8=
Received: from jcrouse-lnx.qualcomm.com (i-global254.qualcomm.com
	[199.106.103.254])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-SHA256 (128/128 bits))
	(No client certificate requested)
	(Authenticated sender: jcrouse@smtp.codeaurora.org)
	by smtp.codeaurora.org (Postfix) with ESMTPSA id 9FB706077D;
	Mon,  8 May 2017 20:35:13 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=codeaurora.org;
	s=default; t=1494275714;
	bh=KCu0PJa1V8dcLJFkqXfGDTLqtf4kr+t+71R0ohmEIcA=;
	h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
	b=FqiYKsYOjFz+LFTCm3BwUTw3oxABONyqGHz5VBPyFB5HJoeIA6uVIkaF5/w3nsfSM
	6/FbfmwO7xbHd3AX8LxTAeyPe0VDljmrdiRHI3wVqtHcRo+x/t6POwPppqKoFYPPLS
	jWL5457y4t5VSJC5vzBZKSC2IOfGQbvzkY7f2fQ8=
DMARC-Filter: OpenDMARC Filter v1.3.2 smtp.codeaurora.org 9FB706077D
Authentication-Results: pdx-caf-mail.web.codeaurora.org;
	dmarc=none (p=none dis=none) header.from=codeaurora.org
Authentication-Results: pdx-caf-mail.web.codeaurora.org;
	spf=none smtp.mailfrom=jcrouse@codeaurora.org
From: Jordan Crouse <jcrouse@codeaurora.org>
To: freedreno@lists.freedesktop.org
Subject: [PATCH 02/13] drm/msm: Fix the check for the command size
Date: Mon,  8 May 2017 14:34:58 -0600
Message-Id: <1494275709-25782-3-git-send-email-jcrouse@codeaurora.org>
X-Mailer: git-send-email 1.9.1
In-Reply-To: <1494275709-25782-1-git-send-email-jcrouse@codeaurora.org>
References: <1494275709-25782-1-git-send-email-jcrouse@codeaurora.org>
Cc: linux-arm-msm@vger.kernel.org, dri-devel@lists.freedesktop.org
X-BeenThere: dri-devel@lists.freedesktop.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: Direct Rendering Infrastructure - Development
	<dri-devel.lists.freedesktop.org>
List-Unsubscribe: <https://lists.freedesktop.org/mailman/options/dri-devel>,
	<mailto:dri-devel-request@lists.freedesktop.org?subject=unsubscribe>
List-Archive: <https://lists.freedesktop.org/archives/dri-devel>
List-Post: <mailto:dri-devel@lists.freedesktop.org>
List-Help: <mailto:dri-devel-request@lists.freedesktop.org?subject=help>
List-Subscribe: <https://lists.freedesktop.org/mailman/listinfo/dri-devel>,
	<mailto:dri-devel-request@lists.freedesktop.org?subject=subscribe>
MIME-Version: 1.0
Errors-To: dri-devel-bounces@lists.freedesktop.org
Sender: "dri-devel" <dri-devel-bounces@lists.freedesktop.org>
X-Virus-Scanned: ClamAV using ClamSMTP

The overrun check for the size of submitted commands is off by one.
It should allow the offset plus the size to be equal to the
size of the memory object when the command stream is very tightly
constructed.

Signed-off-by: Jordan Crouse <jcrouse@codeaurora.org>
---
 drivers/gpu/drm/msm/msm_gem_submit.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/drivers/gpu/drm/msm/msm_gem_submit.c b/drivers/gpu/drm/msm/msm_gem_submit.c
index 1c545eb..c51cf03 100644
--- a/drivers/gpu/drm/msm/msm_gem_submit.c
+++ b/drivers/gpu/drm/msm/msm_gem_submit.c
@@ -496,8 +496,9 @@ int msm_ioctl_gem_submit(struct drm_device *dev, void *data,
 			goto out;
 		}
 
-		if ((submit_cmd.size + submit_cmd.submit_offset) >=
-				msm_obj->base.size) {
+		if (!(submit_cmd.size) ||
+			((submit_cmd.size + submit_cmd.submit_offset) >
+				msm_obj->base.size)) {
 			DRM_ERROR("invalid cmdstream size: %u\n", submit_cmd.size);
 			ret = -EINVAL;
 			goto out;