| Message ID | 20170514204734.22130-2-digetx@gmail.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
On 14.05.2017 23:47, Dmitry Osipenko wrote: > This fixes an OOPS in case of out-of-bounds accessing of a kmap'ed commands > buffer CMA while patching relocations in do_relocs(). > > Signed-off-by: Dmitry Osipenko <digetx@gmail.com> > --- > drivers/gpu/drm/tegra/gem.c | 3 +++ > 1 file changed, 3 insertions(+) > > diff --git a/drivers/gpu/drm/tegra/gem.c b/drivers/gpu/drm/tegra/gem.c > index 424569b53e57..b76d7ac75696 100644 > --- a/drivers/gpu/drm/tegra/gem.c > +++ b/drivers/gpu/drm/tegra/gem.c > @@ -74,6 +74,9 @@ static void *tegra_bo_kmap(struct host1x_bo *bo, unsigned int page) > { > struct tegra_bo *obj = host1x_to_tegra_bo(bo); > > + if (page * PAGE_SIZE > obj->gem.size) > + return NULL; > + > if (obj->vaddr) > return obj->vaddr + page * PAGE_SIZE; > else if (obj->gem.import_attach) > It should be '>=', I'll wait for the review comments before sending out a new version of the patch.
diff --git a/drivers/gpu/drm/tegra/gem.c b/drivers/gpu/drm/tegra/gem.c index 424569b53e57..b76d7ac75696 100644 --- a/drivers/gpu/drm/tegra/gem.c +++ b/drivers/gpu/drm/tegra/gem.c @@ -74,6 +74,9 @@ static void *tegra_bo_kmap(struct host1x_bo *bo, unsigned int page) { struct tegra_bo *obj = host1x_to_tegra_bo(bo); + if (page * PAGE_SIZE > obj->gem.size) + return NULL; + if (obj->vaddr) return obj->vaddr + page * PAGE_SIZE; else if (obj->gem.import_attach)
This fixes an OOPS in case of out-of-bounds accessing of a kmap'ed commands buffer CMA while patching relocations in do_relocs(). Signed-off-by: Dmitry Osipenko <digetx@gmail.com> --- drivers/gpu/drm/tegra/gem.c | 3 +++ 1 file changed, 3 insertions(+)