[PATCH 03/22] drm/tegra: Check whether page belongs to BO in tegra_bo_kmap()
Dmitry Osipenko
digetx at gmail.com
Thu Jun 1 18:32:43 UTC 2017
On 01.06.2017 21:01, Mikko Perttunen wrote:
> On 05/23/2017 03:14 AM, Dmitry Osipenko wrote:
>> This fixes an OOPS in case of out-of-bounds accessing of a kmap'ed cmdbuf
>> (non-IOMMU allocation) while patching the relocations in do_relocs().
>>
>> Signed-off-by: Dmitry Osipenko <digetx at gmail.com>
>> ---
>> drivers/gpu/drm/tegra/gem.c | 3 +++
>> 1 file changed, 3 insertions(+)
>>
>> diff --git a/drivers/gpu/drm/tegra/gem.c b/drivers/gpu/drm/tegra/gem.c
>> index 424569b53e57..ca0d4439e97b 100644
>> --- a/drivers/gpu/drm/tegra/gem.c
>> +++ b/drivers/gpu/drm/tegra/gem.c
>> @@ -74,6 +74,9 @@ static void *tegra_bo_kmap(struct host1x_bo *bo, unsigned
>> int page)
>> {
>> struct tegra_bo *obj = host1x_to_tegra_bo(bo);
>> + if (page * PAGE_SIZE >= obj->gem.size)
>> + return NULL;
>> +
>
> The multiplication here could overflow, so it needs the same u64 treatment to
> catch all problem situations. I'm not sure if this is required, though, with the
> other bounds check patches in this series.
>
Right, I'll checks once more if this patch is still needed, thank you.
>> if (obj->vaddr)
>> return obj->vaddr + page * PAGE_SIZE;
>> else if (obj->gem.import_attach)
>>
--
Dmitry
More information about the dri-devel
mailing list