[PATCH] drm/tegra: Check whether page belongs to BO in tegra_bo_kmap()
Dmitry Osipenko
digetx at gmail.com
Mon May 15 07:54:36 UTC 2017
On 14.05.2017 23:47, Dmitry Osipenko wrote:
> This fixes an OOPS in case of out-of-bounds accessing of a kmap'ed commands
> buffer CMA while patching relocations in do_relocs().
>
> Signed-off-by: Dmitry Osipenko <digetx at gmail.com>
> ---
> drivers/gpu/drm/tegra/gem.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/drivers/gpu/drm/tegra/gem.c b/drivers/gpu/drm/tegra/gem.c
> index 424569b53e57..b76d7ac75696 100644
> --- a/drivers/gpu/drm/tegra/gem.c
> +++ b/drivers/gpu/drm/tegra/gem.c
> @@ -74,6 +74,9 @@ static void *tegra_bo_kmap(struct host1x_bo *bo, unsigned int page)
> {
> struct tegra_bo *obj = host1x_to_tegra_bo(bo);
>
> + if (page * PAGE_SIZE > obj->gem.size)
> + return NULL;
> +
> if (obj->vaddr)
> return obj->vaddr + page * PAGE_SIZE;
> else if (obj->gem.import_attach)
>
It should be '>=', I'll wait for the review comments before sending out a new
version of the patch.
--
Dmitry
More information about the dri-devel
mailing list