[PATCH] drm/tegra: Check offsets of a submitted command buffer and of relocations
Dmitry Osipenko
digetx at gmail.com
Mon May 15 08:01:59 UTC 2017
On 14.05.2017 23:47, Dmitry Osipenko wrote:
> /* copy and resolve relocations from submit */
> while (num_relocs--) {
> + struct host1x_reloc *reloc;
> + struct tegra_bo *obj;
> +
> err = host1x_reloc_copy_from_user(&job->relocarray[num_relocs],
> &relocs[num_relocs], drm,
> file);
> if (err < 0)
> goto fail;
> +
> + reloc = &job->relocarray[num_relocs];
> + obj = host1x_to_tegra_bo(reloc->cmdbuf.bo);
> +
> + if (reloc->cmdbuf.offset & 3 ||
> + reloc->cmdbuf.offset > obj->gem.size) {
> + err = -EINVAL;
> + goto fail;
> + }
> +
> + obj = host1x_to_tegra_bo(reloc->target.bo);
> +
> + if (reloc->target.offset & 3 ||
> + reloc->target.offset > obj->gem.size) {
> + err = -EINVAL;
> + goto fail;
> + }
> }
The relocation offsets should be compared as '>=' as well.
--
Dmitry
More information about the dri-devel
mailing list