[PATCH 03/22] drm/tegra: Check whether page belongs to BO in tegra_bo_kmap()
Erik Faye-Lund
kusmabite at gmail.com
Tue May 23 00:21:19 UTC 2017
On Tue, May 23, 2017 at 2:14 AM, Dmitry Osipenko <digetx at gmail.com> wrote:
> This fixes an OOPS in case of out-of-bounds accessing of a kmap'ed cmdbuf
> (non-IOMMU allocation) while patching the relocations in do_relocs().
>
> Signed-off-by: Dmitry Osipenko <digetx at gmail.com>
> ---
> drivers/gpu/drm/tegra/gem.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/drivers/gpu/drm/tegra/gem.c b/drivers/gpu/drm/tegra/gem.c
> index 424569b53e57..ca0d4439e97b 100644
> --- a/drivers/gpu/drm/tegra/gem.c
> +++ b/drivers/gpu/drm/tegra/gem.c
> @@ -74,6 +74,9 @@ static void *tegra_bo_kmap(struct host1x_bo *bo, unsigned int page)
> {
> struct tegra_bo *obj = host1x_to_tegra_bo(bo);
>
> + if (page * PAGE_SIZE >= obj->gem.size)
> + return NULL;
> +
> if (obj->vaddr)
> return obj->vaddr + page * PAGE_SIZE;
> else if (obj->gem.import_attach)
> --
> 2.13.0
>
Reviewed-by: Erik Faye-Lund <kusmabite at gmail.com>
More information about the dri-devel
mailing list