[Intel-gfx] [PATCH 4/5] drm/i915: check for allocation overflow in error state capture
Daniel Vetter
daniel.vetter at ffwll.ch
Thu Sep 19 12:18:35 CEST 2013
Pretty harmless since actually binding such a giant thing would be
really hard to pull off - it doesn't fit into the gtt of any shipping
gpu right now.
Signed-off-by: Daniel Vetter <daniel.vetter at ffwll.ch>
---
drivers/gpu/drm/i915/i915_gpu_error.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/i915/i915_gpu_error.c b/drivers/gpu/drm/i915/i915_gpu_error.c
index 763283e..6c80636 100644
--- a/drivers/gpu/drm/i915/i915_gpu_error.c
+++ b/drivers/gpu/drm/i915/i915_gpu_error.c
@@ -478,7 +478,7 @@ static void i915_error_state_free(struct kref *error_ref)
static struct drm_i915_error_object *
i915_error_object_create_sized(struct drm_i915_private *dev_priv,
struct drm_i915_gem_object *src,
- const int num_pages)
+ const unsigned int num_pages)
{
struct drm_i915_error_object *dst;
int i;
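Review bot: `int i;` stays signed while `num_pages` becomes `const unsigned int`, so any `i < num_pages` comparison in the rest of the body (outside this hunk, not visible here) would now mix signed and unsigned operands. Declaring it `unsigned int i;` would keep the index and the bound in the same type, provided no loop further down relies on `i` going negative. It is also worth confirming that no caller computes the page count as a signed value that can be negative, since such a value now arrives as a very large count and is rejected only by the overflow check added in the next hunk.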
@@ -487,6 +487,12 @@ i915_error_object_create_sized(struct drm_i915_private *dev_priv,
if (src == NULL || src->pages == NULL)
return NULL;
+ if (num_pages > (UINT_MAX - sizeof(*dst)) / sizeof(u32 *)) {
+ DRM_DEBUG("error object with overflowing num_pages %u\n",
+ num_pages);
+ return NULL;
+ }
+
dst = kmalloc(sizeof(*dst) + num_pages * sizeof(u32 *), GFP_ATOMIC);
if (dst == NULL)
return NULL;
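Review bot: The guard `if (num_pages > (UINT_MAX - sizeof(*dst)) / sizeof(u32 *))` bounds the size against `UINT_MAX`, while the `kmalloc` argument two lines below is evaluated in `size_t`. The two agree where `size_t` is 32 bits wide, and the check is merely stricter than necessary where it is 64 bits, but nothing in the code says so. A short comment above the check would record the intent, e.g. `/* reject num_pages that would wrap sizeof(*dst) + num_pages * sizeof(u32 *) */`. The size expression is also written out twice with a literal `u32 *` element type, so the guard and the allocation can drift apart if the trailing array in `struct drm_i915_error_object` (not shown here) changes; sizing both from the array member itself would tie them together. The function body continues past the end of this hunk.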
--
1.8.4.rc3