| Message ID | 04637a55694493bdd8267a7f19798d7968568087.1495498184.git.digetx@gmail.com |
|---|---|
| State | Superseded, archived |
| Headers | show |
On Tue, May 23, 2017 at 2:14 AM, Dmitry Osipenko <digetx@gmail.com> wrote: > This fixes an OOPS in case of out-of-bounds accessing of a kmap'ed cmdbuf > (non-IOMMU allocation) while patching the relocations in do_relocs(). > > Signed-off-by: Dmitry Osipenko <digetx@gmail.com> > --- > drivers/gpu/drm/tegra/gem.c | 3 +++ > 1 file changed, 3 insertions(+) > > diff --git a/drivers/gpu/drm/tegra/gem.c b/drivers/gpu/drm/tegra/gem.c > index 424569b53e57..ca0d4439e97b 100644 > --- a/drivers/gpu/drm/tegra/gem.c > +++ b/drivers/gpu/drm/tegra/gem.c > @@ -74,6 +74,9 @@ static void *tegra_bo_kmap(struct host1x_bo *bo, unsigned int page) > { > struct tegra_bo *obj = host1x_to_tegra_bo(bo); > > + if (page * PAGE_SIZE >= obj->gem.size) > + return NULL; > + > if (obj->vaddr) > return obj->vaddr + page * PAGE_SIZE; > else if (obj->gem.import_attach) > -- > 2.13.0 > Reviewed-by: Erik Faye-Lund <kusmabite@gmail.com> -- To unsubscribe from this list: send the line "unsubscribe linux-tegra" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
On 05/23/2017 03:14 AM, Dmitry Osipenko wrote: > This fixes an OOPS in case of out-of-bounds accessing of a kmap'ed cmdbuf > (non-IOMMU allocation) while patching the relocations in do_relocs(). > > Signed-off-by: Dmitry Osipenko <digetx@gmail.com> > --- > drivers/gpu/drm/tegra/gem.c | 3 +++ > 1 file changed, 3 insertions(+) > > diff --git a/drivers/gpu/drm/tegra/gem.c b/drivers/gpu/drm/tegra/gem.c > index 424569b53e57..ca0d4439e97b 100644 > --- a/drivers/gpu/drm/tegra/gem.c > +++ b/drivers/gpu/drm/tegra/gem.c > @@ -74,6 +74,9 @@ static void *tegra_bo_kmap(struct host1x_bo *bo, unsigned int page) > { > struct tegra_bo *obj = host1x_to_tegra_bo(bo); > > + if (page * PAGE_SIZE >= obj->gem.size) > + return NULL; > + The multiplication here could overflow, so it needs the same u64 treatment to catch all problem situations. I'm not sure if this is required, though, with the other bounds check patches in this series. > if (obj->vaddr) > return obj->vaddr + page * PAGE_SIZE; > else if (obj->gem.import_attach) > -- To unsubscribe from this list: send the line "unsubscribe linux-tegra" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
On 01.06.2017 21:01, Mikko Perttunen wrote: > On 05/23/2017 03:14 AM, Dmitry Osipenko wrote: >> This fixes an OOPS in case of out-of-bounds accessing of a kmap'ed cmdbuf >> (non-IOMMU allocation) while patching the relocations in do_relocs(). >> >> Signed-off-by: Dmitry Osipenko <digetx@gmail.com> >> --- >> drivers/gpu/drm/tegra/gem.c | 3 +++ >> 1 file changed, 3 insertions(+) >> >> diff --git a/drivers/gpu/drm/tegra/gem.c b/drivers/gpu/drm/tegra/gem.c >> index 424569b53e57..ca0d4439e97b 100644 >> --- a/drivers/gpu/drm/tegra/gem.c >> +++ b/drivers/gpu/drm/tegra/gem.c >> @@ -74,6 +74,9 @@ static void *tegra_bo_kmap(struct host1x_bo *bo, unsigned >> int page) >> { >> struct tegra_bo *obj = host1x_to_tegra_bo(bo); >> + if (page * PAGE_SIZE >= obj->gem.size) >> + return NULL; >> + > > The multiplication here could overflow, so it needs the same u64 treatment to > catch all problem situations. I'm not sure if this is required, though, with the > other bounds check patches in this series. > Right, I'll checks once more if this patch is still needed, thank you. >> if (obj->vaddr) >> return obj->vaddr + page * PAGE_SIZE; >> else if (obj->gem.import_attach) >>
diff --git a/drivers/gpu/drm/tegra/gem.c b/drivers/gpu/drm/tegra/gem.c index 424569b53e57..ca0d4439e97b 100644 --- a/drivers/gpu/drm/tegra/gem.c +++ b/drivers/gpu/drm/tegra/gem.c @@ -74,6 +74,9 @@ static void *tegra_bo_kmap(struct host1x_bo *bo, unsigned int page) { struct tegra_bo *obj = host1x_to_tegra_bo(bo); + if (page * PAGE_SIZE >= obj->gem.size) + return NULL; + if (obj->vaddr) return obj->vaddr + page * PAGE_SIZE; else if (obj->gem.import_attach)
This fixes an OOPS in case of out-of-bounds accessing of a kmap'ed cmdbuf (non-IOMMU allocation) while patching the relocations in do_relocs(). Signed-off-by: Dmitry Osipenko <digetx@gmail.com> --- drivers/gpu/drm/tegra/gem.c | 3 +++ 1 file changed, 3 insertions(+)