drm/amdgpu: validate size and offset of user fence BO

We need to validate the offset to make sure that we don't write after the BO. Additional to that a page should be enough and can make address space handling much easier. Signed-off-by: Christian König <christian.koenig@amd.com> Reviewed-by: Alex Deucher <alexander.deucher@amd.com> Signed-off-by: Alex Deucher <alexander.deucher@amd.com>

drm/amdgpu: validate size and offset of user fence BO
We need to validate the offset to make sure that we don't write after the BO. Additional to that a page should be enough and can make address space handling much easier. Signed-off-by: Christian König <christian.koenig@amd.com> Reviewed-by: Alex Deucher <alexander.deucher@amd.com> Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
aa29040b · Christian König · Alex Deucher · 7c732ea6 · aa29040b
Commit aa29040b authored Sep 09, 2016 by Christian König Committed by Alex Deucher Sep 14, 2016
Show whitespace changes
Inline Side-by-side

Showing with 6 additions and 0 deletions

drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c +6 -0

No files found.
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c
@@ -91,6 +91,7 @@ static int amdgpu_cs_user_fence_chunk(struct amdgpu_cs_parser *p,
 				      uint32_t *offset)
 {
 	struct drm_gem_object *gobj;
+	unsigned long size;
 	gobj = drm_gem_object_lookup(p->filp, data->handle);
 	if (gobj == NULL)
@@ -101,6 +102,11 @@ static int amdgpu_cs_user_fence_chunk(struct amdgpu_cs_parser *p,
 	p->uf_entry.tv.bo = &p->uf_entry.robj->tbo;
 	p->uf_entry.tv.shared = true;
 	p->uf_entry.user_pages = NULL;
+	size = amdgpu_bo_size(p->uf_entry.robj);
+	if (size != PAGE_SIZE || (data->offset + 8) > size)
+		return -EINVAL;
 	*offset = data->offset;
 	drm_gem_object_unreference_unlocked(gobj);