Skip to content

L
linux
Commit df6d075a authored by Chris Wilson's avatar Chris Wilson
Browse files
Options

Merge branch 'drm-intel-fixes' into drm-intel-next

parents f87ea761 7dcd2499
Show whitespace changes
Inline Side-by-side
Showing with 24 additions and 20 deletions
drivers/gpu/drm/i915/i915_gem.c
View file @ df6d075a
...@@ -583,14 +583,17 @@ i915_gem_pread_ioctl(struct drm_device *dev, void *data, ...@@ -583,14 +583,17 @@ i915_gem_pread_ioctl(struct drm_device *dev, void *data,
return -ENOENT; return -ENOENT;
obj_priv = to_intel_bo(obj); obj_priv = to_intel_bo(obj);
/* Bounds check source. /* Bounds check source. */
* if (args->offset > obj->size || args->size > obj->size - args->offset) {
* XXX: This could use review for overflow issues... ret = -EINVAL;
*/ goto err;
if (args->offset > obj->size || args->size > obj->size || }
args->offset + args->size > obj->size) {
drm_gem_object_unreference_unlocked(obj); if (!access_ok(VERIFY_WRITE,
return -EINVAL; (char __user *)(uintptr_t)args->data_ptr,
args->size)) {
ret = -EFAULT;
goto err;
} }
if (i915_gem_object_needs_bit17_swizzle(obj)) { if (i915_gem_object_needs_bit17_swizzle(obj)) {
...@@ -602,8 +605,8 @@ i915_gem_pread_ioctl(struct drm_device *dev, void *data, ...@@ -602,8 +605,8 @@ i915_gem_pread_ioctl(struct drm_device *dev, void *data,
file_priv); file_priv);
} }
err:
drm_gem_object_unreference_unlocked(obj); drm_gem_object_unreference_unlocked(obj);
return ret; return ret;
} }
...@@ -692,8 +695,6 @@ i915_gem_gtt_pwrite_fast(struct drm_device *dev, struct drm_gem_object *obj, ...@@ -692,8 +695,6 @@ i915_gem_gtt_pwrite_fast(struct drm_device *dev, struct drm_gem_object *obj,
user_data = (char __user *) (uintptr_t) args->data_ptr; user_data = (char __user *) (uintptr_t) args->data_ptr;
remain = args->size; remain = args->size;
if (!access_ok(VERIFY_READ, user_data, remain))
return -EFAULT;
ret = i915_mutex_lock_interruptible(dev); ret = i915_mutex_lock_interruptible(dev);
if (ret) if (ret)
...@@ -1055,14 +1056,17 @@ i915_gem_pwrite_ioctl(struct drm_device *dev, void *data, ...@@ -1055,14 +1056,17 @@ i915_gem_pwrite_ioctl(struct drm_device *dev, void *data,
return -ENOENT; return -ENOENT;
obj_priv = to_intel_bo(obj); obj_priv = to_intel_bo(obj);
/* Bounds check destination. /* Bounds check destination. */
* if (args->offset > obj->size || args->size > obj->size - args->offset) {
* XXX: This could use review for overflow issues... ret = -EINVAL;
*/ goto err;
if (args->offset > obj->size || args->size > obj->size || }
args->offset + args->size > obj->size) {
drm_gem_object_unreference_unlocked(obj); if (!access_ok(VERIFY_READ,
return -EINVAL; (char __user *)(uintptr_t)args->data_ptr,
args->size)) {
ret = -EFAULT;
goto err;
} }
/* We can only do the GTT pwrite on untiled buffers, as otherwise /* We can only do the GTT pwrite on untiled buffers, as otherwise
...@@ -1096,8 +1100,8 @@ i915_gem_pwrite_ioctl(struct drm_device *dev, void *data, ...@@ -1096,8 +1100,8 @@ i915_gem_pwrite_ioctl(struct drm_device *dev, void *data,
DRM_INFO("pwrite failed %d\n", ret); DRM_INFO("pwrite failed %d\n", ret);
#endif #endif
err:
drm_gem_object_unreference_unlocked(obj); drm_gem_object_unreference_unlocked(obj);
return ret; return ret;
} }
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment
GitLab Nexedi Edition | About GitLab | About Nexedi | 沪ICP备2021021310号-2 | 沪ICP备2021021310号-7