mirrors/linux-stable
1
0
Fork 0
mirror of https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git synced 2024-09-06 02:50:43 +00:00
Code Issues Releases Wiki Activity
linux-stable/drivers/gpu
History
Chris Wilson d710fc16ff drm/i915: Prevent overflow of execbuf.buffer_count and num_cliprects 
We check whether the multiplies will overflow prior to calling
kmalloc_array so that we can respond with -EINVAL for the invalid user
arguments rather than treating it as an -ENOMEM that would otherwise
occur. However, as Dan Carpenter pointed out, we did an addition on the
unsigned int prior to passing to kmalloc_array where it would be
promoted to size_t for the calculation, thereby allowing it to overflow
and underallocate.

v2: buffer_count is currently limited to INT_MAX because we treat it as
signaled variable for LUT_HANDLE in eb_lookup_vma
v3: Move common checks for eb1/eb2 into the same function
v4: Put the check back for nfence*sizeof(user_fence) overflow
v5: access_ok uses ULONG_MAX but kvmalloc_array uses SIZE_MAX
v6: size_t and unsigned long are not type-equivalent on 32b

Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
Cc: Tvrtko Ursulin <tvrtko.ursulin@intel.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20171116105059.25142-1-chris@chris-wilson.co.uk
Reviewed-by: Tvrtko Ursulin <tvrtko.ursulin@intel.com>
2017-11-16 14:17:08 +00:00
..
drm drm/i915: Prevent overflow of execbuf.buffer_count and num_cliprects 2017-11-16 14:17:08 +00:00
host1x gpu: host1x: Fix incorrect comment for channel_request 2017-10-20 14:19:52 +02:00
ipu-v3 gpu: ipu-v3: pre: implement workaround for ERR009624 2017-10-11 12:04:24 +02:00
vga vgaarb: Factor out EFI and fallback default device selection 2017-10-18 10:04:56 +02:00
Makefile