From: Russell King <rmk+ker...@arm.linux.org.uk>
Ensure that we reject command buffers which are fully populated, as
we always need to append two words for a LINK command to the end of
the buffer.
Signed-off-by: Russell King <rmk+kernel at arm.linux.org.uk>
---
drivers/staging/etnaviv/etnaviv_gem_submit.c | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/drivers/staging/etnaviv/etnaviv_gem_submit.c
b/drivers/staging/etnaviv/etnaviv_gem_submit.c
index dd87fdfe7ab5..f8b733a0e313 100644
--- a/drivers/staging/etnaviv/etnaviv_gem_submit.c
+++ b/drivers/staging/etnaviv/etnaviv_gem_submit.c
@@ -348,6 +348,7 @@ int etnaviv_ioctl_gem_submit(struct drm_device *dev, void
*data,
void __user *userptr =
to_user_ptr(args->cmds + (i * sizeof(submit_cmd)));
struct etnaviv_gem_object *etnaviv_obj;
+ unsigned max_size;
ret = copy_from_user(&submit_cmd, userptr, sizeof(submit_cmd));
if (ret) {
@@ -373,8 +374,13 @@ int etnaviv_ioctl_gem_submit(struct drm_device *dev, void
*data,
goto out;
}
- if ((submit_cmd.size + submit_cmd.submit_offset) >=
- etnaviv_obj->base.size) {
+ /*
+ * We must have space to add a LINK command at the end of
+ * the command buffer.
+ */
+ max_size = etnaviv_obj->base.size - 8;
+
+ if ((submit_cmd.size + submit_cmd.submit_offset) > max_size) {
DRM_ERROR("invalid cmdstream size: %u\n",
submit_cmd.size);
ret = -EINVAL;
goto out;
--
2.1.4
