Re: [PATCH] drm/tegra: Check offsets of a submitted command buffer and of relocations

Dmitry Osipenko Mon, 15 May 2017 17:51:59 -0700

On 14.05.2017 23:47, Dmitry Osipenko wrote:
>       /* copy and resolve relocations from submit */
>       while (num_relocs--) {
> +             struct host1x_reloc *reloc;
> +             struct tegra_bo *obj;
> +
>               err = host1x_reloc_copy_from_user(&job->relocarray[num_relocs],
>                                                 &relocs[num_relocs], drm,
>                                                 file);
>               if (err < 0)
>                       goto fail;
> +
> +             reloc = &job->relocarray[num_relocs];
> +             obj = host1x_to_tegra_bo(reloc->cmdbuf.bo);
> +
> +             if (reloc->cmdbuf.offset & 3 ||
> +                 reloc->cmdbuf.offset > obj->gem.size) {
> +                     err = -EINVAL;
> +                     goto fail;
> +             }
> +
> +             obj = host1x_to_tegra_bo(reloc->target.bo);
> +
> +             if (reloc->target.offset & 3 ||
> +                 reloc->target.offset > obj->gem.size) {
> +                     err = -EINVAL;
> +                     goto fail;
> +             }
>       }


The relocation offsets should be compared as '>=' as well.

-- 
Dmitry
_______________________________________________
dri-devel mailing list
dri-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/dri-devel

Re: [PATCH] drm/tegra: Check offsets of a submitted command buffer and of relocations

Reply via email to