On 29/02/16 17:11, Matthew Auld wrote:
When binding pages for a partial view we should check that the offset +
size is valid relative to the size of the gem object.

Cc: Joonas Lahtinen <joonas.lahti...@linux.intel.com>
Signed-off-by: Matthew Auld <matthew.a...@intel.com>
---
  drivers/gpu/drm/i915/i915_gem_gtt.c | 4 ++++
  1 file changed, 4 insertions(+)

diff --git a/drivers/gpu/drm/i915/i915_gem_gtt.c 
b/drivers/gpu/drm/i915/i915_gem_gtt.c
index 49e4f26..a477bb2 100644
--- a/drivers/gpu/drm/i915/i915_gem_gtt.c
+++ b/drivers/gpu/drm/i915/i915_gem_gtt.c
@@ -3500,6 +3500,10 @@ intel_partial_pages(const struct i915_ggtt_view *view,
        struct sg_page_iter obj_sg_iter;
        int ret = -ENOMEM;

+       if (view->params.partial.offset + view->params.partial.size >
+           obj->pages->nents)
+               return ERR_PTR(-EINVAL);
+

obj->pages->nents is not guaranteed to be equal to the number of pages but can be less due to sg entry coalescing.

I suggest replacing with a check against "obj->base.size >> PAGE_SHIFT".

        st = kmalloc(sizeof(*st), GFP_KERNEL);
        if (!st)
                goto err_st_alloc;
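
Review bot: In the added check at the top of intel_partial_pages(), view->params.partial.offset + view->params.partial.size is summed before the comparison, so if both fields are unsigned and large the addition can wrap and an out-of-range view would pass; the field types are not visible in this hunk. Writing it as "size > limit || offset > limit - size" removes that dependency. The commit message says the range is validated against the size of the gem object, but the right-hand side is obj->pages->nents, so the limit should be expressed as the object's page count to match the stated intent.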


Regards,

Tvrtko
_______________________________________________
Intel-gfx mailing list
Intel-gfx@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/intel-gfx
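
An added example, not part of the original thread or the i915 driver: a user-space C model of the point raised in the reply above, that the entry count of a coalesced scatter list can be smaller than the page count, so a partial view that lies inside the object fails a check against the entry count. The `model_*` names and the sample page frame numbers are constructed for illustration, and the range check is written so that the sum cannot wrap.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Simplified user-space model (assumption, not kernel code): each entry
 * covers a run of physically contiguous pages, as after coalescing. */
struct model_sg_entry { uint64_t first_pfn; size_t npages; };

/* Build entries from a list of page frame numbers, merging contiguous
 * neighbours. Returns the entry count (the model's "nents"). */
static size_t model_build_sg(const uint64_t *pfns, size_t npages,
                             struct model_sg_entry *out)
{
    size_t nents = 0;
    for (size_t i = 0; i < npages; i++) {
        if (nents &&
            out[nents - 1].first_pfn + out[nents - 1].npages == pfns[i]) {
            out[nents - 1].npages++;        /* extend the previous run */
        } else {
            out[nents].first_pfn = pfns[i]; /* start a new entry */
            out[nents].npages = 1;
            nents++;
        }
    }
    return nents;
}

/* Range check in which offset + size is never computed, so it cannot wrap. */
static bool model_range_ok(uint64_t offset, uint64_t size, uint64_t limit)
{
    return size <= limit && offset <= limit - size;
}

/* Constructed sample: an 8-page object whose pages form three runs. */
static const uint64_t sample_pfns[8] = { 100, 101, 102, 103, 200, 201, 300, 301 };

int main(void)
{
    struct model_sg_entry sg[8];
    size_t nents = model_build_sg(sample_pfns, 8, sg);
    /* A view of pages 4..7 is inside the object, yet exceeds nents. */
    bool by_nents = model_range_ok(4, 4, nents);
    bool by_pages = model_range_ok(4, 4, 8);
    return (nents == 3 && !by_nents && by_pages) ? 0 : 1;
}
```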
