Loading drivers/gpu/drm/i915/i915_gem.c +24 −20 Original line number Original line Diff line number Diff line Loading @@ -583,14 +583,17 @@ i915_gem_pread_ioctl(struct drm_device *dev, void *data, return -ENOENT; return -ENOENT; obj_priv = to_intel_bo(obj); obj_priv = to_intel_bo(obj); /* Bounds check source. /* Bounds check source. */ * if (args->offset > obj->size || args->size > obj->size - args->offset) { * XXX: This could use review for overflow issues... ret = -EINVAL; */ goto err; if (args->offset > obj->size || args->size > obj->size || } args->offset + args->size > obj->size) { drm_gem_object_unreference_unlocked(obj); if (!access_ok(VERIFY_WRITE, return -EINVAL; (char __user *)(uintptr_t)args->data_ptr, args->size)) { ret = -EFAULT; goto err; } } if (i915_gem_object_needs_bit17_swizzle(obj)) { if (i915_gem_object_needs_bit17_swizzle(obj)) { Loading @@ -602,8 +605,8 @@ i915_gem_pread_ioctl(struct drm_device *dev, void *data, file_priv); file_priv); } } err: drm_gem_object_unreference_unlocked(obj); drm_gem_object_unreference_unlocked(obj); return ret; return ret; } } Loading Loading @@ -692,8 +695,6 @@ i915_gem_gtt_pwrite_fast(struct drm_device *dev, struct drm_gem_object *obj, user_data = (char __user *) (uintptr_t) args->data_ptr; user_data = (char __user *) (uintptr_t) args->data_ptr; remain = args->size; remain = args->size; if (!access_ok(VERIFY_READ, user_data, remain)) return -EFAULT; ret = i915_mutex_lock_interruptible(dev); ret = i915_mutex_lock_interruptible(dev); if (ret) if (ret) Loading Loading @@ -1055,14 +1056,17 @@ i915_gem_pwrite_ioctl(struct drm_device *dev, void *data, return -ENOENT; return -ENOENT; obj_priv = to_intel_bo(obj); obj_priv = to_intel_bo(obj); /* Bounds check destination. /* Bounds check destination. */ * if (args->offset > obj->size || args->size > obj->size - args->offset) { * XXX: This could use review for overflow issues... ret = -EINVAL; */ goto err; if (args->offset > obj->size || args->size > obj->size || } args->offset + args->size > obj->size) { drm_gem_object_unreference_unlocked(obj); if (!access_ok(VERIFY_READ, return -EINVAL; (char __user *)(uintptr_t)args->data_ptr, args->size)) { ret = -EFAULT; goto err; } } /* We can only do the GTT pwrite on untiled buffers, as otherwise /* We can only do the GTT pwrite on untiled buffers, as otherwise Loading Loading @@ -1096,8 +1100,8 @@ i915_gem_pwrite_ioctl(struct drm_device *dev, void *data, DRM_INFO("pwrite failed %d\n", ret); DRM_INFO("pwrite failed %d\n", ret); #endif #endif err: drm_gem_object_unreference_unlocked(obj); drm_gem_object_unreference_unlocked(obj); return ret; return ret; } } Loading Loading
drivers/gpu/drm/i915/i915_gem.c +24 −20 Original line number Original line Diff line number Diff line Loading @@ -583,14 +583,17 @@ i915_gem_pread_ioctl(struct drm_device *dev, void *data, return -ENOENT; return -ENOENT; obj_priv = to_intel_bo(obj); obj_priv = to_intel_bo(obj); /* Bounds check source. /* Bounds check source. */ * if (args->offset > obj->size || args->size > obj->size - args->offset) { * XXX: This could use review for overflow issues... ret = -EINVAL; */ goto err; if (args->offset > obj->size || args->size > obj->size || } args->offset + args->size > obj->size) { drm_gem_object_unreference_unlocked(obj); if (!access_ok(VERIFY_WRITE, return -EINVAL; (char __user *)(uintptr_t)args->data_ptr, args->size)) { ret = -EFAULT; goto err; } } if (i915_gem_object_needs_bit17_swizzle(obj)) { if (i915_gem_object_needs_bit17_swizzle(obj)) { Loading @@ -602,8 +605,8 @@ i915_gem_pread_ioctl(struct drm_device *dev, void *data, file_priv); file_priv); } } err: drm_gem_object_unreference_unlocked(obj); drm_gem_object_unreference_unlocked(obj); return ret; return ret; } } Loading Loading @@ -692,8 +695,6 @@ i915_gem_gtt_pwrite_fast(struct drm_device *dev, struct drm_gem_object *obj, user_data = (char __user *) (uintptr_t) args->data_ptr; user_data = (char __user *) (uintptr_t) args->data_ptr; remain = args->size; remain = args->size; if (!access_ok(VERIFY_READ, user_data, remain)) return -EFAULT; ret = i915_mutex_lock_interruptible(dev); ret = i915_mutex_lock_interruptible(dev); if (ret) if (ret) Loading Loading @@ -1055,14 +1056,17 @@ i915_gem_pwrite_ioctl(struct drm_device *dev, void *data, return -ENOENT; return -ENOENT; obj_priv = to_intel_bo(obj); obj_priv = to_intel_bo(obj); /* Bounds check destination. /* Bounds check destination. */ * if (args->offset > obj->size || args->size > obj->size - args->offset) { * XXX: This could use review for overflow issues... ret = -EINVAL; */ goto err; if (args->offset > obj->size || args->size > obj->size || } args->offset + args->size > obj->size) { drm_gem_object_unreference_unlocked(obj); if (!access_ok(VERIFY_READ, return -EINVAL; (char __user *)(uintptr_t)args->data_ptr, args->size)) { ret = -EFAULT; goto err; } } /* We can only do the GTT pwrite on untiled buffers, as otherwise /* We can only do the GTT pwrite on untiled buffers, as otherwise Loading Loading @@ -1096,8 +1100,8 @@ i915_gem_pwrite_ioctl(struct drm_device *dev, void *data, DRM_INFO("pwrite failed %d\n", ret); DRM_INFO("pwrite failed %d\n", ret); #endif #endif err: drm_gem_object_unreference_unlocked(obj); drm_gem_object_unreference_unlocked(obj); return ret; return ret; } } Loading
