From: Jani Nikula <jani.nikula@linux.intel.com>
To: "Ville Syrjälä" <ville.syrjala@linux.intel.com>,
	"Chris Wilson" <chris@chris-wilson.co.uk>
Cc: intel-gfx@lists.freedesktop.org, stable@vger.kernel.org
Subject: Re: [Intel-gfx] [PATCH] drm/i915: Validate execbuffer start/length arguments against the target bo
Date: Thu, 28 Apr 2016 11:51:51 +0300
Message-ID: <878tzyi09k.fsf@intel.com>
In-Reply-To: <20151120153825.GS4437@intel.com>

On Fri, 20 Nov 2015, Ville Syrjälä <ville.syrjala@linux.intel.com> wrote:
> On Fri, Nov 20, 2015 at 03:11:04PM +0000, Chris Wilson wrote:
>> The offset within and the length of the command sequence to execute are
>> supplied by the user with respect to the batch buffer. We should be
>> validating that region is wholly contained within the batch buffer;
>> make it so.
>> 
>> Reported-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
>> Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
>> Cc: stable@vger.kernel.org
>> ---
>>  drivers/gpu/drm/i915/i915_gem_execbuffer.c | 7 +++++++
>>  1 file changed, 7 insertions(+)
>> 
>> diff --git a/drivers/gpu/drm/i915/i915_gem_execbuffer.c b/drivers/gpu/drm/i915/i915_gem_execbuffer.c
>> index a4c243cec4aa..e38284c1b89f 100644
>> --- a/drivers/gpu/drm/i915/i915_gem_execbuffer.c
>> +++ b/drivers/gpu/drm/i915/i915_gem_execbuffer.c
>> @@ -1462,6 +1462,13 @@ i915_gem_do_execbuffer(struct drm_device *dev, void *data,
>>  	/* take note of the batch buffer before we might reorder the lists */
>>  	batch_obj = eb_get_batch(eb);
>>  
>> +	if (args->batch_len > batch_obj->base.size ||
>> +	    args->batch_start_offset > batch_obj->base.size - args->batch_len) {
>
> lgtm. No possibility of overflow doing it that way.
>
> Reviewed-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
>
>> +		DRM_DEBUG("Attempting to execute commands from beyond the bounds of the batch object\n");
>> +		ret = -EINVAL;
>> +		goto err;
>> +	}
>> +
>>  	/* Move the objects en-masse into the GTT, evicting if necessary. */
>>  	need_relocs = (args->flags & I915_EXEC_NO_RELOC) == 0;
>>  	ret = i915_gem_execbuffer_reserve(ring, &eb->vmas, ctx, &need_relocs);
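
Review bot: The new condition is safe only because of the order of its two clauses, and nothing in the hunk says so: batch_obj->base.size - args->batch_len cannot underflow because the first clause has already rejected batch_len > size. A one-line comment above the if stating that the ordering is deliberate would guard against a later rewrite to the wrap-prone form batch_start_offset + batch_len > size. The DRM_DEBUG message also omits the values that failed; printing args->batch_start_offset, args->batch_len and batch_obj->base.size would show which argument was out of range. Finally, the check accepts batch_len == 0 with batch_start_offset == batch_obj->base.size; if an empty range at the very end of the object is not meant to be valid, that needs an explicit test.
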
>> -- 
>> 2.6.2

-- 
Jani Nikula, Intel Open Source Technology Center
