From mboxrd@z Thu Jan 1 00:00:00 1970 From: Jordan Crouse Subject: [PATCH 02/13] drm/msm: Fix the check for the command size Date: Mon, 8 May 2017 14:34:58 -0600 Message-ID: <1494275709-25782-3-git-send-email-jcrouse@codeaurora.org> References: <1494275709-25782-1-git-send-email-jcrouse@codeaurora.org> Return-path: Received: from smtp.codeaurora.org ([198.145.29.96]:55116 "EHLO smtp.codeaurora.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751568AbdEHUfO (ORCPT ); Mon, 8 May 2017 16:35:14 -0400 In-Reply-To: <1494275709-25782-1-git-send-email-jcrouse@codeaurora.org> Sender: linux-arm-msm-owner@vger.kernel.org List-Id: linux-arm-msm@vger.kernel.org To: freedreno@lists.freedesktop.org Cc: dri-devel@lists.freedesktop.org, linux-arm-msm@vger.kernel.org The overrun check for the size of submitted commands is off by one. It should allow the offset plus the size to be equal to the size of the memory object when the command stream is very tightly constructed. Signed-off-by: Jordan Crouse --- drivers/gpu/drm/msm/msm_gem_submit.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/drivers/gpu/drm/msm/msm_gem_submit.c b/drivers/gpu/drm/msm/msm_gem_submit.c index 1c545eb..c51cf03 100644 --- a/drivers/gpu/drm/msm/msm_gem_submit.c +++ b/drivers/gpu/drm/msm/msm_gem_submit.c @@ -496,8 +496,9 @@ int msm_ioctl_gem_submit(struct drm_device *dev, void *data, goto out; } - if ((submit_cmd.size + submit_cmd.submit_offset) >= - msm_obj->base.size) { + if (!(submit_cmd.size) || + ((submit_cmd.size + submit_cmd.submit_offset) > + msm_obj->base.size)) { DRM_ERROR("invalid cmdstream size: %u\n", submit_cmd.size); ret = -EINVAL; goto out; -- 1.9.1