|
@@ -583,14 +583,17 @@ i915_gem_pread_ioctl(struct drm_device *dev, void *data,
|
|
|
return -ENOENT;
|
|
|
obj_priv = to_intel_bo(obj);
|
|
|
|
|
|
- /* Bounds check source.
|
|
|
- *
|
|
|
- * XXX: This could use review for overflow issues...
|
|
|
- */
|
|
|
- if (args->offset > obj->size || args->size > obj->size ||
|
|
|
- args->offset + args->size > obj->size) {
|
|
|
- drm_gem_object_unreference_unlocked(obj);
|
|
|
- return -EINVAL;
|
|
|
+ /* Bounds check source. */
|
|
|
+ if (args->offset > obj->size || args->size > obj->size - args->offset) {
|
|
|
+ ret = -EINVAL;
|
|
|
+ goto err;
|
|
|
+ }
|
|
|
+
|
|
|
+ if (!access_ok(VERIFY_WRITE,
|
|
|
+ (char __user *)(uintptr_t)args->data_ptr,
|
|
|
+ args->size)) {
|
|
|
+ ret = -EFAULT;
|
|
|
+ goto err;
|
|
|
}
|
|
|
|
|
|
if (i915_gem_object_needs_bit17_swizzle(obj)) {
|
|
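Review bot: The rewritten test `args->size > obj->size - args->offset` is only wrap-safe because `args->offset > obj->size` is evaluated first, and the shortened comment no longer records that. I would keep the reasoning next to the check, e.g. `/* Bounds check source; subtract rather than add so offset + size cannot wrap. */`, so a later cleanup does not fold it back into the addition form that the removed XXX note was worried about. The same applies to the identical check in the i915_gem_pwrite_ioctl hunk further down. The function body begins and continues outside this hunk.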
@@ -602,8 +605,8 @@ i915_gem_pread_ioctl(struct drm_device *dev, void *data,
|
|
|
file_priv);
|
|
|
}
|
|
|
|
|
|
+err:
|
|
|
drm_gem_object_unreference_unlocked(obj);
|
|
|
-
|
|
|
return ret;
|
|
|
}
|
|
|
|
|
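Review bot: The new `err:` label is also reached by fall-through on the success path, so the name misdescribes it. As this is the function's common exit that drops the object reference, `out:` (with `goto out;` at the two failure sites) would read more accurately. The same label is added at the end of i915_gem_pwrite_ioctl in the last hunk. Only the tail of the function is visible here.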
@@ -692,8 +695,6 @@ i915_gem_gtt_pwrite_fast(struct drm_device *dev, struct drm_gem_object *obj,
|
|
|
|
|
|
user_data = (char __user *) (uintptr_t) args->data_ptr;
|
|
|
remain = args->size;
|
|
|
- if (!access_ok(VERIFY_READ, user_data, remain))
|
|
|
- return -EFAULT;
|
|
|
|
|
|
ret = i915_mutex_lock_interruptible(dev);
|
|
|
if (ret)
|
|
@@ -1055,14 +1056,17 @@ i915_gem_pwrite_ioctl(struct drm_device *dev, void *data,
|
|
|
return -ENOENT;
|
|
|
obj_priv = to_intel_bo(obj);
|
|
|
|
|
|
- /* Bounds check destination.
|
|
|
- *
|
|
|
- * XXX: This could use review for overflow issues...
|
|
|
- */
|
|
|
- if (args->offset > obj->size || args->size > obj->size ||
|
|
|
- args->offset + args->size > obj->size) {
|
|
|
- drm_gem_object_unreference_unlocked(obj);
|
|
|
- return -EINVAL;
|
|
|
+ /* Bounds check destination. */
|
|
|
+ if (args->offset > obj->size || args->size > obj->size - args->offset) {
|
|
|
+ ret = -EINVAL;
|
|
|
+ goto err;
|
|
|
+ }
|
|
|
+
|
|
|
+ if (!access_ok(VERIFY_READ,
|
|
|
+ (char __user *)(uintptr_t)args->data_ptr,
|
|
|
+ args->size)) {
|
|
|
+ ret = -EFAULT;
|
|
|
+ goto err;
|
|
|
}
|
|
|
|
|
|
/* We can only do the GTT pwrite on untiled buffers, as otherwise
|
|
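Review bot: With the third hunk removing `access_ok(VERIFY_READ, ...)` from i915_gem_gtt_pwrite_fast, the check added here is the only visible validation of `args->data_ptr`, and nothing in the code records that dependency. I would state it at the check, e.g. `/* Validate the user range once; the pwrite paths below rely on this and do not re-check. */`. It is also worth confirming that i915_gem_gtt_pwrite_fast has no caller that bypasses this ioctl, which this page does not show. access_ok only establishes that the range lies in user address space, so the copy routines still have to cope with faults. The function body begins and continues outside this hunk.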
@@ -1096,8 +1100,8 @@ i915_gem_pwrite_ioctl(struct drm_device *dev, void *data,
|
|
|
DRM_INFO("pwrite failed %d\n", ret);
|
|
|
#endif
|
|
|
|
|
|
+err:
|
|
|
drm_gem_object_unreference_unlocked(obj);
|
|
|
-
|
|
|
return ret;
|
|
|
}
|
|
|
|