drm/i915: Sanity check pread/pwrite (ce9d419d) · Commits · e / devices / android_kernel_oneplus_sm8150

drivers/gpu/drm/i915/i915_gem.c

+20 −8

Original line number	Diff line number	Diff line
		@@ -477,8 +477,15 @@ i915_gem_pread_ioctl(struct drm_device dev, void data,
		*/
		if (args->offset > obj->size \|\| args->size > obj->size \|\|
		args->offset + args->size > obj->size) {
		drm_gem_object_unreference_unlocked(obj);
		return -EINVAL;
		ret = -EINVAL;
		goto err;
		}

		if (!access_ok(VERIFY_WRITE,
		(char __user *)(uintptr_t)args->data_ptr,
		args->size)) {
		ret = -EFAULT;
		goto err;
		}

		if (i915_gem_object_needs_bit17_swizzle(obj)) {
		@@ -490,8 +497,8 @@ i915_gem_pread_ioctl(struct drm_device dev, void data,
		file_priv);
		}

		err:
		drm_gem_object_unreference_unlocked(obj);

		return ret;
		}

		@@ -580,8 +587,6 @@ i915_gem_gtt_pwrite_fast(struct drm_device dev, struct drm_gem_object obj,

		user_data = (char __user *) (uintptr_t) args->data_ptr;
		remain = args->size;
		if (!access_ok(VERIFY_READ, user_data, remain))
		return -EFAULT;


		mutex_lock(&dev->struct_mutex);
		@@ -940,8 +945,15 @@ i915_gem_pwrite_ioctl(struct drm_device dev, void data,
		*/
		if (args->offset > obj->size \|\| args->size > obj->size \|\|
		args->offset + args->size > obj->size) {
		drm_gem_object_unreference_unlocked(obj);
		return -EINVAL;
		ret = -EINVAL;
		goto err;
		}

		if (!access_ok(VERIFY_READ,
		(char __user *)(uintptr_t)args->data_ptr,
		args->size)) {
		ret = -EFAULT;
		goto err;
		}

		/* We can only do the GTT pwrite on untiled buffers, as otherwise
		@@ -975,8 +987,8 @@ i915_gem_pwrite_ioctl(struct drm_device dev, void data,
		DRM_INFO("pwrite failed %d\n", ret);
		#endif

		err:
		drm_gem_object_unreference_unlocked(obj);

		return ret;
		}