[PATCH 19/21] drm/i915: Rephrase pwrite bounds checking to avoid any potential overflow
From: Chris Wilson
Date: Sun Sep 26 2010 - 15:21:44 EST
commit 7dcd2499deab8f10011713c40bc2f309c9b65077 upstream.
... and do the same for pread.
Signed-off-by: Chris Wilson <chris@xxxxxxxxxxxxxxxxxx>
Cc: stable@xxxxxxxxxx
[Backported to Debian's 2.6.32 by dann frazier <dannf@xxxxxxxxxx>]
Signed-off-by: Ben Hutchings <ben@xxxxxxxxxxxxxxx>
Signed-off-by: Stefan Bader <stefan.bader@xxxxxxxxxxxxx>
---
drivers/gpu/drm/i915/i915_gem.c | 16 ++++------------
1 files changed, 4 insertions(+), 12 deletions(-)
diff --git a/drivers/gpu/drm/i915/i915_gem.c b/drivers/gpu/drm/i915/i915_gem.c
index 366abe3..a34fd44 100644
--- a/drivers/gpu/drm/i915/i915_gem.c
+++ b/drivers/gpu/drm/i915/i915_gem.c
@@ -482,12 +482,8 @@ i915_gem_pread_ioctl(struct drm_device *dev, void *data,
return -EBADF;
obj_priv = obj->driver_private;
- /* Bounds check source.
- *
- * XXX: This could use review for overflow issues...
- */
- if (args->offset > obj->size || args->size > obj->size ||
- args->offset + args->size > obj->size) {
+ /* Bounds check source. */
+ if (args->offset > obj->size || args->size > obj->size - args->offset) {
ret = -EINVAL;
goto err;
}
@@ -960,12 +956,8 @@ i915_gem_pwrite_ioctl(struct drm_device *dev, void *data,
return -EBADF;
obj_priv = obj->driver_private;
- /* Bounds check destination.
- *
- * XXX: This could use review for overflow issues...
- */
- if (args->offset > obj->size || args->size > obj->size ||
- args->offset + args->size > obj->size) {
+ /* Bounds check destination. */
+ if (args->offset > obj->size || args->size > obj->size - args->offset) {
ret = -EINVAL;
goto err;
}
--
1.7.0.4
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/