projects / firefly-linux-kernel-4.4.55.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
drm/amdgpu: info leak in amdgpu_gem_metadata_ioctl()
[firefly-linux-kernel-4.4.55.git] / drivers / gpu / drm / amd / amdgpu / amdgpu_gem.c
diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c
index 2f39fea10bd1f881a8b8c6ee167405dc6c1fdb8e..b82fab2cc888b97d87785ae03b4cc5a94710a32e 100644 (file)
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c
@@ -427,6 +427,10 @@ int amdgpu_gem_metadata_ioctl(struct drm_device *dev, void *data,
                                           &args->data.data_size_bytes,
                                           &args->data.flags);
        } else if (args->op == AMDGPU_GEM_METADATA_OP_SET_METADATA) {
+               if (args->data.data_size_bytes > sizeof(args->data.data)) {
+                       r = -EINVAL;
+                       goto unreserve;
+               }
                r = amdgpu_bo_set_tiling_flags(robj, args->data.tiling_info);
                if (!r)
                        r = amdgpu_bo_set_metadata(robj, args->data.data,
@@ -434,6 +438,7 @@ int amdgpu_gem_metadata_ioctl(struct drm_device *dev, void *data,
                                                   args->data.flags);
        }
 
+unreserve:
        amdgpu_bo_unreserve(robj);
 out:
        drm_gem_object_unreference_unlocked(gobj);
Unnamed repository; edit this file 'description' to name the repository.