Commit cbd75e97 authored by Thomas Hellstrom's avatar Thomas Hellstrom

drm/vmwgfx: Make sure user-space can't DMA across buffer object boundaries v2


We already check that the buffer object we're accessing is registered with
the file. Now also make sure that we can't DMA across buffer object boundaries.

v2: Code commenting update.

Cc: stable@vger.kernel.org
Signed-off-by: Thomas Hellstrom <thellstrom@vmware.com>
Reviewed-by: Jakob Bornecrantz <jakob@vmware.com>
parent abaafc0a
...@@ -1214,14 +1214,36 @@ static int vmw_cmd_dma(struct vmw_private *dev_priv, ...@@ -1214,14 +1214,36 @@ static int vmw_cmd_dma(struct vmw_private *dev_priv,
SVGA3dCmdSurfaceDMA dma; SVGA3dCmdSurfaceDMA dma;
} *cmd; } *cmd;
int ret; int ret;
SVGA3dCmdSurfaceDMASuffix *suffix;
uint32_t bo_size;
cmd = container_of(header, struct vmw_dma_cmd, header); cmd = container_of(header, struct vmw_dma_cmd, header);
suffix = (SVGA3dCmdSurfaceDMASuffix *)((unsigned long) &cmd->dma +
header->size - sizeof(*suffix));
/* Make sure device and verifier stays in sync. */
if (unlikely(suffix->suffixSize != sizeof(*suffix))) {
DRM_ERROR("Invalid DMA suffix size.\n");
return -EINVAL;
}
ret = vmw_translate_guest_ptr(dev_priv, sw_context, ret = vmw_translate_guest_ptr(dev_priv, sw_context,
&cmd->dma.guest.ptr, &cmd->dma.guest.ptr,
&vmw_bo); &vmw_bo);
if (unlikely(ret != 0)) if (unlikely(ret != 0))
return ret; return ret;
/* Make sure DMA doesn't cross BO boundaries. */
bo_size = vmw_bo->base.num_pages * PAGE_SIZE;
if (unlikely(cmd->dma.guest.ptr.offset > bo_size)) {
DRM_ERROR("Invalid DMA offset.\n");
return -EINVAL;
}
bo_size -= cmd->dma.guest.ptr.offset;
if (unlikely(suffix->maximumOffset > bo_size))
suffix->maximumOffset = bo_size;
ret = vmw_cmd_res_check(dev_priv, sw_context, vmw_res_surface, ret = vmw_cmd_res_check(dev_priv, sw_context, vmw_res_surface,
user_surface_converter, &cmd->dma.host.sid, user_surface_converter, &cmd->dma.host.sid,
NULL); NULL);
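Review bot: The `suffix` pointer is formed from `header->size - sizeof(*suffix)` and dereferenced in the `suffixSize` check with no lower bound on `header->size` visible in this hunk. Unless the caller already guarantees that a DMA command is at least the fixed body plus the suffix, a short command would place `suffix` inside or before `cmd->dma`, and the later clamp would then write `maximumOffset` at that location; a guard such as `if (unlikely(header->size < sizeof(cmd->dma) + sizeof(*suffix))) return -EINVAL;` before the pointer is computed would rule that out. Separately, `bo_size` is a `uint32_t` holding `num_pages * PAGE_SIZE`, so the product is truncated for very large buffer objects; that appears to err towards a smaller bound, but a comment saying it is intentional would help. The body of vmw_cmd_dma starts and ends outside the hunk.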