From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail.opensec.fr ([82.236.169.210]:35230 "EHLO mail.opensec.fr" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726991AbeICCTh (ORCPT ); Sun, 2 Sep 2018 22:19:37 -0400 MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII; format=flowed Content-Transfer-Encoding: 7bit Date: Sun, 02 Sep 2018 23:55:52 +0200 From: Loic To: stable@vger.kernel.org Cc: matthew.auld@intel.com Subject: [PATCH] drm/i915/userptr: reject zero user_size Message-ID: <96064ba53fbbc69be28c7e7116eaa398@opensec.fr> Sender: stable-owner@vger.kernel.org List-ID: Hello, Tested without any problem so please picked up this. From: Matthew Auld [ Upstream commit c11c7bfd213495784b22ef82a69b6489f8d0092f ] Operating on a zero sized GEM userptr object will lead to explosions. Fixes: 5cc9ed4b9a7a ("drm/i915: Introduce mapping of user pages into video memory (userptr) ioctl") Testcase: igt/gem_userptr_blits/input-checking Signed-off-by: Matthew Auld Cc: Chris Wilson Reviewed-by: Chris Wilson Signed-off-by: Chris Wilson Link: https://patchwork.freedesktop.org/patch/msgid/20180502195021.30900-1-matthew.auld@intel.com --- drivers/gpu/drm/i915/i915_gem_userptr.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/gpu/drm/i915/i915_gem_userptr.c b/drivers/gpu/drm/i915/i915_gem_userptr.c index d596a8302ca3c..854bd51b9478a 100644 --- a/drivers/gpu/drm/i915/i915_gem_userptr.c +++ b/drivers/gpu/drm/i915/i915_gem_userptr.c @@ -778,6 +778,9 @@ i915_gem_userptr_ioctl(struct drm_device *dev, I915_USERPTR_UNSYNCHRONIZED)) return -EINVAL; + if (!args->user_size) + return -EINVAL; + if (offset_in_page(args->user_ptr | args->user_size)) return -EINVAL; -- 2.17.1