projects / GitHub / exynos8895 / android_kernel_samsung_universal8895.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: ce9d419)
drm/i915: Rephrase pwrite bounds checking to avoid any potential overflow
authorChris Wilson <chris@chris-wilson.co.uk>
Sun, 26 Sep 2010 19:21:44 +0000 (20:21 +0100)
committerChris Wilson <chris@chris-wilson.co.uk>
Sun, 3 Oct 2010 13:16:18 +0000 (14:16 +0100)
... and do the same for pread.

Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
Cc: stable@kernel.org
drivers/gpu/drm/i915/i915_gem.c patch | blob | blame | history

diff --git a/drivers/gpu/drm/i915/i915_gem.c b/drivers/gpu/drm/i915/i915_gem.c
index 7749e78a7300d9bebdd0f36a6ae7fbb4d97e6db0..aa959c4a1836238354d7674cdaa52b3a195013d5 100644 (file)
--- a/drivers/gpu/drm/i915/i915_gem.c
+++ b/drivers/gpu/drm/i915/i915_gem.c
@@ -471,12 +471,8 @@ i915_gem_pread_ioctl(struct drm_device *dev, void *data,
                return -ENOENT;
        obj_priv = to_intel_bo(obj);
 
-       /* Bounds check source.
-        *
-        * XXX: This could use review for overflow issues...
-        */
-       if (args->offset > obj->size || args->size > obj->size ||
-           args->offset + args->size > obj->size) {
+       /* Bounds check source.  */
+       if (args->offset > obj->size || args->size > obj->size - args->offset) {
                ret = -EINVAL;
                goto err;
        }
@@ -939,12 +935,8 @@ i915_gem_pwrite_ioctl(struct drm_device *dev, void *data,
                return -ENOENT;
        obj_priv = to_intel_bo(obj);
 
-       /* Bounds check destination.
-        *
-        * XXX: This could use review for overflow issues...
-        */
-       if (args->offset > obj->size || args->size > obj->size ||
-           args->offset + args->size > obj->size) {
+       /* Bounds check destination. */
+       if (args->offset > obj->size || args->size > obj->size - args->offset) {
                ret = -EINVAL;
                goto err;
        }