drm/msm: Fix missing VM_BIND offset/range validation
authorRob Clark <robin.clark@oss.qualcomm.com>
Thu, 21 Aug 2025 00:04:26 +0000 (17:04 -0700)
committerRob Clark <robin.clark@oss.qualcomm.com>
Sat, 6 Sep 2025 15:58:11 +0000 (08:58 -0700)
We need to reject the MAP op if offset+range is larger than the BO size.

Reported-by: Connor Abbott <cwabbott0@gmail.com>
Fixes: 2e6a8a1fe2b2 ("drm/msm: Add VM_BIND ioctl")
Signed-off-by: Rob Clark <robin.clark@oss.qualcomm.com>
Tested-by: Connor Abbott <cwabbott0@gmail.com>
Patchwork: https://patchwork.freedesktop.org/patch/669781/

drivers/gpu/drm/msm/msm_gem_vma.c

index 209154be5efcc00b6f69bf199810305d8d037dc0..381a0853c05ba3fc86f1589478578db702d6fa69 100644 (file)
@@ -1080,6 +1080,12 @@ vm_bind_job_lookup_ops(struct msm_vm_bind_job *job, struct drm_msm_vm_bind *args
 
                op->obj = obj;
                cnt++;
+
+               if ((op->range + op->obj_offset) > obj->size) {
+                       ret = UERR(EINVAL, dev, "invalid range: %016llx + %016llx > %016zx\n",
+                                  op->range, op->obj_offset, obj->size);
+                       goto out_unlock;
+               }
        }
 
        *nr_bos = cnt;
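Review bot: The added bound check `(op->range + op->obj_offset) > obj->size` can wrap around. Both operands are printed with `%016llx`, so they appear to be 64-bit values, and if they reach this point straight from the ioctl arguments, a sum that overflows wraps to a small number and passes the test. Unless validation outside this hunk already bounds them, compare without adding, e.g. `if (op->obj_offset > obj->size || op->range > obj->size - op->obj_offset) {`, or use `check_add_overflow()` and reject on overflow. vm_bind_job_lookup_ops starts and ends outside the hunk, so whether the `out_unlock` path releases the object already counted in `cnt` cannot be confirmed from here.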