On Thu, Jun 11, 2020 at 09:37:42AM +0800, Miles Chen wrote:
@@ -2601,7 +2603,17 @@ i915_gem_execbuffer2_ioctl(struct drm_device *dev, void *data, unsigned int i; /* Copy the new buffer offsets back to the user's exec list. */
user_access_begin();
/*
* Note: count * sizeof(*user_exec_list) does not overflow,
* because we checked 'count' in check_buffer_count().
*
* And this range already got effectively checked earlier
* when we did the "copy_from_user()" above.
*/
if (!user_access_begin(VERIFY_WRITE, user_exec_list,
count * sizeof(*user_exec_list)))
goto end_user;
- for (i = 0; i < args->buffer_count; i++) { if (!(exec2_list[i].offset & UPDATE)) continue;
No one seems to have test-built this code, it fails here on the 4.14.y kernel :(
I'll go fix it up, but please, always at the very least, test build your patches before sending them out...
thanks,
greg k-h