
drm/xe: Validate user fence during creation

Fail invalid addresses during user fence creation.

Fixes: dd08ebf6c352 ("drm/xe: Introduce a new DRM driver for Intel GPUs")
Signed-off-by: Matthew Brost <matthew.brost@intel.com>
Reviewed-by: Thomas Hellström <thomas.hellstrom@linux.intel.com>
Reviewed-by: Nirmoy Das <nirmoy.das@intel.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20240717140429.1396820-1-matthew.brost@intel.com

+8 -4
+8 -4
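--- a/drivers/gpu/drm/xe/xe_sync.c
+++ b/drivers/gpu/drm/xe/xe_sync.c
@@ -53,14 +53,18 @@
 u64 value)
 {
 struct xe_user_fence *ufence;
+u64 __user *ptr = u64_to_user_ptr(addr);
+
+if (!access_ok(ptr, sizeof(ptr)))
+return ERR_PTR(-EFAULT);
 
 ufence = kmalloc(sizeof(*ufence), GFP_KERNEL);
 if (!ufence)
-return NULL;
+return ERR_PTR(-ENOMEM);
 
 ufence->xe = xe;
 kref_init(&ufence->refcount);
-ufence->addr = u64_to_user_ptr(addr);
+ufence->addr = ptr;
 ufence->value = value;
 ufence->mm = current->mm;
 mmgrab(ufence->mm);
@@ -183,8 +187,8 @@
 } else {
 sync->ufence = user_fence_create(xe, sync_in.addr,
 sync_in.timeline_value);
-if (XE_IOCTL_DBG(xe, !sync->ufence))
-return -ENOMEM;
+if (XE_IOCTL_DBG(xe, IS_ERR(sync->ufence)))
+return PTR_ERR(sync->ufence);
 }
 
 break;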
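Review bot: The added range check in the first hunk passes `sizeof(ptr)`, the size of the pointer variable, where the size of the u64 it points to is what the check should cover; `if (!access_ok(ptr, sizeof(*ptr)))` states that directly. Where pointers are 8 bytes the two values coincide, but on a build with 4-byte pointers the check would validate only half of the fence value. access_ok() only confirms that the range lies in the user address space, not that it is mapped or writable, so the later write to `ufence->addr` (outside this hunk) presumably still has to handle a fault on its own. The function's signature and the rest of its body are outside the hunk, so any other caller still testing the result against NULL would need the same `IS_ERR()` conversion as the one shown in the second hunk.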