From: Dan Carpenter <dan.carpenter@oracle.com>
Date: Tue, 16 Jun 2015 10:49:32 +0000 (+0300)
Subject: drm/amdkfd: fix some range checks in address watch ioctl
X-Git-Tag: Ubuntu-snapdragon-4.4.0-1029.32~6297^2~15^2
X-Git-Url: https://git.proxmox.com/?a=commitdiff_plain;h=7861c7a4ca5c637f3cad1e343602a15e857140fd;p=mirror_ubuntu-zesty-kernel.git

drm/amdkfd: fix some range checks in address watch ioctl

buf_size_in_bytes must be large enough to hold ->num_watch_points and
watch_mode so I have added a sizeof(int) * 2 to the minimum size.

Also we have to subtract sizeof(*args) from the max args_idx limit so
that it matches the allocation.  Also I changed a > to >= for the last
compare.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Oded Gabbay <oded.gabbay@gmail.com>
---

diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_chardev.c b/drivers/gpu/drm/amd/amdkfd/kfd_chardev.c
index 96c904b3acb7..c991973019d0 100644
--- a/drivers/gpu/drm/amd/amdkfd/kfd_chardev.c
+++ b/drivers/gpu/drm/amd/amdkfd/kfd_chardev.c
@@ -553,7 +553,7 @@ static int kfd_ioctl_dbg_address_watch(struct file *filep,
 	/* Validate arguments */
 
 	if ((args->buf_size_in_bytes > MAX_ALLOWED_AW_BUFF_SIZE) ||
-		(args->buf_size_in_bytes <= sizeof(*args)) ||
+		(args->buf_size_in_bytes <= sizeof(*args) + sizeof(int) * 2) ||
 		(cmd_from_user == NULL))
 		return -EINVAL;
 
@@ -590,7 +590,7 @@ static int kfd_ioctl_dbg_address_watch(struct file *filep,
 	/* skip over the addresses buffer */
 	args_idx += sizeof(aw_info.watch_address) * aw_info.num_watch_points;
 
-	if (args_idx >= args->buf_size_in_bytes) {
+	if (args_idx >= args->buf_size_in_bytes - sizeof(*args)) {
 		kfree(args_buff);
 		return -EINVAL;
 	}
@@ -614,7 +614,7 @@ static int kfd_ioctl_dbg_address_watch(struct file *filep,
 		args_idx += sizeof(aw_info.watch_mask);
 	}
 
-	if (args_idx > args->buf_size_in_bytes) {
+	if (args_idx >= args->buf_size_in_bytes - sizeof(args)) {
 		kfree(args_buff);
 		return -EINVAL;
 	}