Commit 9408c450 authored by Nirmoy Das's avatar Nirmoy Das
Browse files

drm/xe/ufence: Prefetch ufence addr to catch bogus address 

access_ok() only checks for addr overflow so also try to read the addr
to catch invalid addr sent from userspace.

Link: https://gitlab.freedesktop.org/drm/xe/kernel/-/issues/1630


Cc: Francois Dugast <francois.dugast@intel.com>
Cc: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
Cc: Matthew Auld <matthew.auld@intel.com>
Cc: Matthew Brost <matthew.brost@intel.com>
Reviewed-by: default avatarMatthew Brost <matthew.brost@intel.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20241016082304.66009-2-nirmoy.das@intel.com


Signed-off-by: default avatarNirmoy Das <nirmoy.das@intel.com>
parent a9fbeabe

drivers/gpu/drm/xe/xe_sync.c

+2 −1
Original line number Diff line number Diff line
@@ -54,8 +54,9 @@ static struct xe_user_fence *user_fence_create(struct xe_device *xe, u64 addr, 
{

	struct xe_user_fence *ufence;

	u64 __user *ptr = u64_to_user_ptr(addr);

	u64 __maybe_unused prefetch_val;



	if (!access_ok(ptr, sizeof(*ptr)))

	if (get_user(prefetch_val, ptr))

		return ERR_PTR(-EFAULT);



	ufence = kzalloc(sizeof(*ufence), GFP_KERNEL);