From: Takashi Iwai <tiwai@suse.de>
Subject: drm/i915: Add missing access_ok() checks
Patch-mainline: Never, SLE15 only
References: CVE-2018-20669, bsc#1122971

This is a partial backport of the upstream commit 594cc251fdd0
("make 'user_access_begin()' do 'access_ok()'").

Essentially we add the missing access_ok() checks to the two known
places in drm/i915 that were reported in the CVE above.

Signed-off-by: Takashi Iwai <tiwai@suse.de>

---
 drivers/gpu/drm/i915/i915_gem_execbuffer.c |   13 +++++++++++++
 1 file changed, 13 insertions(+)

--- a/drivers/gpu/drm/i915/i915_gem_execbuffer.c
+++ b/drivers/gpu/drm/i915/i915_gem_execbuffer.c
@@ -1567,6 +1567,8 @@ static int eb_copy_relocations(const str
 		 * happened we would make the mistake of assuming that the
 		 * relocations were valid.
 		 */
+		if (unlikely(!access_ok(VERIFY_WRITE, urelocs, size)))
+			goto end_user;
 		user_access_begin();
 		for (copied = 0; copied < nreloc; copied++)
 			unsafe_put_user(-1,
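Review bot: the new "goto end_user" in eb_copy_relocations() is taken before user_access_begin(), so the failure path reaches the end_user label without user access having been opened. The label itself is outside this hunk; if it runs user_access_end(), that call is unpaired on this path. Consider jumping to a label placed after the user_access_end() call, or say in the comment why the unpaired call is acceptable. Separately, the check covers "size" bytes while the loop writes "nreloc" entries; a short comment stating that size spans all nreloc entries would make the checked range easy to verify.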
@@ -2621,6 +2623,17 @@ i915_gem_execbuffer2(struct drm_device *
 		unsigned int i;
 
 		/* Copy the new buffer offsets back to the user's exec list. */
+		/*
+		 * Note: count * sizeof(*user_exec_list) does not overflow,
+		 * because we checked 'count' in check_buffer_count().
+		 *
+		 * And this range already got effectively checked earlier
+		 * when we did the "copy_from_user()" above.
+		 */
+		if (unlikely(!access_ok(VERIFY_WRITE, user_exec_list,
+					count * sizeof(*user_exec_list))))
+			goto end_user;
+
 		user_access_begin();
 		for (i = 0; i < args->buffer_count; i++) {
 			if (!(exec2_list[i].offset & UPDATE))
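Review bot: the access_ok() range in i915_gem_execbuffer2() is computed from "count", but the loop that follows is bounded by "args->buffer_count". The added comment explains why the multiplication cannot overflow, not that the two values are equal; either state that in the comment or use the same expression for the check and the loop bound, so the checked range visibly matches the range written. As in the first hunk, "goto end_user" is taken before user_access_begin(), so confirm the label is safe to reach on that path.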