msm: kgsl: Verify the offset of the profiling buffer

If a command is using a profiling buffer, make sure that the offset is within the bounds of the specified memory descriptor. Change-Id: Ic0dedbadc77e8eccd957136467bd0c56a1af2dab Signed-off-by: Jordan Crouse <jcrouse@codeaurora.org>
author: Jordan Crouse <jcrouse@codeaurora.org> 2019-09-09 10:41:36 -0600
committer: Gerrit - the friendly Code Review server <code-review@localhost> 2019-09-17 02:17:16 -0700
commit: 377294f396ea671c2da183da455daa512d968552 (patch)
tree: 638bb1f7d50b8a70b62ed1f7dbbea1547d60f026
parent: 6e94fb15c868d3599ea8cad7f0aa81786b79baaf (diff)
1 files changed, 20 insertions, 4 deletions
diff --git a/drivers/gpu/msm/kgsl_drawobj.c b/drivers/gpu/msm/kgsl_drawobj.c
index 4e3788b4fed6..9ba15b61af00 100644
--- a/drivers/gpu/msm/kgsl_drawobj.c
+++ b/drivers/gpu/msm/kgsl_drawobj.c
@@ -614,13 +614,29 @@ static void add_profiling_buffer(struct kgsl_device *device,
 		return;
 	}
 
-	cmdobj->profiling_buf_entry = entry;
 
-	if (id != 0)
+	if (!id) {
+		cmdobj->profiling_buffer_gpuaddr = gpuaddr;
+	} else {
+		u64 off = offset + sizeof(struct kgsl_drawobj_profiling_buffer);
+
+		/*
+		 * Make sure there is enough room in the object to store the
+		 * entire profiling buffer object
+		 */
+		if (off < offset || off >= entry->memdesc.size) {
+			dev_err(device->dev,
+				"ignore invalid profile offset ctxt %d id %d offset %lld gpuaddr %llx size %lld\n",
+			drawobj->context->id, id, offset, gpuaddr, size);
+			kgsl_mem_entry_put(entry);
+			return;
+		}
+
 		cmdobj->profiling_buffer_gpuaddr =
 			entry->memdesc.gpuaddr + offset;
-	else
-		cmdobj->profiling_buffer_gpuaddr = gpuaddr;
+	}
+
+	cmdobj->profiling_buf_entry = entry;
 }
 
 /**
author	Jordan Crouse <jcrouse@codeaurora.org>	2019-09-09 10:41:36 -0600
committer	Gerrit - the friendly Code Review server <code-review@localhost>	2019-09-17 02:17:16 -0700
commit	377294f396ea671c2da183da455daa512d968552 (patch)
tree	638bb1f7d50b8a70b62ed1f7dbbea1547d60f026
parent	6e94fb15c868d3599ea8cad7f0aa81786b79baaf (diff)