diff options
| author | Kamal Agrawal <kamaagra@codeaurora.org> | 2021-09-13 15:59:25 +0530 |
|---|---|---|
| committer | Rajesh Kemisetti <rajeshk@codeaurora.org> | 2021-09-29 12:17:49 +0530 |
| commit | 49068436dc0b152c256677ce9ea635e5ef8a5ea8 (patch) | |
| tree | 4697ae135f108d66ab7ada86a3af7a7e98cbf4e4 | |
| parent | 0e53eed15ab18553324a86339c81708ece464eb3 (diff) | |
msm: kgsl: Fix out of bound write in adreno_profile_submit_time
Make sure there is enough room in the memory descriptor to store the
entire profiling buffer object.
Change-Id: I1e1c73097bb2bba9645b0a3c66fdbbc71d8ba8fa
Signed-off-by: Kamal Agrawal <kamaagra@codeaurora.org>
| -rw-r--r-- | drivers/gpu/msm/kgsl_drawobj.c | 35 |
1 files changed, 11 insertions, 24 deletions
diff --git a/drivers/gpu/msm/kgsl_drawobj.c b/drivers/gpu/msm/kgsl_drawobj.c index 9ba15b61af00..bc11111bb74f 100644 --- a/drivers/gpu/msm/kgsl_drawobj.c +++ b/drivers/gpu/msm/kgsl_drawobj.c @@ -1,4 +1,4 @@ -/* Copyright (c) 2016-2017,2019, The Linux Foundation. All rights reserved. +/* Copyright (c) 2016-2017,2019,2021, The Linux Foundation. All rights reserved. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 and @@ -585,6 +585,7 @@ static void add_profiling_buffer(struct kgsl_device *device, { struct kgsl_mem_entry *entry; struct kgsl_drawobj *drawobj = DRAWOBJ(cmdobj); + u64 start; if (!(drawobj->flags & KGSL_DRAWOBJ_PROFILING)) return; @@ -601,7 +602,14 @@ static void add_profiling_buffer(struct kgsl_device *device, gpuaddr); if (entry != NULL) { - if (!kgsl_gpuaddr_in_memdesc(&entry->memdesc, gpuaddr, size)) { + start = id ? (entry->memdesc.gpuaddr + offset) : gpuaddr; + /* + * Make sure there is enough room in the object to store the + * entire profiling buffer object + */ + if (!kgsl_gpuaddr_in_memdesc(&entry->memdesc, gpuaddr, size) || + !kgsl_gpuaddr_in_memdesc(&entry->memdesc, start, + sizeof(struct kgsl_drawobj_profiling_buffer))) { kgsl_mem_entry_put(entry); entry = NULL; } @@ -614,28 +622,7 @@ static void add_profiling_buffer(struct kgsl_device *device, return; } - - if (!id) { - cmdobj->profiling_buffer_gpuaddr = gpuaddr; - } else { - u64 off = offset + sizeof(struct kgsl_drawobj_profiling_buffer); - - /* - * Make sure there is enough room in the object to store the - * entire profiling buffer object - */ - if (off < offset || off >= entry->memdesc.size) { - dev_err(device->dev, - "ignore invalid profile offset ctxt %d id %d offset %lld gpuaddr %llx size %lld\n", - drawobj->context->id, id, offset, gpuaddr, size); - kgsl_mem_entry_put(entry); - return; - } - - cmdobj->profiling_buffer_gpuaddr = - entry->memdesc.gpuaddr + offset; - } - + cmdobj->profiling_buffer_gpuaddr = start; cmdobj->profiling_buf_entry = entry; } |