author | Peter Daifuku <pdaifuku@nvidia.com> | 2017-05-23 13:32:33 -0400 |
---|---|---|
committer | mobile promotions <svcmobile_promotions@nvidia.com> | 2017-07-28 00:41:21 -0400 |
commit | 02acac71b3def0f9a9c63eb7ca2e49e57c46e64d (patch) | |
tree | a236f428770d2a1cf62d33cc56be78b8568b92b7 | |
parent | f391f53c089ec12fcc501c491430380b668e3cbf (diff) |
gpu: nvgpu: avoid possible ovrflw in dmabuf check
In gk20a_vm_map_buffer, when checking dmabuf size, avoid possible
overflow of buffer offset + buffer size
Bug 1793926
Change-Id: Iaa85bbd2942546015a233f34388309c6ba01412c
Signed-off-by: Peter Daifuku <pdaifuku@nvidia.com>
Reviewed-on: http://git-master/r/1488051
(cherry picked from commit 62346ede6c0863d36dc5d91527647130a13eff53)
Reviewed-on: http://git-master/r/1501696
(cherry picked from commit 745c273ac80fad14f019b7c59bb797c4e22f4781)
Reviewed-on: https://git-master.nvidia.com/r/1528182
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Reviewed-by: Alex Waterman <alexw@nvidia.com>
Reviewed-by: Vladislav Buzov <vbuzov@nvidia.com>
Reviewed-by: Terje Bergstrom <tbergstrom@nvidia.com>
-rw-r--r-- | drivers/gpu/nvgpu/gk20a/mm_gk20a.c | 10 |
1 files changed, 9 insertions, 1 deletions
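--- a/drivers/gpu/nvgpu/gk20a/mm_gk20a.c
+++ b/drivers/gpu/nvgpu/gk20a/mm_gk20a.c
@@ -1997,7 +1997,15 @@ int nvgpu_vm_map_buffer(struct vm_gk20a *vm,
 return PTR_ERR(dmabuf);
 }
 
-if (dmabuf->size < (buffer_offset + mapping_size)) {
+/* verify that we're not overflowing the buffer, i.e.
+* (buffer_offset + mapping_size)> dmabuf->size.
+*
+* Since buffer_offset + mapping_size could overflow, first check
+* that mapping size < dmabuf_size, at which point we can subtract
+* mapping_size from both sides for the final comparison.
+*/
+if ((mapping_size > dmabuf->size) ||
+(buffer_offset > (dmabuf->size - mapping_size))) {
 nvgpu_err(gk20a_from_vm(vm),
 "buf size %llx < (offset(%llx) + map_size(%llx))\n",
 (u64)dmabuf->size, buffer_offset, mapping_size);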
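Review bot: The new comment above the size check does not match the condition it documents: after "i.e." it states the failing case `(buffer_offset + mapping_size)> dmabuf->size` as if it were the property being verified, and it says the first test establishes `mapping size < dmabuf_size` although the code accepts equality and the field is `dmabuf->size`. Because that first test is what keeps `dmabuf->size - mapping_size` from wrapping, the comment should state the invariant exactly, for example `/* Require buffer_offset + mapping_size <= dmabuf->size. The sum can wrap, so check mapping_size <= dmabuf->size first; the subtraction then cannot underflow. */`. nvgpu_vm_map_buffer continues outside the hunk, so it is not visible whether a zero `mapping_size` is later given a different meaning (such as mapping the whole buffer); if it is, `buffer_offset` would need its own bound for that case, since this check then only limits it to `dmabuf->size`.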