author | Andrew Evans <andrewevans@google.com> | 2023-10-02 13:27:49 -0700 |
---|---|---|
committer | Android Build Coastguard Worker <android-build-coastguard-worker@google.com> | 2023-10-05 19:49:23 +0000 |
commit | c40b78b8e7a0cc71c1cd04400955539358e5c50b (patch) | |
tree | 589c2350ec346e54aabda8458f257b8e2b8f03d7 | |
parent | 967881a258a5dccb137b209f204fe5709092dea0 (diff) | |
download | graphics-c40b78b8e7a0cc71c1cd04400955539358e5c50b.tar.gz |
Merge KGSL security fixes into android13-msm-pixelwatch-5.15
msm: kgsl: Limit the syncpoint count for AUX commands
msm: kgsl: Prevent wrap around during user address mapping
Bug: 299649795
Bug: 300941008
Signed-off-by: Andrew Evans <andrewevans@google.com>
(cherry picked from https://partner-android-review.googlesource.com/q/commit:abecb8dd35388c365dfa69617949ffb0997b25e6)
Merged-In: I01a27482be96fa5c68b593fbd84f9189834afb96
Change-Id: I01a27482be96fa5c68b593fbd84f9189834afb96
-rw-r--r-- | kgsl.c | 4 | ||||
-rw-r--r-- | kgsl_iommu.c | 14 |
2 files changed, 14 insertions, 4 deletions
@@ -2304,6 +2304,10 @@ long kgsl_ioctl_gpu_aux_command(struct kgsl_device_private *dev_priv, (KGSL_GPU_AUX_COMMAND_BIND | KGSL_GPU_AUX_COMMAND_TIMELINE))) return -EINVAL; + if ((param->flags & KGSL_GPU_AUX_COMMAND_SYNC) && + (param->numsyncs > KGSL_MAX_SYNCPOINTS)) + return -EINVAL; + context = kgsl_context_get_owner(dev_priv, param->context_id); if (!context) return -EINVAL; diff --git a/kgsl_iommu.c b/kgsl_iommu.c index 23fee14..7dc6c04 100644 --- a/kgsl_iommu.c +++ b/kgsl_iommu.c @@ -1971,14 +1971,20 @@ static uint64_t kgsl_iommu_find_svm_region(struct kgsl_pagetable *pagetable, static bool iommu_addr_in_svm_ranges(struct kgsl_pagetable *pagetable, u64 gpuaddr, u64 size) { + u64 end = gpuaddr + size; + + /* Make sure size is not zero and we don't wrap around */ + if (end <= gpuaddr) + return false; + if ((gpuaddr >= pagetable->compat_va_start && gpuaddr < pagetable->compat_va_end) && - ((gpuaddr + size) > pagetable->compat_va_start && - (gpuaddr + size) <= pagetable->compat_va_end)) + (end > pagetable->compat_va_start && + end <= pagetable->compat_va_end)) return true; if ((gpuaddr >= pagetable->svm_start && gpuaddr < pagetable->svm_end) && - ((gpuaddr + size) > pagetable->svm_start && - (gpuaddr + size) <= pagetable->svm_end)) + (end > pagetable->svm_start && + end <= pagetable->svm_end)) return true; return false; |
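Review bot: The new cap on `param->numsyncs` in `kgsl_ioctl_gpu_aux_command()` applies only when `KGSL_GPU_AUX_COMMAND_SYNC` is set, so confirm that no later path in this ioctl reads `numsyncs` when the flag is clear; that code is outside the hunk, which starts and ends inside the function body. A short comment above the check would record why it exists, for example `/* numsyncs is supplied by userspace; reject counts above KGSL_MAX_SYNCPOINTS */`. Placing the check before `kgsl_context_get_owner()` looks right, since that call presumably takes a context reference that an early return after it would have to drop.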
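Review bot: In `iommu_addr_in_svm_ranges()` the added `if (end <= gpuaddr)` guard also rejects `size == 0`, whereas the old expression accepted a zero-length range whose address lay strictly inside either window. Callers are outside this hunk, so any that can pass a zero size now take the `false` path; the comment suggests this is intended, but it should be checked against them. For the wrap-around itself, `check_add_overflow(gpuaddr, size, &end)` from `<linux/overflow.h>` would state the intent more directly than comparing the sum with `gpuaddr`, with the zero-size test kept as its own condition. The function's closing brace lies outside the hunk.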