
Commit 32388a27 authored by Rajesh Kemisetti, committed by Archana Sriram

msm: kgsl: Add missing check for snapshot IB dump



During ringbuffer parsing, the same IB can exist multiple times
but size validation happens only the first time.
This leads to out-of-bounds access if the subsequent sizes are
greater than the allocated size.

Add a check to make sure that the requested size is within the
allocated range.

Change-Id: Ie5d3c02c1669de2e6188821399e985f0991aa57c
Signed-off-by: Rajesh Kemisetti <rajeshk@codeaurora.org>
Signed-off-by: Archana Sriram <apsrir@codeaurora.org>
parent 0ced5701
+13 −0
@@ -58,6 +58,19 @@ void kgsl_snapshot_push_object(struct kgsl_device *device,
	for (index = 0; index < objbufptr; index++) {
		if (objbuf[index].gpuaddr == gpuaddr &&
			objbuf[index].entry->priv == process) {
			/*
			 * Check if newly requested size is within the
			 * allocated range or not, otherwise continue
			 * with previous size.
			 */
			if (!kgsl_gpuaddr_in_memdesc(
				&objbuf[index].entry->memdesc,
				gpuaddr, dwords << 2)) {
				dev_err(device->dev,
					"snapshot: gpuaddr 0x%016llX size is less than requested\n",
					gpuaddr);
				return;
			}

			objbuf[index].size = max_t(uint64_t,
						objbuf[index].size,
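Review bot: The size passed to kgsl_gpuaddr_in_memdesc() is computed as `dwords << 2` with no widening cast, and the type of dwords is not visible in this hunk. If it is a 32-bit type, the shift can wrap before the range check sees it, so a very large dword count could be validated as a small size. The max_t(uint64_t, ...) that follows already treats the size as 64-bit, so computing the byte size once as a uint64_t (for example `(uint64_t)dwords << 2`) and using that same value in both the check and the max_t would keep the two consistent. Two smaller points on the same block: the dev_err() text says "size is less than requested" but logs only gpuaddr, so including the requested byte size would make the message usable for triage; and the comment says "otherwise continue with previous size" while the code does a bare `return;`, so it is worth stating in the comment that the existing entry is left untouched and the function exits, and considering dev_err_ratelimited() since this path is driven by ringbuffer contents and can repeat for the same IB.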