msm: kgsl: Fix out of bound write in adreno_profile_submit_time (39ec1c1e) · Commits · e / devices / android_kernel_oneplus_sm7250

drivers/gpu/msm/kgsl_drawobj.c

+11 −24

Original line number	Diff line number	Diff line
		// SPDX-License-Identifier: GPL-2.0-only
		/*
		* Copyright (c) 2016-2020, The Linux Foundation. All rights reserved.
		* Copyright (c) 2016-2021, The Linux Foundation. All rights reserved.
		*/

		/*
		@@ -558,6 +558,7 @@ static void add_profiling_buffer(struct kgsl_device *device,
		{
		struct kgsl_mem_entry *entry;
		struct kgsl_drawobj *drawobj = DRAWOBJ(cmdobj);
		u64 start;

		if (!(drawobj->flags & KGSL_DRAWOBJ_PROFILING))
		return;
		@@ -574,7 +575,14 @@ static void add_profiling_buffer(struct kgsl_device *device,
		gpuaddr);

		if (entry != NULL) {
		if (!kgsl_gpuaddr_in_memdesc(&entry->memdesc, gpuaddr, size)) {
		start = id ? (entry->memdesc.gpuaddr + offset) : gpuaddr;
		/*
		* Make sure there is enough room in the object to store the
		* entire profiling buffer object
		*/
		if (!kgsl_gpuaddr_in_memdesc(&entry->memdesc, gpuaddr, size) \|\|
		!kgsl_gpuaddr_in_memdesc(&entry->memdesc, start,
		sizeof(struct kgsl_drawobj_profiling_buffer))) {
		kgsl_mem_entry_put(entry);
		entry = NULL;
		}
		@@ -587,28 +595,7 @@ static void add_profiling_buffer(struct kgsl_device *device,
		return;
		}


		if (!id) {
		cmdobj->profiling_buffer_gpuaddr = gpuaddr;
		} else {
		u64 off = offset + sizeof(struct kgsl_drawobj_profiling_buffer);

		/*
		* Make sure there is enough room in the object to store the
		* entire profiling buffer object
		*/
		if (off < offset \|\| off >= entry->memdesc.size) {
		dev_err(device->dev,
		"ignore invalid profile offset ctxt %d id %d offset %lld gpuaddr %llx size %lld\n",
		drawobj->context->id, id, offset, gpuaddr, size);
		kgsl_mem_entry_put(entry);
		return;
		}

		cmdobj->profiling_buffer_gpuaddr =
		entry->memdesc.gpuaddr + offset;
		}

		cmdobj->profiling_buffer_gpuaddr = start;
		cmdobj->profiling_buf_entry = entry;
		}