From 206d951aa1a257548c0f2c2ccbcc14e8dd839af2 Mon Sep 17 00:00:00 2001
From: Shridhar Rasal
Date: Mon, 9 Jan 2017 11:26:34 +0530
Subject: [PATCH] video: tegra: host: dla: check buffer count per task

To avoid possible buffer overflow, add check for max number of buffers count per task. Min buffer check count was already present.
Bug 1806862
CID 38902
Change-Id: I48ef974ed8cbc0972a758b79fc3c525aed2b8478
Signed-off-by: Shridhar Rasal
Reviewed-on: http://git-master/r/1281988
Reviewed-by: svccoveritychecker
GVS: Gerrit_Virtual_Submit
Reviewed-by: Prashant Gaikwad
---
 drivers/video/tegra/host/nvdla/nvdla.h | 5 +++++
 drivers/video/tegra/host/nvdla/nvdla_ioctl.c | 6 ++++--
 2 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/drivers/video/tegra/host/nvdla/nvdla.h b/drivers/video/tegra/host/nvdla/nvdla.h
index 9d178dd9..227ba6cf 100644
--- a/drivers/video/tegra/host/nvdla/nvdla.h
+++ b/drivers/video/tegra/host/nvdla/nvdla.h
@@ -48,6 +48,11 @@
 */
 #define MAX_NVDLA_TASK_COUNT 32
+
+/**
+ * Maximum number of buffers per task
+ */
+#define MAX_NVDLA_PIN_BUFFERS 64
 /**
 * Trace Buffer Size
 */
diff --git a/drivers/video/tegra/host/nvdla/nvdla_ioctl.c b/drivers/video/tegra/host/nvdla/nvdla_ioctl.c
index ba738b9c..cb30d644 100644
--- a/drivers/video/tegra/host/nvdla/nvdla_ioctl.c
+++ b/drivers/video/tegra/host/nvdla/nvdla_ioctl.c
@@ -108,7 +108,8 @@ static int nvdla_pin(struct nvdla_private *priv, void *arg)
 }
 count = buf_list->num_buffers;
- if (count == 0 || !buf_list->buffers) {
+ if (count == 0 || count > MAX_NVDLA_PIN_BUFFERS ||
+ !buf_list->buffers) {
 nvdla_dbg_err(pdev, "Inval cnt arg for pin\n");
 err = -EINVAL;
 goto fail_to_get_val_cnt;
@@ -150,7 +151,8 @@ static int nvdla_unpin(struct nvdla_private *priv, void *arg)
 }
 count = buf_list->num_buffers;
- if (count == 0 || !buf_list->buffers) {
+ if (count == 0 || count > MAX_NVDLA_PIN_BUFFERS ||
+ !buf_list->buffers) {
 nvdla_dbg_err(pdev, "Inval count argument for unpin\n");
 err = -EINVAL;
 goto fail_to_get_val_cnt;
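Review bot: The comment added above `MAX_NVDLA_PIN_BUFFERS` in nvdla.h does not say that the value is a bound on a caller-supplied count, so a later edit could raise it without checking the storage it protects. The commit message says the check exists to avoid a buffer overflow, which suggests that pin/unpin fill fixed-size storage, though that storage is not visible in this patch. I would reword the comment to `Maximum num_buffers accepted by the pin/unpin ioctls; must not exceed the size of the handle array those paths fill`. If that array is not already sized with this macro, it should be.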
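Review bot: The upper bound added in nvdla_pin is only effective if `count` is unsigned, and its declaration lies outside the hunk. If it is a signed `int`, a large `num_buffers` from the caller converts to a negative value that passes both `count == 0` and `count > MAX_NVDLA_PIN_BUFFERS` and reaches the code after the check. Confirm the local is declared `u32 count;` (or otherwise matches the type of `num_buffers`); the same applies to the identical condition in the nvdla_unpin hunk. Since the two conditions are now the same three-clause test, a small shared helper would keep the limits from drifting apart. Both function bodies continue outside the hunks.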