nv-tegra-mirror/linux-nv-oot
1
0
Fork 0
mirror of git://nv-tegra.nvidia.com/linux-nv-oot.git synced 2025-12-24 10:11:26 +03:00
Code Issues Packages Projects Releases Wiki Activity

drivers: pva: check cb_size against memory size

Browse Source 
verify that circular buffer size is within the allocated buffer
when checking address range for bot source and destination.

Bug 4432254

Change-Id: I265f2c4b9f46cf24db8bd86cf5abf3f9b2e67994
Signed-off-by: omar <onemri@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/c/linux-nv-oot/+/3046464
GVS: Gerrit_Virtual_Submit <buildbot_gerritrpt@nvidia.com>
This commit is contained in:
omar
2024-01-04 16:57:45 -08:00
committed by mobile promotions
parent a6d28bc2c8
commit 637dd81935
1 changed files with 21 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

32
drivers/video/tegra/host/pva/pva_dma.c
View File

@@ -1,5 +1,5 @@
// SPDX-License-Identifier: GPL-2.0-only
// SPDX-FileCopyrightText: Copyright (c) 2021-2023 NVIDIA CORPORATION & AFFILIATES. All rights reserved.
// SPDX-FileCopyrightText: Copyright (c) 2021-2024 NVIDIA CORPORATION & AFFILIATES. All rights reserved.
#include <linux/kernel.h>
#include <linux/seq_file.h>
@@ -195,16 +195,20 @@ static int32_t check_address_range(struct nvpva_dma_descriptor const *desc,
/* 2nd destination dim */
s[1] = (int64_t)desc->dstLinePitch * last_ty;
if (desc->dstCbEnable == 1U) {
int64_t excursion = (s[1] + last_tx + 1) * bppSize;
/* ((DLP_ADV * (Ty-1)) + Tx) * BPP <= DB_SIZE */
if (((s[1] + last_tx + 1) * bppSize) <=
(int64_t)desc->dstCbSize)
return 0;
if (((uint64_t)desc->dstCbSize > max_size)
|| (dst2 && ((uint64_t)desc->dstCbSize > max_size2))
|| (excursion > (int64_t)desc->dstCbSize)
|| (desc->dstFormat == 1)) {
pr_err("invalid dst cb");
return -EINVAL;
}
pr_err("invalid dst cb advance");
return -EINVAL;
return 0;
}
err = pitch_linear_eq_offset(desc, &offset, desc->surfBLOffset,
block_height_log2, desc->bytePerPixel, true, false);
if (err)
@@ -225,12 +229,18 @@ static int32_t check_address_range(struct nvpva_dma_descriptor const *desc,
/* 2nd source dim */
s[1] = (int64_t)desc->srcLinePitch * last_ty;
if (desc->srcCbEnable == 1U) {
int64_t excursion = (s[1] + last_tx + 1) * bppSize;
/* ((SLP_ADV * (Ty-1)) + Tx) * BPP <= SB_SIZE */
if (((s[1] + last_tx + 1) * bppSize) <=
(int64_t)desc->srcCbSize)
return 0;
pr_err("invalid src cb");
if (((uint64_t)desc->srcCbSize > max_size)
|| (dst2 && ((uint64_t)desc->srcCbSize > max_size2))
|| (excursion > (int64_t)desc->srcCbSize)
|| (desc->srcFormat == 1)) {
pr_err("invalid src cb");
return -EINVAL;
}
return 0;
}
err = pitch_linear_eq_offset(desc, &offset, desc->surfBLOffset,