From 9b114d628c8ae40e96869ba04ca99863e131c511 Mon Sep 17 00:00:00 2001
From: Sagar Kamble
Date: Tue, 8 Jan 2019 11:12:27 +0530
Subject: [PATCH] gpu: nvgpu: check bl_size with imem size in bl_bootstrap

Currently nvgpu gets the destination offset in imem by directly subtra-
cting bl_size from imem size however there can be underflow if bl_size is larger than imem size. Add check for that.

JIRA NVGPU-1732

Change-Id: I88477beee273201fc6075c7ab8d77eb9b2a17ca5
Signed-off-by: Sagar Kamble
Reviewed-on: https://git-master.nvidia.com/r/1989989
Reviewed-by: svc-mobile-coverity
Reviewed-by: svc-mobile-misra
Reviewed-by: svc-misra-checker
Reviewed-by: Mahantesh Kumbar
GVS: Gerrit_Virtual_Submit
Reviewed-by: Alex Waterman
Reviewed-by: mobile promotions
Tested-by: mobile promotions
---
 drivers/gpu/nvgpu/common/falcon/falcon_gk20a.c | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/drivers/gpu/nvgpu/common/falcon/falcon_gk20a.c b/drivers/gpu/nvgpu/common/falcon/falcon_gk20a.c
index b5753516f..046389c14 100644
--- a/drivers/gpu/nvgpu/common/falcon/falcon_gk20a.c
+++ b/drivers/gpu/nvgpu/common/falcon/falcon_gk20a.c
@@ -454,6 +454,7 @@ static int gk20a_falcon_bl_bootstrap(struct nvgpu_falcon *flcn,
 struct gk20a *g = flcn->g;
 u32 base_addr = flcn->flcn_base;
 u32 virt_addr = 0;
+ u32 imem_size;
 u32 dst = 0;
 int err = 0;

@@ -465,8 +466,15 @@ static int gk20a_falcon_bl_bootstrap(struct nvgpu_falcon *flcn,
 }

 /* copy bootloader to TOP of IMEM */
- dst = (falcon_falcon_hwcfg_imem_size_v(gk20a_readl(g,
- base_addr + falcon_falcon_hwcfg_r())) << 8) - bl_info->bl_size;
+ imem_size = falcon_falcon_hwcfg_imem_size_v(gk20a_readl(g,
+ base_addr + falcon_falcon_hwcfg_r())) << 8;
+
+ if (bl_info->bl_size > imem_size) {
+ err = -EINVAL;
+ goto exit;
+ }
+
+ dst = imem_size - bl_info->bl_size;
 err = gk20a_falcon_copy_to_imem(flcn, dst, (u8 *)(bl_info->bl_src), bl_info->bl_size, (u8)0, false, bl_info->bl_start_tag);
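Review bot: The new reject path in the second hunk (`if (bl_info->bl_size > imem_size)`) returns -EINVAL without logging anything, so an oversized or corrupted bootloader descriptor is indistinguishable from any other bootstrap failure. A line such as `nvgpu_err(g, "bl_size 0x%x exceeds imem size 0x%x", bl_info->bl_size, imem_size);` before `err = -EINVAL;` would record both values; the format specifiers assume bl_size is a u32, which the hunk does not show. The check also lets `bl_size == 0` through, which gives `dst == imem_size`, one past the last IMEM byte. Whether gk20a_falcon_copy_to_imem rejects that offset is not visible here, so rejecting `bl_info->bl_size == 0U` in the same condition is worth considering. The function body and the `exit` label lie outside the hunk.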