diff options
author | Ofir Bitton <obitton@habana.ai> | 2020-07-30 10:00:10 +0300 |
---|---|---|
committer | Oded Gabbay <oded.gabbay@gmail.com> | 2020-08-22 12:47:56 +0300 |
commit | bf6d10963ed0db290e9aba05a97bfc4c72c7c0e4 (patch) | |
tree | 1e00b1b712f6feb71e4b561b93c9f6483ae07688 /drivers/misc | |
parent | f1aae40e8dbd2655e3b10cae381a1e8292b19d57 (diff) |
habanalabs: Validate user address before mapping
User address must be validated before driver performs address map.
Signed-off-by: Ofir Bitton <obitton@habana.ai>
Reviewed-by: Oded Gabbay <oded.gabbay@gmail.com>
Signed-off-by: Oded Gabbay <oded.gabbay@gmail.com>
Diffstat (limited to 'drivers/misc')
-rw-r--r-- | drivers/misc/habanalabs/common/command_buffer.c | 16 |
1 files changed, 14 insertions, 2 deletions
diff --git a/drivers/misc/habanalabs/common/command_buffer.c b/drivers/misc/habanalabs/common/command_buffer.c index 7c38c4f7f9c0..a8004911c977 100644 --- a/drivers/misc/habanalabs/common/command_buffer.c +++ b/drivers/misc/habanalabs/common/command_buffer.c @@ -10,6 +10,7 @@ #include <linux/mm.h> #include <linux/slab.h> +#include <linux/uaccess.h> #include <linux/genalloc.h> static void cb_fini(struct hl_device *hdev, struct hl_cb *cb) @@ -300,7 +301,7 @@ int hl_cb_mmap(struct hl_fpriv *hpriv, struct vm_area_struct *vma) struct hl_device *hdev = hpriv->hdev; struct hl_cb *cb; phys_addr_t address; - u32 handle; + u32 handle, user_cb_size; int rc; handle = vma->vm_pgoff; @@ -314,7 +315,8 @@ int hl_cb_mmap(struct hl_fpriv *hpriv, struct vm_area_struct *vma) } /* Validation check */ - if ((vma->vm_end - vma->vm_start) != ALIGN(cb->size, PAGE_SIZE)) { + user_cb_size = vma->vm_end - vma->vm_start; + if (user_cb_size != ALIGN(cb->size, PAGE_SIZE)) { dev_err(hdev->dev, "CB mmap failed, mmap size 0x%lx != 0x%x cb size\n", vma->vm_end - vma->vm_start, cb->size); @@ -322,6 +324,16 @@ int hl_cb_mmap(struct hl_fpriv *hpriv, struct vm_area_struct *vma) goto put_cb; } + if (!access_ok((void __user *) (uintptr_t) vma->vm_start, + user_cb_size)) { + dev_err(hdev->dev, + "user pointer is invalid - 0x%lx\n", + vma->vm_start); + + rc = -EINVAL; + goto put_cb; + } + spin_lock(&cb->lock); if (cb->mmap) { |