| commit | 8f66d3aa1735bc95ae58d846a157357e8d41abb8 | [log] [tgz] |
|---|---|---|
| author | Chris Wilson <[email protected]> | Thu Jun 29 13:59:26 2017 +0100 |
| committer | Gustavo Padovan <[email protected]> | Thu Jun 29 18:52:05 2017 -0300 |
| tree | ed1f9f6ba317a12164091b82101bcb515e3c8ae2 | |
| parent | 61894b02716f122dd7662d5d89f5b2245ca551e2 [diff] [blame] |
dma-buf/sw-sync: Prevent user overflow on timeline advance The timeline is u32, which limits any single advance to INT_MAX so that we can detect all fences that need signaling. Signed-off-by: Chris Wilson <[email protected]> Cc: Sumit Semwal <[email protected]> Cc: Sean Paul <[email protected]> Cc: Gustavo Padovan <[email protected]> Reviewed-by: Sean Paul <[email protected]> Signed-off-by: Gustavo Padovan <[email protected]> Link: http://patchwork.freedesktop.org/patch/msgid/[email protected]
diff --git a/drivers/dma-buf/sw_sync.c b/drivers/dma-buf/sw_sync.c index 4d5d8c5..0e676d0 100644 --- a/drivers/dma-buf/sw_sync.c +++ b/drivers/dma-buf/sw_sync.c
@@ -345,6 +345,11 @@ static long sw_sync_ioctl_inc(struct sync_timeline *obj, unsigned long arg) if (copy_from_user(&value, (void __user *)arg, sizeof(value))) return -EFAULT; + while (value > INT_MAX) { + sync_timeline_signal(obj, INT_MAX); + value -= INT_MAX; + } + sync_timeline_signal(obj, value); return 0;