From: Chris Wilson Date: Thu, 29 Jun 2017 12:59:26 +0000 (+0100) Subject: dma-buf/sw-sync: Prevent user overflow on timeline advance X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=8f66d3aa1735bc95ae58d846a157357e8d41abb8;p=GitHub%2Fmoto-9609%2Fandroid_kernel_motorola_exynos9610.git dma-buf/sw-sync: Prevent user overflow on timeline advance The timeline is u32, which limits any single advance to INT_MAX so that we can detect all fences that need signaling. Signed-off-by: Chris Wilson Cc: Sumit Semwal Cc: Sean Paul Cc: Gustavo Padovan Reviewed-by: Sean Paul Signed-off-by: Gustavo Padovan Link: http://patchwork.freedesktop.org/patch/msgid/20170629125930.821-3-chris@chris-wilson.co.uk --- diff --git a/drivers/dma-buf/sw_sync.c b/drivers/dma-buf/sw_sync.c index 4d5d8c5e2534..0e676d08aa70 100644 --- a/drivers/dma-buf/sw_sync.c +++ b/drivers/dma-buf/sw_sync.c @@ -345,6 +345,11 @@ static long sw_sync_ioctl_inc(struct sync_timeline *obj, unsigned long arg) if (copy_from_user(&value, (void __user *)arg, sizeof(value))) return -EFAULT; + while (value > INT_MAX) { + sync_timeline_signal(obj, INT_MAX); + value -= INT_MAX; + } + sync_timeline_signal(obj, value); return 0;