From 88e7e589568488ff983950c083d456bc072ca393 Mon Sep 17 00:00:00 2001 From: Liam Mark <lmark@codeaurora.org> Date: Mon, 4 Dec 2017 10:58:55 -0800 Subject: [PATCH] ion: ensure CMO target is valid Cleanup ION cache maintenance code to properly validate the target of userspace cache maintenance requests. Bug: 72957321 Change-Id: I55b8e3584c59634f95250bc7c0bce5d8d70e6a13 Signed-off-by: Liam Mark <lmark@codeaurora.org> Signed-off-by: Swetha Chikkaboraiah <schikk@codeaurora.org> --- drivers/staging/android/ion/ion.c | 5 +++++ drivers/staging/android/ion/msm/msm_ion.c | 10 +++++----- 2 files changed, 10 insertions(+), 5 deletions(-) diff --git a/drivers/staging/android/ion/ion.c b/drivers/staging/android/ion/ion.c index c283701a5887..5973e5b76146 100755 --- a/drivers/staging/android/ion/ion.c +++ b/drivers/staging/android/ion/ion.c @@ -1480,6 +1480,11 @@ static int ion_sync_for_device(struct ion_client *client, int fd) } buffer = dmabuf->priv; + if (buffer->flags & ION_FLAG_SECURE) { + pr_err("%s: cannot sync a secure dmabuf\n", __func__); + dma_buf_put(dmabuf); + return -EINVAL; + } dma_sync_sg_for_device(NULL, buffer->sg_table->sgl, buffer->sg_table->nents, DMA_BIDIRECTIONAL); dma_buf_put(dmabuf); diff --git a/drivers/staging/android/ion/msm/msm_ion.c b/drivers/staging/android/ion/msm/msm_ion.c index 8e10e0cddd74..828826254657 100644 --- a/drivers/staging/android/ion/msm/msm_ion.c +++ b/drivers/staging/android/ion/msm/msm_ion.c @@ -1,4 +1,4 @@ -/* Copyright (c) 2011-2014, The Linux Foundation. All rights reserved. +/* Copyright (c) 2011-2014,2016,2018 The Linux Foundation. All rights reserved. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 and @@ -722,11 +722,11 @@ long msm_ion_custom_ioctl(struct ion_client *client, down_read(&mm->mmap_sem); - start = (unsigned long) data.flush_data.vaddr; - end = (unsigned long) data.flush_data.vaddr - + data.flush_data.length; + start = (unsigned long)data.flush_data.vaddr + + data.flush_data.offset; + end = start + data.flush_data.length; - if (start && check_vaddr_bounds(start, end)) { + if (check_vaddr_bounds(start, end)) { pr_err("%s: virtual address %p is out of bounds\n", __func__, data.flush_data.vaddr); ret = -EINVAL; -- GitLab