diff options
author | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2020-07-20 10:01:58 +0200 |
---|---|---|
committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2020-07-20 10:01:58 +0200 |
commit | b62e185184e9d210000fcf2af39aac52d73562c8 (patch) | |
tree | bcc9b664671b859bfb77860d1bd4df10059a35d9 | |
parent | Merge tag 'fpga-late-fixes-for-5.8' of git://git.kernel.org/pub/scm/linux/ker... (diff) | |
parent | habanalabs: prevent possible out-of-bounds array access (diff) | |
download | linux-b62e185184e9d210000fcf2af39aac52d73562c8.tar.xz linux-b62e185184e9d210000fcf2af39aac52d73562c8.zip |
Merge tag 'misc-habanalabs-fixes-2020-07-19' of git://people.freedesktop.org/~gabbayo/linux into char-misc-linus
Oded writes:
This tag contains a single bug fix for 5.8-rc7:
- Check that an index is in valid range before using it to access an
array. The index is received from the user. This is to prevent a
possible out-of-bounds access error.
* tag 'misc-habanalabs-fixes-2020-07-19' of git://people.freedesktop.org/~gabbayo/linux:
habanalabs: prevent possible out-of-bounds array access
-rw-r--r-- | drivers/misc/habanalabs/command_submission.c | 14 |
1 files changed, 11 insertions, 3 deletions
diff --git a/drivers/misc/habanalabs/command_submission.c b/drivers/misc/habanalabs/command_submission.c index b0f62cbbdc87..f3a8f113865d 100644 --- a/drivers/misc/habanalabs/command_submission.c +++ b/drivers/misc/habanalabs/command_submission.c @@ -499,11 +499,19 @@ static int validate_queue_index(struct hl_device *hdev, struct asic_fixed_properties *asic = &hdev->asic_prop; struct hw_queue_properties *hw_queue_prop; + /* This must be checked here to prevent out-of-bounds access to + * hw_queues_props array + */ + if (chunk->queue_index >= HL_MAX_QUEUES) { + dev_err(hdev->dev, "Queue index %d is invalid\n", + chunk->queue_index); + return -EINVAL; + } + hw_queue_prop = &asic->hw_queues_props[chunk->queue_index]; - if ((chunk->queue_index >= HL_MAX_QUEUES) || - (hw_queue_prop->type == QUEUE_TYPE_NA)) { - dev_err(hdev->dev, "Queue index %d is invalid\n", + if (hw_queue_prop->type == QUEUE_TYPE_NA) { + dev_err(hdev->dev, "Queue index %d is not applicable\n", chunk->queue_index); return -EINVAL; } |