diff options
author | Konsta Holtta <kholtta@nvidia.com> | 2016-03-08 06:58:11 -0500 |
---|---|---|
committer | Terje Bergstrom <tbergstrom@nvidia.com> | 2016-03-15 19:21:44 -0400 |
commit | ec023c3ff70a263deedfacd8dfc8af907f830e06 (patch) | |
tree | 831ba196a3da418fc4492c866d711d8234dee126 /drivers/gpu/nvgpu/gk20a | |
parent | 471c14f76eca230c8b9ab5c92965a545f3d7dce0 (diff) |
gpu: nvgpu: validate error notifier offset
Make sure that the notifier object fits within the supplied buffer.
Bug 1739183
Bug 1739932
Change-Id: I713574ce797ffc23cec10b5114f469dbadc68f1e
Signed-off-by: Konsta Holtta <kholtta@nvidia.com>
Reviewed-on: http://git-master/r/1026410
(cherry picked from commit f476b93eb19b962b8760457102448bd533efc54d)
Reviewed-on: http://git-master/r/1028737
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Reviewed-by: Terje Bergstrom <tbergstrom@nvidia.com>
Diffstat (limited to 'drivers/gpu/nvgpu/gk20a')
-rw-r--r-- | drivers/gpu/nvgpu/gk20a/channel_gk20a.c | 15 |
1 files changed, 12 insertions, 3 deletions
diff --git a/drivers/gpu/nvgpu/gk20a/channel_gk20a.c b/drivers/gpu/nvgpu/gk20a/channel_gk20a.c index 1f63bbd8..94d12a3d 100644 --- a/drivers/gpu/nvgpu/gk20a/channel_gk20a.c +++ b/drivers/gpu/nvgpu/gk20a/channel_gk20a.c | |||
@@ -712,10 +712,12 @@ static int gk20a_channel_set_wdt_status(struct channel_gk20a *ch, | |||
712 | } | 712 | } |
713 | 713 | ||
714 | static int gk20a_init_error_notifier(struct channel_gk20a *ch, | 714 | static int gk20a_init_error_notifier(struct channel_gk20a *ch, |
715 | struct nvgpu_set_error_notifier *args) { | 715 | struct nvgpu_set_error_notifier *args) |
716 | void *va; | 716 | { |
717 | 717 | struct device *dev = dev_from_gk20a(ch->g); | |
718 | struct dma_buf *dmabuf; | 718 | struct dma_buf *dmabuf; |
719 | void *va; | ||
720 | u64 end = args->offset + sizeof(struct nvgpu_notification); | ||
719 | 721 | ||
720 | if (!args->mem) { | 722 | if (!args->mem) { |
721 | pr_err("gk20a_init_error_notifier: invalid memory handle\n"); | 723 | pr_err("gk20a_init_error_notifier: invalid memory handle\n"); |
@@ -731,6 +733,13 @@ static int gk20a_init_error_notifier(struct channel_gk20a *ch, | |||
731 | pr_err("Invalid handle: %d\n", args->mem); | 733 | pr_err("Invalid handle: %d\n", args->mem); |
732 | return -EINVAL; | 734 | return -EINVAL; |
733 | } | 735 | } |
736 | |||
737 | if (end > dmabuf->size || end < sizeof(struct nvgpu_notification)) { | ||
738 | dma_buf_put(dmabuf); | ||
739 | gk20a_err(dev, "gk20a_init_error_notifier: invalid offset\n"); | ||
740 | return -EINVAL; | ||
741 | } | ||
742 | |||
734 | /* map handle */ | 743 | /* map handle */ |
735 | va = dma_buf_vmap(dmabuf); | 744 | va = dma_buf_vmap(dmabuf); |
736 | if (!va) { | 745 | if (!va) { |