gpu: nvgpu: validate error notifier offset

Make sure that the notifier object fits within the supplied buffer. Bug 1739183 Bug 1739932 Change-Id: I713574ce797ffc23cec10b5114f469dbadc68f1e Signed-off-by: Konsta Holtta <kholtta@nvidia.com> Reviewed-on: http://git-master/r/1026410 (cherry picked from commit f476b93eb19b962b8760457102448bd533efc54d) Reviewed-on: http://git-master/r/1028737 Reviewed-by: Automatic_Commit_Validation_User GVS: Gerrit_Virtual_Submit Reviewed-by: Terje Bergstrom <tbergstrom@nvidia.com>
author: Konsta Holtta <kholtta@nvidia.com> 2016-03-08 06:58:11 -0500
committer: Terje Bergstrom <tbergstrom@nvidia.com> 2016-03-15 19:21:44 -0400
commit: ec023c3ff70a263deedfacd8dfc8af907f830e06 (patch)
tree: 831ba196a3da418fc4492c866d711d8234dee126 /drivers
parent: 471c14f76eca230c8b9ab5c92965a545f3d7dce0 (diff)
1 files changed, 12 insertions, 3 deletions
diff --git a/drivers/gpu/nvgpu/gk20a/channel_gk20a.c b/drivers/gpu/nvgpu/gk20a/channel_gk20a.c
index 1f63bbd8..94d12a3d 100644
--- a/drivers/gpu/nvgpu/gk20a/channel_gk20a.c
+++ b/drivers/gpu/nvgpu/gk20a/channel_gk20a.c
@@ -712,10 +712,12 @@ static int gk20a_channel_set_wdt_status(struct channel_gk20a *ch,
 }
 static int gk20a_init_error_notifier(struct channel_gk20a *ch,
-                struct nvgpu_set_error_notifier *args) {
+                struct nvgpu_set_error_notifier *args)
-        void *va;
+{
+        struct device *dev = dev_from_gk20a(ch->g);
        struct dma_buf *dmabuf;
+        void *va;
+        u64 end = args->offset + sizeof(struct nvgpu_notification);
        if (!args->mem) {
                pr_err("gk20a_init_error_notifier: invalid memory handle\n");
@@ -731,6 +733,13 @@ static int gk20a_init_error_notifier(struct channel_gk20a *ch,
                pr_err("Invalid handle: %d\n", args->mem);
                return -EINVAL;
        }
+        if (end > dmabuf->size || end < sizeof(struct nvgpu_notification)) {
+                dma_buf_put(dmabuf);
+                gk20a_err(dev, "gk20a_init_error_notifier: invalid offset\n");
+                return -EINVAL;
+        }
        /* map handle */
        va = dma_buf_vmap(dmabuf);
        if (!va) {
author	Konsta Holtta <kholtta@nvidia.com>	2016-03-08 06:58:11 -0500
committer	Terje Bergstrom <tbergstrom@nvidia.com>	2016-03-15 19:21:44 -0400
commit	ec023c3ff70a263deedfacd8dfc8af907f830e06 (patch)
tree	831ba196a3da418fc4492c866d711d8234dee126 /drivers
parent	471c14f76eca230c8b9ab5c92965a545f3d7dce0 (diff)

diff --git a/drivers/gpu/nvgpu/gk20a/channel_gk20a.c b/drivers/gpu/nvgpu/gk20a/channel_gk20a.c index 1f63bbd8..94d12a3d 100644 --- a/drivers/gpu/nvgpu/gk20a/channel_gk20a.c +++ b/drivers/gpu/nvgpu/gk20a/channel_gk20a.c
@@ -712,10 +712,12 @@ static int gk20a_channel_set_wdt_status(struct channel_gk20a *ch,
712	}	712	}
713		713
714	static int gk20a_init_error_notifier(struct channel_gk20a *ch,	714	static int gk20a_init_error_notifier(struct channel_gk20a *ch,
715	struct nvgpu_set_error_notifier *args) {	715	struct nvgpu_set_error_notifier *args)
716	void *va;	716	{
717		717	struct device *dev = dev_from_gk20a(ch->g);
718	struct dma_buf *dmabuf;	718	struct dma_buf *dmabuf;
		719	void *va;
		720	u64 end = args->offset + sizeof(struct nvgpu_notification);
719		721
720	if (!args->mem) {	722	if (!args->mem) {
721	pr_err("gk20a_init_error_notifier: invalid memory handle\n");	723	pr_err("gk20a_init_error_notifier: invalid memory handle\n");
@@ -731,6 +733,13 @@ static int gk20a_init_error_notifier(struct channel_gk20a *ch,
731	pr_err("Invalid handle: %d\n", args->mem);	733	pr_err("Invalid handle: %d\n", args->mem);
732	return -EINVAL;	734	return -EINVAL;
733	}	735	}
		736
		737	if (end > dmabuf->size \|\| end < sizeof(struct nvgpu_notification)) {
		738	dma_buf_put(dmabuf);
		739	gk20a_err(dev, "gk20a_init_error_notifier: invalid offset\n");
		740	return -EINVAL;
		741	}
		742
734	/* map handle */	743	/* map handle */
735	va = dma_buf_vmap(dmabuf);	744	va = dma_buf_vmap(dmabuf);
736	if (!va) {	745	if (!va) {