gpu: nvgpu: validate wait notification offset

Make sure that the notification object fits within the supplied buffer.

Bug 1739182

Change-Id: Ifb66f848e3758438f37645be6f534f5b60260214
Signed-off-by: Konsta Holtta <kholtta@nvidia.com>
Reviewed-on: http://git-master/r/1026431
(cherry picked from commit 2484c47f123c717030aa00253446e8756e1a0807)
Reviewed-on: http://git-master/r/1030875
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Reviewed-by: Terje Bergstrom <tbergstrom@nvidia.com>

1 files changed, 8 insertions, 0 deletions

diff --git a/drivers/gpu/nvgpu/gk20a/channel_gk20a.c b/drivers/gpu/nvgpu/gk20a/channel_gk20a.c
index 94d12a3d..2c2850c6 100644
--- a/drivers/gpu/nvgpu/gk20a/channel_gk20a.c
+++ b/drivers/gpu/nvgpu/gk20a/channel_gk20a.c
@@ -2408,6 +2408,7 @@ static int gk20a_channel_wait(struct channel_gk20a *ch,
         u32 offset;
         unsigned long timeout;
         int remain, ret = 0;
+        u64 end;
 
         gk20a_dbg_fn("");
 
@@ -2423,6 +2424,7 @@ static int gk20a_channel_wait(struct channel_gk20a *ch,
         case NVGPU_WAIT_TYPE_NOTIFIER:
                 id = args->condition.notifier.dmabuf_fd;
                 offset = args->condition.notifier.offset;
+                end = offset + sizeof(struct notification);
 
                 dmabuf = dma_buf_get(id);
                 if (IS_ERR(dmabuf)) {
@@ -2431,6 +2433,12 @@ static int gk20a_channel_wait(struct channel_gk20a *ch,
                         return -EINVAL;
                 }
 
+                if (end > dmabuf->size || end < sizeof(struct notification)) {
+                        dma_buf_put(dmabuf);
+                        gk20a_err(d, "invalid notifier offset\n");
+                        return -EINVAL;
+                }
+
                 notif = dma_buf_vmap(dmabuf);
                 if (!notif) {
                         gk20a_err(d, "failed to map notifier memory");