diff options
Diffstat (limited to 'drivers/gpu')
-rw-r--r-- | drivers/gpu/nvgpu/gk20a/channel_gk20a.c | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/drivers/gpu/nvgpu/gk20a/channel_gk20a.c b/drivers/gpu/nvgpu/gk20a/channel_gk20a.c index 94d12a3d..2c2850c6 100644 --- a/drivers/gpu/nvgpu/gk20a/channel_gk20a.c +++ b/drivers/gpu/nvgpu/gk20a/channel_gk20a.c | |||
@@ -2408,6 +2408,7 @@ static int gk20a_channel_wait(struct channel_gk20a *ch, | |||
2408 | u32 offset; | 2408 | u32 offset; |
2409 | unsigned long timeout; | 2409 | unsigned long timeout; |
2410 | int remain, ret = 0; | 2410 | int remain, ret = 0; |
2411 | u64 end; | ||
2411 | 2412 | ||
2412 | gk20a_dbg_fn(""); | 2413 | gk20a_dbg_fn(""); |
2413 | 2414 | ||
@@ -2423,6 +2424,7 @@ static int gk20a_channel_wait(struct channel_gk20a *ch, | |||
2423 | case NVGPU_WAIT_TYPE_NOTIFIER: | 2424 | case NVGPU_WAIT_TYPE_NOTIFIER: |
2424 | id = args->condition.notifier.dmabuf_fd; | 2425 | id = args->condition.notifier.dmabuf_fd; |
2425 | offset = args->condition.notifier.offset; | 2426 | offset = args->condition.notifier.offset; |
2427 | end = offset + sizeof(struct notification); | ||
2426 | 2428 | ||
2427 | dmabuf = dma_buf_get(id); | 2429 | dmabuf = dma_buf_get(id); |
2428 | if (IS_ERR(dmabuf)) { | 2430 | if (IS_ERR(dmabuf)) { |
@@ -2431,6 +2433,12 @@ static int gk20a_channel_wait(struct channel_gk20a *ch, | |||
2431 | return -EINVAL; | 2433 | return -EINVAL; |
2432 | } | 2434 | } |
2433 | 2435 | ||
2436 | if (end > dmabuf->size || end < sizeof(struct notification)) { | ||
2437 | dma_buf_put(dmabuf); | ||
2438 | gk20a_err(d, "invalid notifier offset\n"); | ||
2439 | return -EINVAL; | ||
2440 | } | ||
2441 | |||
2434 | notif = dma_buf_vmap(dmabuf); | 2442 | notif = dma_buf_vmap(dmabuf); |
2435 | if (!notif) { | 2443 | if (!notif) { |
2436 | gk20a_err(d, "failed to map notifier memory"); | 2444 | gk20a_err(d, "failed to map notifier memory"); |