From b018428c166959c99f045a70db87a42a4e061fed Mon Sep 17 00:00:00 2001
From: Konsta Holtta <kholtta@nvidia.com>
Date: Wed, 7 Dec 2016 13:48:59 +0200
Subject: gpu: nvgpu: Remove BUG_ON from _IOC_SIZE checks

When the user-supplied ioctl argument size is too large, just return
-EINVAL from the ioctl instead of crashing on a BUG_ON (for as, ctrl,
ctxsw, dbg and tsg nodes - channel and sched nodes are already okay).

Bug 1849661

Change-Id: I5b0d1d0c4ee47ce0136c424dda5975353f110c7e
Signed-off-by: Konsta Holtta <kholtta@nvidia.com>
Reviewed-on: http://git-master/r/1266606
Reviewed-by: mobile promotions <svcmobile_promotions@nvidia.com>
Tested-by: mobile promotions <svcmobile_promotions@nvidia.com>
---
 drivers/gpu/nvgpu/gk20a/tsg_gk20a.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

(limited to 'drivers/gpu/nvgpu/gk20a/tsg_gk20a.c')

diff --git a/drivers/gpu/nvgpu/gk20a/tsg_gk20a.c b/drivers/gpu/nvgpu/gk20a/tsg_gk20a.c
index d98b78ea..181140d2 100644
--- a/drivers/gpu/nvgpu/gk20a/tsg_gk20a.c
+++ b/drivers/gpu/nvgpu/gk20a/tsg_gk20a.c
@@ -608,11 +608,10 @@ long gk20a_tsg_dev_ioctl(struct file *filp, unsigned int cmd,
 
 	if ((_IOC_TYPE(cmd) != NVGPU_TSG_IOCTL_MAGIC) ||
 	    (_IOC_NR(cmd) == 0) ||
-	    (_IOC_NR(cmd) > NVGPU_TSG_IOCTL_LAST))
+	    (_IOC_NR(cmd) > NVGPU_TSG_IOCTL_LAST) ||
+	    (_IOC_SIZE(cmd) > NVGPU_TSG_IOCTL_MAX_ARG_SIZE))
 		return -EINVAL;
 
-	BUG_ON(_IOC_SIZE(cmd) > NVGPU_TSG_IOCTL_MAX_ARG_SIZE);
-
 	memset(buf, 0, sizeof(buf));
 	if (_IOC_DIR(cmd) & _IOC_WRITE) {
 		if (copy_from_user(buf, (void __user *)arg, _IOC_SIZE(cmd)))
-- 
cgit v1.2.2