From f07a046a52e7a8074bd1572a12ac65747d3f827d Mon Sep 17 00:00:00 2001
From: Konsta Holtta
Date: Tue, 8 Mar 2016 14:35:21 +0200
Subject: gpu: nvgpu: validate wait notification offset

Make sure that the notification object fits within the supplied buffer.

Bug 1739182

Change-Id: Ifb66f848e3758438f37645be6f534f5b60260214
Signed-off-by: Konsta Holtta
Reviewed-on: http://git-master/r/1026431
(cherry picked from commit 2484c47f123c717030aa00253446e8756e1a0807)
Reviewed-on: http://git-master/r/1030875
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Reviewed-by: Terje Bergstrom
---
 drivers/gpu/nvgpu/gk20a/channel_gk20a.c | 8 ++++++++
 1 file changed, 8 insertions(+)
(limited to 'drivers')

diff --git a/drivers/gpu/nvgpu/gk20a/channel_gk20a.c b/drivers/gpu/nvgpu/gk20a/channel_gk20a.c
index 94d12a3d..2c2850c6 100644
--- a/drivers/gpu/nvgpu/gk20a/channel_gk20a.c
+++ b/drivers/gpu/nvgpu/gk20a/channel_gk20a.c
@@ -2408,6 +2408,7 @@ static int gk20a_channel_wait(struct channel_gk20a *ch,
 	u32 offset;
 	unsigned long timeout;
 	int remain, ret = 0;
+	u64 end;
 
 	gk20a_dbg_fn("");
 
@@ -2423,6 +2424,7 @@ static int gk20a_channel_wait(struct channel_gk20a *ch,
 	case NVGPU_WAIT_TYPE_NOTIFIER:
 		id = args->condition.notifier.dmabuf_fd;
 		offset = args->condition.notifier.offset;
+		end = offset + sizeof(struct notification);
 
 		dmabuf = dma_buf_get(id);
 		if (IS_ERR(dmabuf)) {
@@ -2431,6 +2433,12 @@ static int gk20a_channel_wait(struct channel_gk20a *ch,
 			return -EINVAL;
 		}
 
+		if (end > dmabuf->size || end < sizeof(struct notification)) {
+			dma_buf_put(dmabuf);
+			gk20a_err(d, "invalid notifier offset\n");
+			return -EINVAL;
+		}
+
 		notif = dma_buf_vmap(dmabuf);
 		if (!notif) {
 			gk20a_err(d, "failed to map notifier memory");
-- 
cgit v1.2.2
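Review bot: The second clause of the new bounds check in the third hunk, `end < sizeof(struct notification)`, deserves a comment, because its purpose is not obvious: `offset` is a `u32` and the addition in the second hunk is performed in `size_t` before widening to `u64`, so on a 32-bit build a user-supplied offset near `UINT_MAX` wraps and the wrapped sum is necessarily smaller than `sizeof(struct notification)`; on a 64-bit build the clause is redundant but harmless. A line such as `/* second test catches u32 wrap of offset + sizeof on 32-bit size_t */` above the `if` would keep the next maintainer from "simplifying" it away and reopening the out-of-bounds read the change fixes. As a point of style, the new message `"invalid notifier offset\n"` carries a trailing newline while the adjacent `gk20a_err(d, "failed to map notifier memory")` does not; one of the two conventions should be followed for both. The check validates only that the object fits within `dmabuf->size`; whether `offset` also needs to satisfy the alignment requirements of `struct notification` depends on how the mapped pointer is derived later in gk20a_channel_wait, which lies outside the hunk (the function starts before the first hunk and continues after the last).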