authorKonsta Holtta <kholtta@nvidia.com>2016-03-08 14:35:21 +0200
committerMatthew Pedro <mapedro@nvidia.com>2016-03-14 22:15:34 -0700
commit5c8ffda63151d70390f10e8c9d111baafc786fda (patch)
tree0e150e85fad3178d853d619929dfc1976f774ad5
parentee62433c7b903f226220e485a90cc5860da49f94 (diff)
gpu: nvgpu: validate wait notification offset
Make sure that the notification object fits within the supplied buffer. Bug 1739182 Change-Id: Ifb66f848e3758438f37645be6f534f5b60260214 Signed-off-by: Konsta Holtta <kholtta@nvidia.com> Reviewed-on: http://git-master/r/1026431 (cherry picked from commit 2484c47f123c717030aa00253446e8756e1a0807) Reviewed-on: http://git-master/r/1030663 Reviewed-by: Matthew Pedro <mapedro@nvidia.com> Tested-by: Matthew Pedro <mapedro@nvidia.com>
-rw-r--r--drivers/gpu/nvgpu/gk20a/channel_gk20a.c8
1 files changed, 8 insertions, 0 deletions
diff --git a/drivers/gpu/nvgpu/gk20a/channel_gk20a.c b/drivers/gpu/nvgpu/gk20a/channel_gk20a.c
index e00a1af5b77d..f64bda9b6dc5 100644
--- a/drivers/gpu/nvgpu/gk20a/channel_gk20a.c
+++ b/drivers/gpu/nvgpu/gk20a/channel_gk20a.c
@@ -1732,6 +1732,7 @@ static int gk20a_channel_wait(struct channel_gk20a *ch,
u32 offset;
unsigned long timeout;
int remain, ret = 0;
+ u64 end;
gk20a_dbg_fn("");
@@ -1747,6 +1748,7 @@ static int gk20a_channel_wait(struct channel_gk20a *ch,
case NVHOST_WAIT_TYPE_NOTIFIER:
id = args->condition.notifier.nvmap_handle;
offset = args->condition.notifier.offset;
+ end = offset + sizeof(struct notification);
dmabuf = dma_buf_get(id);
if (IS_ERR(dmabuf)) {
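Review bot: The width of the sum in `end = offset + sizeof(struct notification);` depends on the build: where size_t is 32 bits the addition wraps before it is widened into the u64, and only the `end < sizeof(struct notification)` clause of the check added in the next hunk catches that, while with a 64-bit size_t that clause can never be true. Widening first, `end = (u64)offset + sizeof(struct notification);`, makes the sum exact on both and lets the later test reduce to `end > dmabuf->size`. If the current form is kept, a comment such as `/* u32 + size_t may wrap on 32-bit; the range check below rejects that */` on this line would tell the next reader why the second clause exists. gk20a_channel_wait starts and ends outside this hunk.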
@@ -1755,6 +1757,12 @@ static int gk20a_channel_wait(struct channel_gk20a *ch,
return -EINVAL;
}
+ if (end > dmabuf->size || end < sizeof(struct notification)) {
+ dma_buf_put(dmabuf);
+ gk20a_err(d, "invalid notifier offset\n");
+ return -EINVAL;
+ }
+
notif = dma_buf_vmap(dmabuf);
if (!notif) {
gk20a_err(d, "failed to map notifier memory");
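Review bot: The new check keeps the notification object inside the buffer but puts no constraint on the alignment of `offset`, which is taken from `args->condition.notifier.offset`; if the code past this hunk accesses struct notification fields in place at that offset (not visible here), a misaligned value would still be accepted. Adding `!IS_ALIGNED(offset, __alignof__(struct notification))` to the same condition would reject it on the existing error path, with the `dma_buf_put(dmabuf)` already in place. As a smaller style point, `"invalid notifier offset\n"` carries a trailing newline while the neighbouring `"failed to map notifier memory"` does not, so one convention should be picked for gk20a_err messages. The function body continues outside the hunk.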