video: tegra: host: protect against offset overflow
(cherry pick from commit 4cef1ae735a4e438a5de246f61da112fab299feb)
Check nvhost error notifier offset value to protect against
potential unsigned integer overflow.
Signed-off-by: Xia Yang <xiay@nvidia.com>
Bug: 27251090
Change-Id: I4c214680770937d1257542f76a5acee9053a6f7d
diff --git a/drivers/video/tegra/host/bus_client.c b/drivers/video/tegra/host/bus_client.c
index 576800d..b6d59ab 100644
--- a/drivers/video/tegra/host/bus_client.c
+++ b/drivers/video/tegra/host/bus_client.c
@@ -1,7 +1,7 @@
/*
* Tegra Graphics Host Client Module
*
- * Copyright (c) 2010-2014, NVIDIA Corporation. All rights reserved.
+ * Copyright (c) 2010-2016, NVIDIA Corporation. All rights reserved.
*
* This program is free software; you can redistribute it and/or modify it
* under the terms and conditions of the GNU General Public License,
@@ -328,9 +328,15 @@
static int nvhost_init_error_notifier(struct nvhost_channel *ch,
struct nvhost_set_error_notifier *args) {
void *va;
- u64 end = args->offset + sizeof(struct nvhost_notification);
-
+ u64 end;
struct dma_buf *dmabuf;
+
+ if (unlikely(args->offset >
+ U64_MAX - sizeof(struct nvhost_notification)))
+ return -EINVAL;
+
+ end = args->offset + sizeof(struct nvhost_notification);
+
if (!args->mem) {
dev_err(&ch->dev->dev, "invalid memory handle\n");
return -EINVAL;