commit 83d77c319024cb91f9dd27f3c38455ead198b65f
author Konsta Holtta <kholtta@nvidia.com> Tue Mar 08 13:58:11 2016 +0200
committer Mark Salyzyn <salyzyn@google.com> Tue Mar 22 22:33:02 2016 +0000
tree 772ce56ff13dff8299738105b7db089f47f42a86
parent 1ff2efce08789430bade840962543406922e1347

gpu: nvgpu: validate error notifier offset

Make sure that the notifier object fits within the supplied buffer.

Bug:27299111

Change-Id: I713574ce797ffc23cec10b5114f469dbadc68f1e
Signed-off-by: Konsta Holtta <kholtta@nvidia.com>
(cherry picked from commit 4010a428995b209f9442f9e2731baa4d1ba5eb42)

drivers/gpu/nvgpu/gk20a/channel_gk20a.c

diff --git a/drivers/gpu/nvgpu/gk20a/channel_gk20a.c b/drivers/gpu/nvgpu/gk20a/channel_gk20a.c
index f145b66..fb3013d 100644
--- a/drivers/gpu/nvgpu/gk20a/channel_gk20a.c
+++ b/drivers/gpu/nvgpu/gk20a/channel_gk20a.c
@@ -521,10 +521,11 @@
 #endif
 
 static int gk20a_init_error_notifier(struct channel_gk20a *ch,
-		struct nvhost_set_error_notifier *args) {
-	void *va;
-
+		struct nvhost_set_error_notifier *args)
+{
 	struct dma_buf *dmabuf;
+	void *va;
+	u64 end = args->offset + sizeof(struct nvhost_notification);
 
 	if (!args->mem) {
 		pr_err("gk20a_init_error_notifier: invalid memory handle\n");
@@ -540,6 +541,13 @@
 		pr_err("Invalid handle: %d\n", args->mem);
 		return -EINVAL;
 	}
+
+	if (end > dmabuf->size || end < sizeof(struct nvhost_notification)) {
+		dma_buf_put(dmabuf);
+		pr_err("gk20a_init_error_notifier: invalid offset\n");
+		return -EINVAL;
+	}
+
 	/* map handle */
 	va = dma_buf_vmap(dmabuf);
 	if (!va) {