gpu: nvgpu: validate wait notification offset

(cherry pick from commit 1f9ba996a484f50bbe60762be021479e34c35eaa)

Make sure that the notification object fits within the supplied buffer.

Bug:27299111

Change-Id: Ifb66f848e3758438f37645be6f534f5b60260214
Signed-off-by: Konsta Holtta <kholtta@nvidia.com>
diff --git a/drivers/gpu/nvgpu/gk20a/channel_gk20a.c b/drivers/gpu/nvgpu/gk20a/channel_gk20a.c
index fb3013d..a1aa629 100644
--- a/drivers/gpu/nvgpu/gk20a/channel_gk20a.c
+++ b/drivers/gpu/nvgpu/gk20a/channel_gk20a.c
@@ -1709,6 +1709,7 @@
 	u32 offset;
 	unsigned long timeout;
 	int remain, ret = 0;
+	u64 end;
 
 	gk20a_dbg_fn("");
 
@@ -1724,6 +1725,7 @@
 	case NVHOST_WAIT_TYPE_NOTIFIER:
 		id = args->condition.notifier.nvmap_handle;
 		offset = args->condition.notifier.offset;
+		end = offset + sizeof(struct notification);
 
 		dmabuf = dma_buf_get(id);
 		if (IS_ERR(dmabuf)) {
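Review bot: The sum `offset + sizeof(struct notification)` is evaluated in the wider of u32 and size_t before it is stored in the u64 `end`, so on a build where size_t is 32 bits it can wrap. The `end < sizeof(struct notification)` test in the third hunk is what catches that wrap; where size_t is 64 bits that test can never be true. Making the width explicit removes the dependency on the target: `end = (u64)offset + sizeof(struct notification);`, after which `end > dmabuf->size` alone is sufficient. The enclosing switch and function start outside this hunk.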
@@ -1732,6 +1734,12 @@
 			return -EINVAL;
 		}
 
+		if (end > dmabuf->size || end < sizeof(struct notification)) {
+			dma_buf_put(dmabuf);
+			gk20a_err(d, "invalid notifier offset\n");
+			return -EINVAL;
+		}
+
 		notif = dma_buf_vmap(dmabuf);
 		if (!notif) {
 			gk20a_err(d, "failed to map notifier memory");
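Review bot: The new bounds check in the NVHOST_WAIT_TYPE_NOTIFIER case has no comment saying why it exists or that it must stay ahead of `dma_buf_vmap()`. I would add above the `if`: `/* offset comes from the caller's wait args; reject it unless the whole struct notification lies inside the dma-buf */`. The message passed to `gk20a_err` here ends in `\n` while the "failed to map notifier memory" call a few lines below does not, so the two should be made consistent with whatever the macro expects. The case body continues past the end of the hunk, so how `notif` and `offset` are combined afterwards is not visible here.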