gpu: nvgpu: validate wait notification offset

Make sure that the notification object fits within the supplied buffer.

Bug 1739182

Change-Id: Ifb66f848e3758438f37645be6f534f5b60260214
Signed-off-by: Konsta Holtta <kholtta@nvidia.com>
Reviewed-on: http://git-master/r/1026431
(cherry picked from commit 2484c47f123c717030aa00253446e8756e1a0807)
Reviewed-on: http://git-master/r/1030663
Reviewed-by: Matthew Pedro <mapedro@nvidia.com>
Tested-by: Matthew Pedro <mapedro@nvidia.com>

diff --git a/drivers/gpu/nvgpu/gk20a/channel_gk20a.c b/drivers/gpu/nvgpu/gk20a/channel_gk20a.c
index e00a1af5b77d3b45b9956e874445e6c8032850bc..f64bda9b6dc516a10bf15a3ca8d0d5c9f702ec63 100644 (file)
--- a/drivers/gpu/nvgpu/gk20a/channel_gk20a.c
+++ b/drivers/gpu/nvgpu/gk20a/channel_gk20a.c
@@ -1732,6 +1732,7 @@ static int gk20a_channel_wait(struct channel_gk20a *ch,
        u32 offset;
        unsigned long timeout;
        int remain, ret = 0;
+       u64 end;
 
        gk20a_dbg_fn("");
 
@@ -1747,6 +1748,7 @@ static int gk20a_channel_wait(struct channel_gk20a *ch,
        case NVHOST_WAIT_TYPE_NOTIFIER:
                id = args->condition.notifier.nvmap_handle;
                offset = args->condition.notifier.offset;
+               end = offset + sizeof(struct notification);
 
                dmabuf = dma_buf_get(id);
                if (IS_ERR(dmabuf)) {
@@ -1755,6 +1757,12 @@ static int gk20a_channel_wait(struct channel_gk20a *ch,
                        return -EINVAL;
                }
 
+               if (end > dmabuf->size || end < sizeof(struct notification)) {
+                       dma_buf_put(dmabuf);
+                       gk20a_err(d, "invalid notifier offset\n");
+                       return -EINVAL;
+               }
+
                notif = dma_buf_vmap(dmabuf);
                if (!notif) {
                        gk20a_err(d, "failed to map notifier memory");