gpu: nvgpu: validate error notifier offset

Make sure that the notifier object fits within the supplied buffer.

Bug 1739183
Bug 1739932

Change-Id: I713574ce797ffc23cec10b5114f469dbadc68f1e
Signed-off-by: Konsta Holtta <kholtta@nvidia.com>
Reviewed-on: http://git-master/r/1026410
(cherry picked from commit f476b93eb19b962b8760457102448bd533efc54d)
Reviewed-on: http://git-master/r/1029379
GVS: Gerrit_Virtual_Submit
Reviewed-by: Terje Bergstrom <tbergstrom@nvidia.com>

diff --git a/drivers/gpu/nvgpu/gk20a/channel_gk20a.c b/drivers/gpu/nvgpu/gk20a/channel_gk20a.c
index 755fcdda574285b4285cef4a87fb91d937add78c..e00a1af5b77d3b45b9956e874445e6c8032850bc 100644 (file)
--- a/drivers/gpu/nvgpu/gk20a/channel_gk20a.c
+++ b/drivers/gpu/nvgpu/gk20a/channel_gk20a.c
@@ -538,10 +538,12 @@ static int gk20a_channel_cycle_stats(struct channel_gk20a *ch,
 #endif
 
 static int gk20a_init_error_notifier(struct channel_gk20a *ch,
-               struct nvhost_set_error_notifier *args) {
-       void *va;
-
+               struct nvhost_set_error_notifier *args)
+{
+       struct device *dev = dev_from_gk20a(ch->g);
        struct dma_buf *dmabuf;
+       void *va;
+       u64 end = args->offset + sizeof(struct nvhost_notification);
 
        if (!args->mem) {
                pr_err("gk20a_init_error_notifier: invalid memory handle\n");
@@ -557,6 +559,13 @@ static int gk20a_init_error_notifier(struct channel_gk20a *ch,
                pr_err("Invalid handle: %d\n", args->mem);
                return -EINVAL;
        }
+
+       if (end > dmabuf->size || end < sizeof(struct nvhost_notification)) {
+               dma_buf_put(dmabuf);
+               gk20a_err(dev, "gk20a_init_error_notifier: invalid offset\n");
+               return -EINVAL;
+       }
+
        /* map handle */
        va = dma_buf_vmap(dmabuf);
        if (!va) {