From ee62433c7b903f226220e485a90cc5860da49f94 Mon Sep 17 00:00:00 2001
From: Konsta Holtta
Date: Tue, 8 Mar 2016 13:58:11 +0200
Subject: [PATCH] gpu: nvgpu: validate error notifier offset
Make sure that the notifier object fits within the supplied buffer.
Bug 1739183
Bug 1739932
Change-Id: I713574ce797ffc23cec10b5114f469dbadc68f1e
Signed-off-by: Konsta Holtta
Reviewed-on: http://git-master/r/1026410
(cherry picked from commit f476b93eb19b962b8760457102448bd533efc54d)
Reviewed-on: http://git-master/r/1029379
GVS: Gerrit_Virtual_Submit
Reviewed-by: Terje Bergstrom
---
 drivers/gpu/nvgpu/gk20a/channel_gk20a.c | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)
diff --git a/drivers/gpu/nvgpu/gk20a/channel_gk20a.c b/drivers/gpu/nvgpu/gk20a/channel_gk20a.c
index 755fcdda574..e00a1af5b77 100644
--- a/drivers/gpu/nvgpu/gk20a/channel_gk20a.c
+++ b/drivers/gpu/nvgpu/gk20a/channel_gk20a.c
@@ -538,10 +538,12 @@ static int gk20a_channel_cycle_stats(struct channel_gk20a *ch,
 #endif
 static int gk20a_init_error_notifier(struct channel_gk20a *ch,
- struct nvhost_set_error_notifier *args) {
- void *va;
-
+ struct nvhost_set_error_notifier *args)
+{
+ struct device *dev = dev_from_gk20a(ch->g);
 struct dma_buf *dmabuf;
+ void *va;
+ u64 end = args->offset + sizeof(struct nvhost_notification);
 if (!args->mem) {
 pr_err("gk20a_init_error_notifier: invalid memory handle\n");
@@ -557,6 +559,13 @@ static int gk20a_init_error_notifier(struct channel_gk20a *ch,
 pr_err("Invalid handle: %d\n", args->mem);
 return -EINVAL;
 }
+
+ if (end > dmabuf->size || end < sizeof(struct nvhost_notification)) {
+ dma_buf_put(dmabuf);
+ gk20a_err(dev, "gk20a_init_error_notifier: invalid offset\n");
+ return -EINVAL;
+ }
+
+ /* map handle */
 va = dma_buf_vmap(dmabuf);
 if (!va) {
-- 
2.39.2
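Review bot: In the first hunk (`@@ -538,10 +538,12 @@`), the initializer `u64 end = args->offset + sizeof(struct nvhost_notification);` can wrap when the caller supplies an offset near the top of the integer range, and nothing at the declaration says that this is expected and handled later. The wrap is rejected only by the `end < sizeof(struct nvhost_notification)` operand added in the second hunk, so a short comment here, e.g. `/* may wrap for a huge offset; the range check below rejects that */`, would stop a later cleanup from dropping that operand as redundant. The width of `args->offset` is not visible on this page, so the exact wrap point is inferred. The function body continues past the end of this hunk.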
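Review bot: The range check added in the second hunk (`if (end > dmabuf->size || end < sizeof(struct nvhost_notification))`) bounds where the notifier ends but still accepts any byte offset, including one that is misaligned for `struct nvhost_notification`. If the code after this hunk stores through a struct pointer at `va + args->offset` (the rest of the function is outside the hunk, so this is inferred), a caller-chosen odd offset becomes unaligned stores into the mapped buffer. Rejecting it in the same branch, e.g. `|| !IS_ALIGNED(args->offset, __alignof__(struct nvhost_notification))`, would keep all offset validation in one place and reuse the existing `dma_buf_put()` error path.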