From 18239c3a250adb2d6c4e59dfee3bc7567924e63b Mon Sep 17 00:00:00 2001
From: Sagar Kamble <skamble@nvidia.com>
Date: Fri, 1 Oct 2021 20:07:16 +0530
Subject: [PATCH] gpu: nvgpu: fix user input string preparation in
 gk20a_power_write

String parameter to kstrtouint has to be null terminated.
If the input string to gk20a_power_write doesn't have the
terminating null character then gk20a_power_write passed
string without appending null character to kstrtouint.

Fix this by preparing string to occupy null character in
the end after user supplied string characters.

Bug 3388725

Change-Id: I521f879326908e296dd9a32b5781db490d40bdd2
Signed-off-by: Sagar Kamble <skamble@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/c/linux-nvgpu/+/2603985
Reviewed-by: Debarshi Dutta <ddutta@nvidia.com>
Reviewed-by: Konsta Holtta <kholtta@nvidia.com>
Reviewed-by: Martin Radev <mradev@nvidia.com>
Reviewed-by: Vijayakumar Subbu <vsubbu@nvidia.com>
Reviewed-by: mobile promotions <svcmobile_promotions@nvidia.com>
Tested-by: mobile promotions <svcmobile_promotions@nvidia.com>
GVS: Gerrit_Virtual_Submit
---
 drivers/gpu/nvgpu/os/linux/power_ops.c | 18 ++++++------------
 1 file changed, 6 insertions(+), 12 deletions(-)

diff --git a/drivers/gpu/nvgpu/os/linux/power_ops.c b/drivers/gpu/nvgpu/os/linux/power_ops.c
index 7b11a8fe4..cb8474ba9 100644
--- a/drivers/gpu/nvgpu/os/linux/power_ops.c
+++ b/drivers/gpu/nvgpu/os/linux/power_ops.c
@@ -95,38 +95,35 @@ int gk20a_power_write(struct file *filp, const char __user *buf,
 		size_t size, loff_t *off)
 {
 	struct gk20a *g = filp->private_data;
+	unsigned char userinput[3] = {0};
 	u32 power_status = 0U;
 	int err = 0;
-	unsigned char *userinput = NULL;
 
 	if (!g) {
 		return -ENODEV;
 	}
 
-	userinput = (unsigned char *)kzalloc(size, GFP_KERNEL);
-	if (!userinput) {
-		return -ENOMEM;
+	/* Valid inputs are "0", "1", "0\n", "1\n". */
+	if (size >= sizeof(userinput)) {
+		return -EINVAL;
 	}
 
 	if (copy_from_user(userinput, buf, size)) {
-		kfree(userinput);
 		return -EFAULT;
 	}
 
 	if (kstrtouint(userinput, 10, &power_status)) {
-		kfree(userinput);
 		return -EINVAL;
 	}
 
 	if (power_status == NVGPU_DRIVER_POWER_ON_NEEDED) {
 		if (nvgpu_poweron_started(g)) {
-			goto free_input;
+			goto out;
 		}
 
 		err = gk20a_busy(g);
 		if (err) {
 			nvgpu_err(g, "power_node_write failed at busy");
-			kfree(userinput);
 			return err;
 		}
 
@@ -135,18 +132,15 @@ int gk20a_power_write(struct file *filp, const char __user *buf,
 		err = gk20a_driver_force_power_off(g);
 		if (err) {
 			nvgpu_err(g, "power_node_write failed at busy");
-			kfree(userinput);
 			return err;
 		}
 	} else {
 		nvgpu_err(g, "1/0 are the valid values to power-on the GPU");
-		kfree(userinput);
 		return -EINVAL;
 	}
 
-free_input:
+out:
 	*off += size;
-	kfree(userinput);
 	return size;
 }