gpu: nvgpu: validate error notifier offset

Make sure that the notifier object fits within the supplied buffer. Bug 1739183 Bug 1739932 Change-Id: I713574ce797ffc23cec10b5114f469dbadc68f1e Signed-off-by: Konsta Holtta <kholtta@nvidia.com> Reviewed-on: http://git-master/r/1026410 (cherry picked from commit f476b93eb19b962b8760457102448bd533efc54d) Reviewed-on: http://git-master/r/1028737 Reviewed-by: Automatic_Commit_Validation_User GVS: Gerrit_Virtual_Submit Reviewed-by: Terje Bergstrom <tbergstrom@nvidia.com>
2025-12-23 18:16:01 +03:00 · 2016-03-08 13:58:11 +02:00
parent 471c14f76e
commit ec023c3ff7
1 changed files with 12 additions and 3 deletions
--- a/drivers/gpu/nvgpu/gk20a/channel_gk20a.c
+++ b/drivers/gpu/nvgpu/gk20a/channel_gk20a.c
@@ -712,10 +712,12 @@ static int gk20a_channel_set_wdt_status(struct channel_gk20a *ch,
 }
 static int gk20a_init_error_notifier(struct channel_gk20a *ch,
-		struct nvgpu_set_error_notifier *args) {
+		struct nvgpu_set_error_notifier *args)
-	void *va;
+{
-
+	struct device *dev = dev_from_gk20a(ch->g);
 	struct dma_buf *dmabuf;
 	void *va;
 	u64 end = args->offset + sizeof(struct nvgpu_notification);
 	if (!args->mem) {
 		pr_err("gk20a_init_error_notifier: invalid memory handle\n");
@@ -731,6 +733,13 @@ static int gk20a_init_error_notifier(struct channel_gk20a *ch,
 		pr_err("Invalid handle: %d\n", args->mem);
 		return -EINVAL;
 	}
 	if (end > dmabuf->size || end < sizeof(struct nvgpu_notification)) {
 		dma_buf_put(dmabuf);
 		gk20a_err(dev, "gk20a_init_error_notifier: invalid offset\n");
 		return -EINVAL;
 	}
 	/* map handle */
 	va = dma_buf_vmap(dmabuf);
 	if (!va) {