diff options
| author | Konsta Holtta <kholtta@nvidia.com> | 2016-03-08 13:56:19 +0200 |
|---|---|---|
| committer | Matthew Pedro <mapedro@nvidia.com> | 2016-03-14 08:56:21 -0700 |
| commit | 9fc101e766b4c0e7f2fb7b02e44e9cd64136ae0d (patch) | |
| tree | a4d93f91bbd64858e98ca2a11ca2c0087c97557c /drivers | |
| parent | 070b447b14c0ad37a1af94eedc980282abf3b8b0 (diff) | |
video: tegra: host: validate error notifier offset
Make sure that the notifier object fits within the supplied buffer.
Bug 1739183
Change-Id: Ifbf46eddea86bedf0236851ea1c3f73e5f820beb
Signed-off-by: Konsta Holtta <kholtta@nvidia.com>
Reviewed-on: http://git-master/r/1026409
(cherry picked from commit 4086d2137e9b51137aa335fa264d924c73dea5fc)
Reviewed-on: http://git-master/r/1029074
Reviewed-by: Automatic_Commit_Validation_User
Reviewed-by: Matthew Pedro <mapedro@nvidia.com>
Reviewed-by: Shridhar Rasal <srasal@nvidia.com>
Reviewed-by: Bibek Basu <bbasu@nvidia.com>
Reviewed-by: Deepak Nibade <dnibade@nvidia.com>
Reviewed-by: Arto Merilainen <amerilainen@nvidia.com>
Diffstat (limited to 'drivers')
| -rw-r--r-- | drivers/video/tegra/host/bus_client.c | 20 |
1 files changed, 14 insertions, 6 deletions
diff --git a/drivers/video/tegra/host/bus_client.c b/drivers/video/tegra/host/bus_client.c index 634384329992..973b8f3c66ff 100644 --- a/drivers/video/tegra/host/bus_client.c +++ b/drivers/video/tegra/host/bus_client.c @@ -1,7 +1,7 @@ /* * Tegra Graphics Host Client Module * - * Copyright (c) 2010-2014, NVIDIA Corporation. All rights reserved. + * Copyright (c) 2010-2016, NVIDIA Corporation. All rights reserved. * * This program is free software; you can redistribute it and/or modify it * under the terms and conditions of the GNU General Public License, @@ -322,10 +322,12 @@ void nvhost_free_error_notifiers(struct nvhost_channel *ch) } static int nvhost_init_error_notifier(struct nvhost_channel *ch, - struct nvhost_set_error_notifier *args) { + struct nvhost_set_error_notifier *args) +{ + u64 end = args->offset + sizeof(struct nvhost_notification); + struct dma_buf *dmabuf; void *va; - struct dma_buf *dmabuf; if (!args->mem) { dev_err(&ch->dev->dev, "invalid memory handle\n"); return -EINVAL; @@ -333,14 +335,20 @@ static int nvhost_init_error_notifier(struct nvhost_channel *ch, dmabuf = dma_buf_get(args->mem); - if (ch->error_notifier_ref) - nvhost_free_error_notifiers(ch); - if (IS_ERR(dmabuf)) { dev_err(&ch->dev->dev, "Invalid handle: %d\n", args->mem); return -EINVAL; } + if (end > dmabuf->size || end < sizeof(struct nvhost_notification)) { + dma_buf_put(dmabuf); + pr_err("%s: invalid offset\n", __func__); + return -EINVAL; + } + + if (ch->error_notifier_ref) + nvhost_free_error_notifiers(ch); + /* map handle */ va = dma_buf_vmap(dmabuf); if (!va) { |