diff options
Diffstat (limited to 'drivers/gpu')
| -rw-r--r-- | drivers/gpu/nvgpu/gk20a/channel_gk20a.c | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/drivers/gpu/nvgpu/gk20a/channel_gk20a.c b/drivers/gpu/nvgpu/gk20a/channel_gk20a.c index e00a1af5b77d..f64bda9b6dc5 100644 --- a/drivers/gpu/nvgpu/gk20a/channel_gk20a.c +++ b/drivers/gpu/nvgpu/gk20a/channel_gk20a.c @@ -1732,6 +1732,7 @@ static int gk20a_channel_wait(struct channel_gk20a *ch, u32 offset; unsigned long timeout; int remain, ret = 0; + u64 end; gk20a_dbg_fn(""); @@ -1747,6 +1748,7 @@ static int gk20a_channel_wait(struct channel_gk20a *ch, case NVHOST_WAIT_TYPE_NOTIFIER: id = args->condition.notifier.nvmap_handle; offset = args->condition.notifier.offset; + end = offset + sizeof(struct notification); dmabuf = dma_buf_get(id); if (IS_ERR(dmabuf)) { @@ -1755,6 +1757,12 @@ static int gk20a_channel_wait(struct channel_gk20a *ch, return -EINVAL; } + if (end > dmabuf->size || end < sizeof(struct notification)) { + dma_buf_put(dmabuf); + gk20a_err(d, "invalid notifier offset\n"); + return -EINVAL; + } + notif = dma_buf_vmap(dmabuf); if (!notif) { gk20a_err(d, "failed to map notifier memory"); |