gpu: nvgpu: require mapped buffer be inside va

When validating buffers to be mapped, check that the buffer end does not
overflow over the virtual address node space.

Bug 1562361

Change-Id: I3c78ec7380584ae55f1e6bf576f524abee846ddd
Signed-off-by: Konsta Holtta <kholtta@nvidia.com>

1 files changed, 13 insertions, 0 deletions

diff --git a/drivers/gpu/nvgpu/gk20a/mm_gk20a.c b/drivers/gpu/nvgpu/gk20a/mm_gk20a.c
index e8e80a99..dd23023b 100644
--- a/drivers/gpu/nvgpu/gk20a/mm_gk20a.c
+++ b/drivers/gpu/nvgpu/gk20a/mm_gk20a.c
@@ -1080,6 +1080,13 @@ static int validate_fixed_buffer(struct vm_gk20a *vm,
         struct device *dev = dev_from_vm(vm);
         struct vm_reserved_va_node *va_node;
         struct mapped_buffer_node *buffer;
+        u64 map_end = map_offset + map_size;
+
+        /* can wrap around with insane map_size; zero is disallowed too */
+        if (map_end <= map_offset) {
+                gk20a_warn(dev, "fixed offset mapping with invalid map_size");
+                return -EINVAL;
+        }
 
         if (map_offset & gmmu_page_offset_masks[bfr->pgsz_idx]) {
                 gk20a_err(dev, "map offset must be buffer page size aligned 0x%llx",
@@ -1094,6 +1101,12 @@ static int validate_fixed_buffer(struct vm_gk20a *vm,
                 return -EINVAL;
         }
 
+        /* mapped area should fit inside va */
+        if (map_end > va_node->vaddr_start + va_node->size) {
+                gk20a_warn(dev, "fixed offset mapping size overflows va node");
+                return -EINVAL;
+        }
+
         /* check that this mappings does not collide with existing
          * mappings by checking the overlapping area between the current
          * buffer and all other mapped buffers */