gpu: nvgpu: avoid possible ovrflw in dmabuf check

In gk20a_vm_map_buffer, when checking dmabuf size, avoid possible overflow of buffer offset + buffer size Bug 1793926 Change-Id: Iaa85bbd2942546015a233f34388309c6ba01412c Signed-off-by: Peter Daifuku <pdaifuku@nvidia.com> Reviewed-on: http://git-master/r/1488051 (cherry picked from commit 62346ede6c0863d36dc5d91527647130a13eff53) Reviewed-on: http://git-master/r/1501696 (cherry picked from commit 745c273ac80fad14f019b7c59bb797c4e22f4781) Reviewed-on: https://git-master.nvidia.com/r/1528182 Reviewed-by: Automatic_Commit_Validation_User GVS: Gerrit_Virtual_Submit Reviewed-by: Alex Waterman <alexw@nvidia.com> Reviewed-by: Vladislav Buzov <vbuzov@nvidia.com> Reviewed-by: Terje Bergstrom <tbergstrom@nvidia.com>
author: Peter Daifuku <pdaifuku@nvidia.com> 2017-05-23 13:32:33 -0400
committer: mobile promotions <svcmobile_promotions@nvidia.com> 2017-07-28 00:41:21 -0400
commit: 02acac71b3def0f9a9c63eb7ca2e49e57c46e64d (patch)
tree: a236f428770d2a1cf62d33cc56be78b8568b92b7 /drivers/gpu/nvgpu/gk20a/mm_gk20a.c
parent: f391f53c089ec12fcc501c491430380b668e3cbf (diff)
1 files changed, 9 insertions, 1 deletions
diff --git a/drivers/gpu/nvgpu/gk20a/mm_gk20a.c b/drivers/gpu/nvgpu/gk20a/mm_gk20a.c
index c4dfb1b3..f4395116 100644
--- a/drivers/gpu/nvgpu/gk20a/mm_gk20a.c
+++ b/drivers/gpu/nvgpu/gk20a/mm_gk20a.c
@@ -1997,7 +1997,15 @@ int nvgpu_vm_map_buffer(struct vm_gk20a *vm,
                return PTR_ERR(dmabuf);
        }
-        if (dmabuf->size < (buffer_offset + mapping_size)) {
+        /* verify that we're not overflowing the buffer, i.e.
+         * (buffer_offset + mapping_size)> dmabuf->size.
+         *
+         * Since buffer_offset + mapping_size could overflow, first check
+         * that mapping size < dmabuf_size, at which point we can subtract
+         * mapping_size from both sides for the final comparison.
+         */
+        if ((mapping_size > dmabuf->size) ||
+                        (buffer_offset > (dmabuf->size - mapping_size))) {
                nvgpu_err(gk20a_from_vm(vm),
                        "buf size %llx < (offset(%llx) + map_size(%llx))\n",
                        (u64)dmabuf->size, buffer_offset, mapping_size);
author	Peter Daifuku <pdaifuku@nvidia.com>	2017-05-23 13:32:33 -0400
committer	mobile promotions <svcmobile_promotions@nvidia.com>	2017-07-28 00:41:21 -0400
commit	02acac71b3def0f9a9c63eb7ca2e49e57c46e64d (patch)
tree	a236f428770d2a1cf62d33cc56be78b8568b92b7 /drivers/gpu/nvgpu/gk20a/mm_gk20a.c
parent	f391f53c089ec12fcc501c491430380b668e3cbf (diff)

diff --git a/drivers/gpu/nvgpu/gk20a/mm_gk20a.c b/drivers/gpu/nvgpu/gk20a/mm_gk20a.c index c4dfb1b3..f4395116 100644 --- a/drivers/gpu/nvgpu/gk20a/mm_gk20a.c +++ b/drivers/gpu/nvgpu/gk20a/mm_gk20a.c
@@ -1997,7 +1997,15 @@ int nvgpu_vm_map_buffer(struct vm_gk20a *vm,
1997	return PTR_ERR(dmabuf);	1997	return PTR_ERR(dmabuf);
1998	}	1998	}
1999		1999
2000	if (dmabuf->size < (buffer_offset + mapping_size)) {	2000	/* verify that we're not overflowing the buffer, i.e.
		2001	* (buffer_offset + mapping_size)> dmabuf->size.
		2002	*
		2003	* Since buffer_offset + mapping_size could overflow, first check
		2004	* that mapping size < dmabuf_size, at which point we can subtract
		2005	* mapping_size from both sides for the final comparison.
		2006	*/
		2007	if ((mapping_size > dmabuf->size) \|\|
		2008	(buffer_offset > (dmabuf->size - mapping_size))) {
2001	nvgpu_err(gk20a_from_vm(vm),	2009	nvgpu_err(gk20a_from_vm(vm),
2002	"buf size %llx < (offset(%llx) + map_size(%llx))\n",	2010	"buf size %llx < (offset(%llx) + map_size(%llx))\n",
2003	(u64)dmabuf->size, buffer_offset, mapping_size);	2011	(u64)dmabuf->size, buffer_offset, mapping_size);