1 files changed, 9 insertions, 1 deletions
diff --git a/drivers/gpu/nvgpu/gk20a/mm_gk20a.c b/drivers/gpu/nvgpu/gk20a/mm_gk20a.c
index c4dfb1b3..f4395116 100644
--- a/drivers/gpu/nvgpu/gk20a/mm_gk20a.c
+++ b/drivers/gpu/nvgpu/gk20a/mm_gk20a.c
@@ -1997,7 +1997,15 @@ int nvgpu_vm_map_buffer(struct vm_gk20a *vm,
                return PTR_ERR(dmabuf);
        }
-        if (dmabuf->size < (buffer_offset + mapping_size)) {
+        /* verify that we're not overflowing the buffer, i.e.
+         * (buffer_offset + mapping_size)> dmabuf->size.
+         *
+         * Since buffer_offset + mapping_size could overflow, first check
+         * that mapping size < dmabuf_size, at which point we can subtract
+         * mapping_size from both sides for the final comparison.
+         */
+        if ((mapping_size > dmabuf->size) ||
+                        (buffer_offset > (dmabuf->size - mapping_size))) {
                nvgpu_err(gk20a_from_vm(vm),
                        "buf size %llx < (offset(%llx) + map_size(%llx))\n",
                        (u64)dmabuf->size, buffer_offset, mapping_size);

diff --git a/drivers/gpu/nvgpu/gk20a/mm_gk20a.c b/drivers/gpu/nvgpu/gk20a/mm_gk20a.c index c4dfb1b3..f4395116 100644 --- a/drivers/gpu/nvgpu/gk20a/mm_gk20a.c +++ b/drivers/gpu/nvgpu/gk20a/mm_gk20a.c
@@ -1997,7 +1997,15 @@ int nvgpu_vm_map_buffer(struct vm_gk20a *vm,
1997	return PTR_ERR(dmabuf);	1997	return PTR_ERR(dmabuf);
1998	}	1998	}
1999		1999
2000	if (dmabuf->size < (buffer_offset + mapping_size)) {	2000	/* verify that we're not overflowing the buffer, i.e.
		2001	* (buffer_offset + mapping_size)> dmabuf->size.
		2002	*
		2003	* Since buffer_offset + mapping_size could overflow, first check
		2004	* that mapping size < dmabuf_size, at which point we can subtract
		2005	* mapping_size from both sides for the final comparison.
		2006	*/
		2007	if ((mapping_size > dmabuf->size) \|\|
		2008	(buffer_offset > (dmabuf->size - mapping_size))) {
2001	nvgpu_err(gk20a_from_vm(vm),	2009	nvgpu_err(gk20a_from_vm(vm),
2002	"buf size %llx < (offset(%llx) + map_size(%llx))\n",	2010	"buf size %llx < (offset(%llx) + map_size(%llx))\n",
2003	(u64)dmabuf->size, buffer_offset, mapping_size);	2011	(u64)dmabuf->size, buffer_offset, mapping_size);