From 1552e3fb09741309ea2d5cc4433e247bae7265e1 Mon Sep 17 00:00:00 2001
From: Peter Daifuku <pdaifuku@nvidia.com>
Date: Wed, 17 May 2017 17:40:47 -0700
Subject: gpu: nvgpu: check for buffer overflow when mapping

In gk20a_vm_map_buffer, return an error if the buffer size is
less than offset + mapping size.

Bug 1793926

Change-Id: I2209de6a6f2e2b3bd8830659208d6f88bbedc00d
Signed-off-by: Peter Daifuku <pdaifuku@nvidia.com>
Reviewed-on: http://git-master/r/1484442
(cherry picked from commit 7e6a80cb4684a3e2534bc68cba4c1612a845a8f3)
Reviewed-on: http://git-master/r/1488138
(cherry picked from commit 3331f6e47f1d214ad6aaf08ae3e7d241e31d6638)
Reviewed-on: https://git-master.nvidia.com/r/1501677
Reviewed-by: mobile promotions <svcmobile_promotions@nvidia.com>
Tested-by: mobile promotions <svcmobile_promotions@nvidia.com>
---
 drivers/gpu/nvgpu/gk20a/mm_gk20a.c | 7 +++++++
 1 file changed, 7 insertions(+)

(limited to 'drivers/gpu/nvgpu/gk20a/mm_gk20a.c')

diff --git a/drivers/gpu/nvgpu/gk20a/mm_gk20a.c b/drivers/gpu/nvgpu/gk20a/mm_gk20a.c
index fab80e69..c4dfb1b3 100644
--- a/drivers/gpu/nvgpu/gk20a/mm_gk20a.c
+++ b/drivers/gpu/nvgpu/gk20a/mm_gk20a.c
@@ -1997,6 +1997,13 @@ int nvgpu_vm_map_buffer(struct vm_gk20a *vm,
 		return PTR_ERR(dmabuf);
 	}
 
+	if (dmabuf->size < (buffer_offset + mapping_size)) {
+		nvgpu_err(gk20a_from_vm(vm),
+			"buf size %llx < (offset(%llx) + map_size(%llx))\n",
+			(u64)dmabuf->size, buffer_offset, mapping_size);
+		return -EINVAL;
+	}
+
 	err = gk20a_dmabuf_alloc_drvdata(dmabuf, dev_from_vm(vm));
 	if (err) {
 		dma_buf_put(dmabuf);
-- 
cgit v1.2.2