From e68391690cfcc23b77c68aec3f9605badea226ed Mon Sep 17 00:00:00 2001
From: Alex Waterman <alexw@nvidia.com>
Date: Mon, 28 Aug 2017 10:55:26 -0700
Subject: gpu: nvgpu: Validate buffer_offset argument

Validate the mapping_size argument in the VM mapping IOCTL before
attempting to use the argument for anything.

Bug 1954931

Change-Id: I81b22dc566c6c6f89e5e62604ce996376b33a343
Signed-off-by: Alex Waterman <alexw@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1547046
Reviewed-by: svc-mobile-coverity <svc-mobile-coverity@nvidia.com>
Reviewed-by: svccoveritychecker <svccoveritychecker@nvidia.com>
Reviewed-by: Konsta Holtta <kholtta@nvidia.com>
GVS: Gerrit_Virtual_Submit
Reviewed-by: Terje Bergstrom <tbergstrom@nvidia.com>
---
 drivers/gpu/nvgpu/common/linux/vm.c | 6 ++++++
 1 file changed, 6 insertions(+)

(limited to 'drivers/gpu')

diff --git a/drivers/gpu/nvgpu/common/linux/vm.c b/drivers/gpu/nvgpu/common/linux/vm.c
index f2a38f7c..58e2da13 100644
--- a/drivers/gpu/nvgpu/common/linux/vm.c
+++ b/drivers/gpu/nvgpu/common/linux/vm.c
@@ -266,6 +266,12 @@ u64 nvgpu_vm_map(struct vm_gk20a *vm,
 	mapping_size = mapping_size ? mapping_size : bfr.size;
 	mapping_size = ALIGN(mapping_size, SZ_4K);
 
+	if ((mapping_size > bfr.size) ||
+	    (buffer_offset > (bfr.size - mapping_size))) {
+		err = -EINVAL;
+		goto clean_up;
+	}
+
 	/* Check if we should use a fixed offset for mapping this buffer */
 	if (flags & NVGPU_AS_MAP_BUFFER_FLAGS_FIXED_OFFSET)  {
 		err = nvgpu_vm_area_validate_buffer(vm, offset_align, mapping_size,
-- 
cgit v1.2.2