From 026781c82ca42371c9263f449c2fd1d45d60dc20 Mon Sep 17 00:00:00 2001
From: Konsta Holtta
Date: Thu, 9 Oct 2014 16:37:36 +0300
Subject: gpu: nvgpu: require mapped buffer be inside va

When validating buffers to be mapped, check that the buffer end does not overflow over the virtual address node space.

Bug 1562361

Change-Id: I3c78ec7380584ae55f1e6bf576f524abee846ddd
Signed-off-by: Konsta Holtta
---
 drivers/gpu/nvgpu/gk20a/mm_gk20a.c | 13 +++++++++++++
 1 file changed, 13 insertions(+)

(limited to 'drivers')

diff --git a/drivers/gpu/nvgpu/gk20a/mm_gk20a.c b/drivers/gpu/nvgpu/gk20a/mm_gk20a.c
index e8e80a99..dd23023b 100644
--- a/drivers/gpu/nvgpu/gk20a/mm_gk20a.c
+++ b/drivers/gpu/nvgpu/gk20a/mm_gk20a.c
@@ -1080,6 +1080,13 @@ static int validate_fixed_buffer(struct vm_gk20a *vm,
 struct device *dev = dev_from_vm(vm);
 struct vm_reserved_va_node *va_node;
 struct mapped_buffer_node *buffer;
+ u64 map_end = map_offset + map_size;
+
+ /* can wrap around with insane map_size; zero is disallowed too */
+ if (map_end <= map_offset) {
+ gk20a_warn(dev, "fixed offset mapping with invalid map_size");
+ return -EINVAL;
+ }
 
 if (map_offset & gmmu_page_offset_masks[bfr->pgsz_idx]) {
 gk20a_err(dev, "map offset must be buffer page size aligned 0x%llx",
@@ -1094,6 +1101,12 @@ static int validate_fixed_buffer(struct vm_gk20a *vm,
 return -EINVAL;
 }
 
+ /* mapped area should fit inside va */
+ if (map_end > va_node->vaddr_start + va_node->size) {
+ gk20a_warn(dev, "fixed offset mapping size overflows va node");
+ return -EINVAL;
+ }
+
 /* check that this mappings does not collide with existing
 * mappings by checking the overlapping area between the current
 * buffer and all other mapped buffers */
--
cgit v1.2.2
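Review bot: The two new rejection paths log a fixed string with `gk20a_warn`, whereas the alignment check directly below uses `gk20a_err` and prints the offending value with `0x%llx`; the wraparound branch in this hunk and the va-node branch in the second hunk should follow one convention. Including the rejected values makes a refused mapping much easier to triage, for example `gk20a_warn(dev, "fixed offset mapping with invalid map_size 0x%llx at 0x%llx", map_size, map_offset);`, assuming both parameters are `u64` (their declarations are outside the hunk). If this validation is reachable from a userspace mapping request, which is not visible here, a rate-limited log call would keep a misbehaving client from flooding the kernel log.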
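Review bot: The added bound check compares only the end of the mapping with the end of the node, so it is sound only if `map_offset >= va_node->vaddr_start` is already guaranteed by the lookup that produced `va_node`, and that lookup is outside this hunk. If that is what the lookup guarantees, a comment such as `/* va_node was found by map_offset, so only the end needs checking */` would keep a later change to the lookup from silently weakening the check. The right-hand sum `va_node->vaddr_start + va_node->size` is itself unchecked; once the offset is known to lie inside the node, the form `map_size > va_node->size - (map_offset - va_node->vaddr_start)` cannot wrap. validate_fixed_buffer starts and ends outside the hunk.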