From 02acac71b3def0f9a9c63eb7ca2e49e57c46e64d Mon Sep 17 00:00:00 2001
From: Peter Daifuku
Date: Tue, 23 May 2017 10:32:33 -0700
Subject: gpu: nvgpu: avoid possible ovrflw in dmabuf check
In gk20a_vm_map_buffer, when checking dmabuf size, avoid possible overflow of buffer offset + buffer size
Bug 1793926
Change-Id: Iaa85bbd2942546015a233f34388309c6ba01412c
Signed-off-by: Peter Daifuku
Reviewed-on: http://git-master/r/1488051
(cherry picked from commit 62346ede6c0863d36dc5d91527647130a13eff53)
Reviewed-on: http://git-master/r/1501696
(cherry picked from commit 745c273ac80fad14f019b7c59bb797c4e22f4781)
Reviewed-on: https://git-master.nvidia.com/r/1528182
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Reviewed-by: Alex Waterman
Reviewed-by: Vladislav Buzov
Reviewed-by: Terje Bergstrom
---
 drivers/gpu/nvgpu/gk20a/mm_gk20a.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)
(limited to 'drivers')
diff --git a/drivers/gpu/nvgpu/gk20a/mm_gk20a.c b/drivers/gpu/nvgpu/gk20a/mm_gk20a.c
index c4dfb1b3..f4395116 100644
--- a/drivers/gpu/nvgpu/gk20a/mm_gk20a.c
+++ b/drivers/gpu/nvgpu/gk20a/mm_gk20a.c
@@ -1997,7 +1997,15 @@ int nvgpu_vm_map_buffer(struct vm_gk20a *vm,
 return PTR_ERR(dmabuf);
 }

- if (dmabuf->size < (buffer_offset + mapping_size)) {
+ /* verify that we're not overflowing the buffer, i.e.
+ * (buffer_offset + mapping_size)> dmabuf->size.
+ *
+ * Since buffer_offset + mapping_size could overflow, first check
+ * that mapping size < dmabuf_size, at which point we can subtract
+ * mapping_size from both sides for the final comparison.
+ */
+ if ((mapping_size > dmabuf->size) ||
+ (buffer_offset > (dmabuf->size - mapping_size))) {
 nvgpu_err(gk20a_from_vm(vm),
 "buf size %llx < (offset(%llx) + map_size(%llx))\n",
 (u64)dmabuf->size, buffer_offset, mapping_size);
--
cgit v1.2.2
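Review bot: The comment added above the new bounds check does not match the condition it documents: it says to first check `mapping size < dmabuf_size`, while the code rejects only `mapping_size > dmabuf->size`, so equality is accepted and the subtraction then yields 0. The `i.e.` clause also states the rejected case rather than what is being verified. I would reword those lines to `* Reject the mapping if buffer_offset + mapping_size > dmabuf->size.` and `* that mapping_size <= dmabuf->size, so dmabuf->size - mapping_size cannot wrap`, and add that the order of the two `||` operands matters, because the subtraction is only safe once the first test has passed. The body of nvgpu_vm_map_buffer starts and ends outside the hunk, so whether a zero `mapping_size` has a special meaning for callers cannot be checked from here.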