From 1ab9257209eba2b98a2b52f294c2de15e4b646f3 Mon Sep 17 00:00:00 2001
From: Surbhi Singh
Date: Wed, 27 Nov 2024 08:41:37 +0000
Subject: [PATCH] video: tegra: nvmap: Fix INT30-C overflow defects
Adding check for multiplication overflow and return error in case of overflow condition. No. of defects fixed - 4 INT30-C and INT 08-C.
JIRA: TMM-5724
Bug 4479044
Change-Id: I00d4a65787a2c516f5c2c410729dfc2a89f65e25
Signed-off-by: Surbhi Singh
Reviewed-on: https://git-master.nvidia.com/r/c/linux-nv-oot/+/3258030
GVS: buildbot_gerritrpt
Reviewed-by: Sachin Nikam
Reviewed-by: Ketan Patil
Reviewed-by: N V S Abhishek
---
 drivers/video/tegra/nvmap/nvmap_pp.c | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)
diff --git a/drivers/video/tegra/nvmap/nvmap_pp.c b/drivers/video/tegra/nvmap/nvmap_pp.c
index 67b933e7..7e65c1d5 100644
--- a/drivers/video/tegra/nvmap/nvmap_pp.c
+++ b/drivers/video/tegra/nvmap/nvmap_pp.c
@@ -477,6 +477,10 @@ u32 nvmap_page_pool_fill_lots(struct nvmap_page_pool *pool,
 save_to_zero = pool->to_zero;
+ BUG_ON(pool->max < pool->count);
+ BUG_ON(pool->max - pool->count < pool->to_zero);
+ BUG_ON(pool->max - pool->count - pool->to_zero < pool->under_zero);
+
 ret = min(nr, pool->max - pool->count - pool->to_zero - pool->under_zero);
 for (i = 0; i < ret; i++) {
@@ -744,6 +748,7 @@ int nvmap_page_pool_init(struct nvmap_device *dev)
 {
 struct sysinfo info;
 struct nvmap_page_pool *pool;
+ unsigned long result;
 dev->pool = kzalloc(sizeof(*dev->pool), GFP_KERNEL);
 if (dev->pool == NULL)
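Review bot: The three `BUG_ON()` checks added before `ret = min(...)` in nvmap_page_pool_fill_lots halt the kernel whenever the pool counters are inconsistent, so an accounting error becomes a full system crash rather than a failed fill. The function already returns the number of pages it filled, so the wrap-around can be rejected without panicking, for example `if (WARN_ON_ONCE(pool->count > pool->max || pool->to_zero > pool->max - pool->count || pool->under_zero > pool->max - pool->count - pool->to_zero)) ret = 0;` with the existing `min()` in the `else` branch. If any of these counters can be influenced from user space (not visible here), a reachable `BUG_ON()` is a local denial of service. The function body starts and ends outside the hunk, so confirm that the loop and any unlock that follow behave correctly when `ret` is 0.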
@@ -764,10 +769,15 @@ int nvmap_page_pool_init(struct nvmap_device *dev)
 si_meminfo(&info);
 pr_info("Total RAM pages: %lu\n", info.totalram);
- if (!NVMAP_CONFIG_PAGE_POOL_SIZE)
+ if (!NVMAP_CONFIG_PAGE_POOL_SIZE) {
 /* The ratio is pool pages per 1K ram pages.
 * So, the >> 10 */
- pool->max = (info.totalram * NVMAP_PP_POOL_SIZE) >> 10;
+
+ if (check_mul_overflow(info.totalram, (unsigned long)NVMAP_PP_POOL_SIZE, &result))
+ goto fail;
+
+ pool->max = (result) >> 10;
+ }
 else
 pool->max = NVMAP_CONFIG_PAGE_POOL_SIZE;
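Review bot: The overflow branch in nvmap_page_pool_init jumps to `fail` without setting an error value or logging anything, so a failed init from this path cannot be told apart from any other failure. The `fail` label is outside the hunk, so it is not visible which code it returns; if it reports an allocation failure, an overflow-specific code would be clearer. I would add `pr_err("nvmap: page pool size calculation overflowed\n");` before the `goto fail;`. As a style point, the `if` branch now has braces while the `else` branch does not; kernel coding style wants both braced (`} else {` … `}`), and the parentheses in `(result) >> 10` are redundant.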