From 73f74915eefa6f438e488f4a8cb69a6942d97592 Mon Sep 17 00:00:00 2001
From: Ketan Patil
Date: Mon, 3 Feb 2025 10:18:38 +0000
Subject: [PATCH] video: tegra: nvmap: Add checks for input flags

In order to serve MEMSERV70-REQ-670 requirement, which makes validation checks mandatory for input flowing across execution boundary. Hence add checks for input flags in nvmap and make sure the execution does not proceed if flag other than read or write is provided in handle duplication, creating sciipc id or during handle creation from sciipc id even though the checks are present at libnvrm_mem layer.

JIRA TMM-5962

Change-Id: I1fc6ce6ec4435c50220d4e49a08de50320a8f574
Signed-off-by: Ketan Patil
Reviewed-on: https://git-master.nvidia.com/r/c/linux-nv-oot/+/3295201
GVS: buildbot_gerritrpt
Reviewed-by: Pritesh Raithatha
Reviewed-by: svcacv
---
 drivers/video/tegra/nvmap/nvmap_ioctl.c | 19 +++++++++++++++++--
 1 file changed, 17 insertions(+), 2 deletions(-)

diff --git a/drivers/video/tegra/nvmap/nvmap_ioctl.c b/drivers/video/tegra/nvmap/nvmap_ioctl.c
index fa69818c..a750ec6e 100644
--- a/drivers/video/tegra/nvmap/nvmap_ioctl.c
+++ b/drivers/video/tegra/nvmap/nvmap_ioctl.c
@@ -999,6 +999,11 @@ int nvmap_ioctl_get_sci_ipc_id(struct file *filp, void __user *arg)
 if (copy_from_user(&op, arg, sizeof(op)))
 return -EFAULT;

+ if ((op.flags & (PROT_READ | PROT_WRITE)) == 0) {
+ pr_err("Invalid input flags\n");
+ return -EINVAL;
+ }
+
 handle = nvmap_handle_get_from_id(client, op.handle);
 if (IS_ERR_OR_NULL(handle))
 return -ENODEV;
@@ -1062,6 +1067,11 @@ int nvmap_ioctl_handle_from_sci_ipc_id(struct file *filp, void __user *arg)
 goto exit;
 }

+ if ((op.flags & (PROT_READ | PROT_WRITE)) == 0) {
+ pr_err("Invalid input flags\n");
+ return -EINVAL;
+ }
+
 ret = nvmap_validate_sci_ipc_params(client, op.auth_token, &pr_vuid, &lclu_vuid);
 if (ret)
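Review bot: The new guard in nvmap_ioctl_get_sci_ipc_id rejects only a value with neither PROT_READ nor PROT_WRITE set, so any other bit (PROT_EXEC, or an undefined high bit) is accepted as long as one of the two is present, which is weaker than the commit message's "flag other than read or write". If only those two bits are meant to be valid, the test should also reject unknown bits, for example `if (!op.flags || (op.flags & ~(PROT_READ | PROT_WRITE)))`. The same mask test is repeated in nvmap_ioctl_handle_from_sci_ipc_id and in nvmap_ioctl_dup_handle (on `op.access_flags`) and has the same gap. The function bodies start and end outside the hunks, so whether a later consumer ignores the extra bits cannot be confirmed from here.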
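Review bot: The added check in nvmap_ioctl_handle_from_sci_ipc_id leaves with a bare `return -EINVAL;` while the context line just above it uses `goto exit;`, so this is the one failure path in view that skips the function's common exit. Unless the exit label is known to do nothing but return, write `ret = -EINVAL;` followed by `goto exit;` so that any cleanup or tracing placed there still runs; the label itself is outside the hunk. `pr_err` on a value the caller fully controls also lets any process that can open the device fill the kernel log, so `pr_err_ratelimited` with the ioctl name in the message would fit better here and in the other two checks.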
@@ -1151,18 +1161,23 @@ int nvmap_ioctl_dup_handle(struct file *filp, void __user *arg)
 }
 #endif /* NVMAP_CONFIG_ENABLE_FOREIGN_BUFFER && NVMAP_CONFIG_HANDLE_AS_ID */

+ if ((op.access_flags & (PROT_READ | PROT_WRITE)) == 0) {
+ pr_err("Invalid input flags\n");
+ return -EINVAL;
+ }
+
 if (is_nvmap_id_ro(client, op.handle, &is_ro) != 0) {
 pr_err("Handle ID RO check failed\n");
 return -EINVAL;
 }

 /* Don't allow duplicating RW handle from RO handle */
- if (is_ro && op.access_flags != NVMAP_HANDLE_RO) {
+ if (is_ro && op.access_flags != PROT_READ) {
 pr_err("Duplicating RW handle from RO handle is not allowed\n");
 return -EPERM;
 }

- is_ro = (op.access_flags == NVMAP_HANDLE_RO);
+ is_ro = (op.access_flags == PROT_READ);
 if (!is_ro)
 ref = nvmap_create_handle_from_id(client, op.handle);
 else
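Review bot: After the mask check, nvmap_ioctl_dup_handle still decides read-only by exact equality, `is_ro = (op.access_flags == PROT_READ);`, so a value such as PROT_READ plus a stray bit passes the new check and then takes the non-RO branch (`nvmap_create_handle_from_id`) when the source handle is not read-only. Comparing the masked value, `(op.access_flags & (PROT_READ | PROT_WRITE)) == PROT_READ`, or rejecting unknown bits up front, would make the two tests agree. The check also sits after the `#endif` of the foreign-buffer block, whose body is outside the hunk; if that block can act on `op` or return, the validation should move above it. Replacing `NVMAP_HANDLE_RO` with `PROT_READ` changes what callers must pass unless the two values are equal, which deserves a comment such as `/* access_flags uses PROT_* values, same as the sciipc ioctls */`.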