From 915ce6717f2c28dff183f71b9e2ec127cf2bb4e0 Mon Sep 17 00:00:00 2001
From: Joshua Cha <joshuac@nvidia.com>
Date: Wed, 19 Mar 2025 10:23:55 +0900
Subject: [PATCH] nvsciipc: set nvsciipc max endpoint count

validate nvsciipc max endpoint count.
validate set_db entry pointer.

JIRA NVIPC-3506

Change-Id: Id29531af24367de952b2dccebe23515ad52bfd33
Signed-off-by: Joshua Cha <joshuac@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/c/linux-nv-oot/+/3322061
Reviewed-by: Suneel Kumar Pemmineti <spemmineti@nvidia.com>
Reviewed-by: Simon Je <sje@nvidia.com>
GVS: buildbot_gerritrpt <buildbot_gerritrpt@nvidia.com>
---
 drivers/misc/nvsciipc/nvsciipc.c    | 11 +++++++++--
 include/uapi/linux/nvsciipc_ioctl.h |  8 ++++++++
 2 files changed, 17 insertions(+), 2 deletions(-)

diff --git a/drivers/misc/nvsciipc/nvsciipc.c b/drivers/misc/nvsciipc/nvsciipc.c
index 862b03a2..9232dad2 100644
--- a/drivers/misc/nvsciipc/nvsciipc.c
+++ b/drivers/misc/nvsciipc/nvsciipc.c
@@ -613,8 +613,8 @@ static int nvsciipc_ioctl_set_db(struct nvsciipc *ctx, unsigned int cmd,
 		return -EFAULT;
 	}
 
-	if (user_db.num_eps <= 0) {
-		ERR("invalid value passed for num_eps\n");
+	if ((user_db.num_eps <= 0) || (user_db.num_eps > NVSCIIPC_MAX_EP_COUNT)) {
+		ERR("invalid value passed for num_eps: %d\n", user_db.num_eps);
 		return -EINVAL;
 	}
 
@@ -630,6 +630,13 @@ static int nvsciipc_ioctl_set_db(struct nvsciipc *ctx, unsigned int cmd,
 		goto ptr_error;
 	}
 
+	if (!access_ok(user_db.entry, ctx->num_eps *
+		sizeof(struct nvsciipc_config_entry *))) {
+		ERR("invalid user-space pointer: %p\n", user_db.entry);
+		ret = -EFAULT;
+		goto ptr_error;
+	}
+
 	ret = copy_from_user(entry_ptr, (void __user *)user_db.entry,
 			ctx->num_eps * sizeof(struct nvsciipc_config_entry *));
 	if (ret < 0) {
diff --git a/include/uapi/linux/nvsciipc_ioctl.h b/include/uapi/linux/nvsciipc_ioctl.h
index 942485d4..e46c0a3d 100644
--- a/include/uapi/linux/nvsciipc_ioctl.h
+++ b/include/uapi/linux/nvsciipc_ioctl.h
@@ -6,6 +6,14 @@
 
 #include <linux/ioctl.h>
 
+/*
+ * inter-thread: 2000
+ * inter-process: 16384
+ * inter-vm: 512
+ * inter-chip-pcie: 32
+ */
+#define NVSCIIPC_MAX_EP_COUNT 18928
+
 #define NVSCIIPC_MAX_EP_NAME	64U
 #define NVSCIIPC_MAX_RDMA_NAME	64U
 #define NVSCIIPC_MAX_IP_NAME	16U