diff --git a/drivers/gpu/nvgpu/gk20a/mm_gk20a.c b/drivers/gpu/nvgpu/gk20a/mm_gk20a.c
index e8e80a99a..dd23023b1 100644
--- a/drivers/gpu/nvgpu/gk20a/mm_gk20a.c
+++ b/drivers/gpu/nvgpu/gk20a/mm_gk20a.c
@@ -1080,6 +1080,13 @@ static int validate_fixed_buffer(struct vm_gk20a *vm,
 	struct device *dev = dev_from_vm(vm);
 	struct vm_reserved_va_node *va_node;
 	struct mapped_buffer_node *buffer;
+	u64 map_end = map_offset + map_size;
+
+	/* can wrap around with insane map_size; zero is disallowed too */
+	if (map_end <= map_offset) {
+		gk20a_warn(dev, "fixed offset mapping with invalid map_size");
+		return -EINVAL;
+	}
 	if (map_offset & gmmu_page_offset_masks[bfr->pgsz_idx]) {
 		gk20a_err(dev,
 			"map offset must be buffer page size aligned 0x%llx",
@@ -1094,6 +1101,12 @@ static int validate_fixed_buffer(struct vm_gk20a *vm,
 		return -EINVAL;
 	}
 
+	/* mapped area should fit inside va */
+	if (map_end > va_node->vaddr_start + va_node->size) {
+		gk20a_warn(dev, "fixed offset mapping size overflows va node");
+		return -EINVAL;
+	}
+
 	/* check that this mappings does not collide with existing
 	 * mappings by checking the overlapping area between the current
 	 * buffer and all other mapped buffers */
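Review bot: The new wrap/zero-size rejection in the first hunk logs through gk20a_warn() while the adjacent, pre-existing alignment check on map_offset rejects the same class of caller-supplied argument through gk20a_err() with the offending value, so the two failure paths of one validation routine end up at different log levels and with different diagnostic detail. I would keep one level and include the value, e.g. `gk20a_err(dev, "fixed offset mapping with invalid map_size 0x%llx", map_size);` (assuming map_size is u64 like map_end); the same applies to the gk20a_warn() in the second hunk. The unsigned `map_end <= map_offset` test itself is sound, since u64 addition wraps rather than overflows and the comparison catches both wrap and a zero size, as the comment says. validate_fixed_buffer() starts before the first hunk and continues past the second.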
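Review bot: The upper-bound check `map_end > va_node->vaddr_start + va_node->size` in the second hunk only holds the mapping inside the reservation if va_node is non-NULL and map_offset is already known to be at or above va_node->vaddr_start; both of those depend on the va_node lookup that sits between the two hunks and is not visible here, so it is worth confirming that lookup rejects a NULL node and pins the lower bound, since this hunk checks only the upper one. If it does not, a comment such as `/* va_node lookup above guarantees vaddr_start <= map_offset */` next to the check would document the dependency, or the lower bound could be tested explicitly alongside the upper one. The enclosing function continues past this hunk.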