gpu: nvgpu: avoid possible ovrflw in dmabuf check

In gk20a_vm_map_buffer, when checking dmabuf size, avoid possible overflow of buffer offset + buffer size Bug 1793926 Change-Id: Iaa85bbd2942546015a233f34388309c6ba01412c Signed-off-by: Peter Daifuku <pdaifuku@nvidia.com> Reviewed-on: http://git-master/r/1488051 (cherry picked from commit 62346ede6c0863d36dc5d91527647130a13eff53) Reviewed-on: http://git-master/r/1501696 (cherry picked from commit 745c273ac80fad14f019b7c59bb797c4e22f4781) Reviewed-on: https://git-master.nvidia.com/r/1528182 Reviewed-by: Automatic_Commit_Validation_User GVS: Gerrit_Virtual_Submit Reviewed-by: Alex Waterman <alexw@nvidia.com> Reviewed-by: Vladislav Buzov <vbuzov@nvidia.com> Reviewed-by: Terje Bergstrom <tbergstrom@nvidia.com>
2025-12-23 01:50:07 +03:00 · 2017-05-23 10:32:33 -07:00
parent f391f53c08
commit 02acac71b3
1 changed files with 9 additions and 1 deletions
--- a/drivers/gpu/nvgpu/gk20a/mm_gk20a.c
+++ b/drivers/gpu/nvgpu/gk20a/mm_gk20a.c
@@ -1997,7 +1997,15 @@ int nvgpu_vm_map_buffer(struct vm_gk20a *vm,
 		return PTR_ERR(dmabuf);
 	}

-	if (dmabuf->size < (buffer_offset + mapping_size)) {
+	/* verify that we're not overflowing the buffer, i.e.
+	 * (buffer_offset + mapping_size)> dmabuf->size.
+	 *
+	 * Since buffer_offset + mapping_size could overflow, first check
+	 * that mapping size < dmabuf_size, at which point we can subtract
+	 * mapping_size from both sides for the final comparison.
+	 */
+	if ((mapping_size > dmabuf->size) ||
+			(buffer_offset > (dmabuf->size - mapping_size))) {
 		nvgpu_err(gk20a_from_vm(vm),
 			"buf size %llx < (offset(%llx) + map_size(%llx))\n",
 			(u64)dmabuf->size, buffer_offset, mapping_size);