gpu: nvgpu: fix use of untrusted scalar value

Kind value can be passed to API nvgpu_vm_map() from User
space (through IOCTL NVGPU_AS_IOCTL_MAP_BUFFER_EX)

But kind value is not checked for sane values
before storing it in bfr.kind_v
And then we use this kind value as array index
in gk20a_kind_is_supported() which is incorrect

Fix this by ensuring in nvgpu_vm_map() that the
kind value is well within range

Bug 200291879
Coverity id : 2567923
Coverity id : 2567924

Change-Id: Ic57395018727cbd2260c929581db256e427316c6
Signed-off-by: Deepak Nibade <dnibade@nvidia.com>
Reviewed-on: http://git-master/r/1496597
GVS: Gerrit_Virtual_Submit
Reviewed-by: svccoveritychecker <svccoveritychecker@nvidia.com>
Reviewed-by: Terje Bergstrom <tbergstrom@nvidia.com>

drivers/gpu/nvgpu/common/linux/vm.c

@@ -25,6 +25,7 @@
 
 #include "gk20a/gk20a.h"
 #include "gk20a/mm_gk20a.h"
+#include "gk20a/kind_gk20a.h"
 
 #include "vm_priv.h"
 
@@ -237,7 +238,12 @@ u64 nvgpu_vm_map(struct vm_gk20a *vm,
 		goto clean_up;
 	}
 
-	bfr.kind_v = kind;
+	if (kind >= NV_KIND_ATTR_SIZE) {
+		err = -EINVAL;
+		goto clean_up;
+	} else {
+		bfr.kind_v = kind;
+	}
 	bfr.size = dmabuf->size;
 	sgl = bfr.sgt->sgl;
 

drivers/gpu/nvgpu/gk20a/kind_gk20a.c

@@ -408,11 +408,11 @@ void gk20a_init_uncompressed_kind_map(void)
 		gmmu_pte_kind_x8c24_v();
 }
 
-u16 gk20a_kind_attr[256];
+u16 gk20a_kind_attr[NV_KIND_ATTR_SIZE];
 void gk20a_init_kind_attr(void)
 {
 	u16 k;
-	for (k = 0; k < 256; k++) {
+	for (k = 0; k < NV_KIND_ATTR_SIZE; k++) {
 		gk20a_kind_attr[k] = 0;
 		if (gk20a_kind_supported((u8)k))
 			gk20a_kind_attr[k] |= GK20A_KIND_ATTR_SUPPORTED;

drivers/gpu/nvgpu/gk20a/kind_gk20a.h

@@ -27,6 +27,7 @@ void gk20a_init_uncompressed_kind_map(void);
 void gk20a_init_kind_attr(void);
 
 extern u16 gk20a_kind_attr[];
+#define NV_KIND_ATTR_SIZE		256
 #define NV_KIND_DEFAULT		     -1
 
 #define GK20A_KIND_ATTR_SUPPORTED    BIT(0)