From f006e2daebfced8afa5f9567bcaff8dd3d798265 Mon Sep 17 00:00:00 2001
From: Alex Waterman <alexw@nvidia.com>
Date: Mon, 28 Aug 2017 10:55:26 -0700
Subject: [PATCH] gpu: nvgpu: Validate buffer_offset argument

Validate the mapping_size argument in the VM mapping IOCTL before
attempting to use the argument for anything.

Bug 1954931
Bug 1965443

Change-Id: I81b22dc566c6c6f89e5e62604ce996376b33a343
Signed-off-by: Alex Waterman <alexw@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1547046
Signed-off-by: Debarshi Dutta <ddutta@nvidia.com>
(cherry picked from commit e68391690cfcc23b77c68aec3f9605badea226ed in
dev-kernel)
Reviewed-on: https://git-master.nvidia.com/r/1601466
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bibek Basu <bbasu@nvidia.com>
Reviewed-by: mobile promotions <svcmobile_promotions@nvidia.com>
Tested-by: mobile promotions <svcmobile_promotions@nvidia.com>
---
 drivers/gpu/nvgpu/gk20a/mm_gk20a.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/drivers/gpu/nvgpu/gk20a/mm_gk20a.c b/drivers/gpu/nvgpu/gk20a/mm_gk20a.c
index 98f19165a..90ff7acc9 100644
--- a/drivers/gpu/nvgpu/gk20a/mm_gk20a.c
+++ b/drivers/gpu/nvgpu/gk20a/mm_gk20a.c
@@ -2472,6 +2472,12 @@ u64 gk20a_vm_map(struct vm_gk20a *vm,
 				      min_t(u64, bfr.size, bfr.align));
 	mapping_size = mapping_size ? mapping_size : bfr.size;
 
+	if ((mapping_size > bfr.size) ||
+	    (buffer_offset > (bfr.size - mapping_size))) {
+		err = -EINVAL;
+		goto clean_up;
+	}
+
 	/* Check if we should use a fixed offset for mapping this buffer */
 	if (flags & NVGPU_AS_MAP_BUFFER_FLAGS_FIXED_OFFSET)  {
 		err = validate_fixed_buffer(vm, &bfr,