
ion: check invalid values in ion_system_heap

ion_system_heap can only satisfy page alignment, and
ion_system_contig_heap can only satisfy alignment to the
allocation size.  Neither can support faulting user mappings
because they use slab pages.

Signed-off-by: Colin Cross <ccross@android.com>
Signed-off-by: John Stultz <john.stultz@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Colin Cross 11 years ago
parent
commit
c13d1df947
1 changed file with 14 additions and 0 deletions

+ 14 - 0
drivers/staging/android/ion/ion_system_heap.c

@@ -150,6 +150,12 @@ static int ion_system_heap_allocate(struct ion_heap *heap,
 	long size_remaining = PAGE_ALIGN(size);
 	unsigned int max_order = orders[0];
 
+	if (align > PAGE_SIZE)
+		return -EINVAL;
+
+	if (ion_buffer_fault_user_mappings(buffer))
+		return -EINVAL;
+
 	INIT_LIST_HEAD(&pages);
 	while (size_remaining > 0) {
 		info = alloc_largest_available(sys_heap, buffer, size_remaining, max_order);
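Review bot: The two new -EINVAL returns at the top of ion_system_heap_allocate carry no comment, so the reason each request is rejected lives only in the commit message. A one-line comment above each check (this heap only guarantees page alignment; its pages cannot back faulting user mappings) would keep the constraint visible to whoever next touches the allocator. Both failures also return the same errno with no log line, which leaves a caller unable to tell an alignment rejection from a flags rejection; a pr_debug on each path would help when a client starts failing here. The same ion_buffer_fault_user_mappings(buffer) test is repeated in ion_system_contig_heap_allocate, so a small shared helper would keep the two heaps from drifting apart.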
@@ -362,6 +368,14 @@ static int ion_system_contig_heap_allocate(struct ion_heap *heap,
 					   unsigned long align,
 					   unsigned long flags)
 {
+	int order = get_order(len);
+
+	if (align > (PAGE_SIZE << order))
+		return -EINVAL;
+
+	if (ion_buffer_fault_user_mappings(buffer))
+		return -EINVAL;
+
 	buffer->priv_virt = kzalloc(len, GFP_KERNEL);
 	if (!buffer->priv_virt)
 		return -ENOMEM;
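Review bot: The bound in "if (align > (PAGE_SIZE << order))" accepts any alignment up to the rounded-up allocation size, but the buffer itself still comes from kzalloc(len, GFP_KERNEL), and nothing in this hunk shows that kzalloc returns memory aligned to PAGE_SIZE << order. If that guarantee is not documented for the slab allocator in use, a request with align larger than the allocator's actual alignment passes this check and gets a buffer that does not meet it; either state the guarantee in a comment here or tighten the bound to what kzalloc is known to provide. Separately, order is derived from len before any visible check that len is non-zero, so it is worth confirming the caller rejects a zero-length request before get_order(len) is evaluated.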