authorLinux Build Service Account <lnxbuild@quicinc.com>2017-06-13 16:28:58 -0700
committerGerrit - the friendly Code Review server <code-review@localhost>2017-06-13 16:28:58 -0700
commit0bb8d348daec6d3877020457bc71cffd585c2c4a (patch)
tree6b01c762c844f3ea63b494575d2e3e8ef06c5ef4
parentf32e95c6374b76de8f94a3839a25a6357ddfa19e (diff)
parent79492490423bc369da4ded113dca7f5a5b38e656 (diff)
Merge "drm/msm: Fix possible overflow issue in submit_cmd"
-rw-r--r--drivers/gpu/drm/msm/msm_gem_submit.c11
1 files changed, 7 insertions, 4 deletions
diff --git a/drivers/gpu/drm/msm/msm_gem_submit.c b/drivers/gpu/drm/msm/msm_gem_submit.c
index f8e87f1acba4..d9ca92ba26e0 100644
--- a/drivers/gpu/drm/msm/msm_gem_submit.c
+++ b/drivers/gpu/drm/msm/msm_gem_submit.c
@@ -434,6 +434,7 @@ int msm_ioctl_gem_submit(struct drm_device *dev, void *data,
to_user_ptr(args->cmds + (i * sizeof(submit_cmd)));
struct msm_gem_object *msm_obj;
uint64_t iova;
+ size_t size;
ret = copy_from_user(&submit_cmd, userptr, sizeof(submit_cmd));
if (ret) {
@@ -466,10 +467,12 @@ int msm_ioctl_gem_submit(struct drm_device *dev, void *data,
goto out;
}
- if (!(submit_cmd.size) ||
- ((submit_cmd.size + submit_cmd.submit_offset) >
- msm_obj->base.size)) {
- DRM_ERROR("invalid cmdstream size: %u\n", submit_cmd.size);
+ size = submit_cmd.size + submit_cmd.submit_offset;
+
+ if (!submit_cmd.size || (size < submit_cmd.size) ||
+ (size > msm_obj->base.size)) {
+ DRM_ERROR("invalid cmdstream offset/size: %u/%u\n",
+ submit_cmd.submit_offset, submit_cmd.size);
ret = -EINVAL;
goto out;
}
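Review bot: The wrap test `size < submit_cmd.size` in the new condition is only valid while the addition wraps at the same width at which it is later compared. Judging by the `%u` format both fields look 32-bit, so the sum wraps in 32 bits before it is stored in `size_t size`; the wider variable adds nothing on a 64-bit kernel, and a future change of either field's type could silently weaken the check. A form that never computes the sum states the bound directly: `if (!submit_cmd.size || submit_cmd.submit_offset > msm_obj->base.size || submit_cmd.size > msm_obj->base.size - submit_cmd.submit_offset)`. A short comment such as `/* offset + size must not wrap and must stay inside the BO */` above the check would record why it exists, since both values arrive from userspace through `copy_from_user`. The body of `msm_ioctl_gem_submit` starts and ends outside this hunk, so any later use of `submit_offset` and `size` is not visible here.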