author | Linux Build Service Account <lnxbuild@localhost> | 2017-02-10 15:47:10 -0800 |
---|---|---|
committer | Gerrit - the friendly Code Review server <code-review@localhost> | 2017-02-10 15:47:09 -0800 |
commit | aa5e93343ffb134b348624b74150b7c885c4e25a (patch) | |
tree | 97f6cd29c5b360a4e3e216de4d493d43bd66e965 | |
parent | 45ad5727c99fa3e06acd6977de2bddb47ce758d1 (diff) | |
parent | f348e5caf22f88bec534c2761e850e5279d78ed5 (diff) |
Merge "msm: kgsl: Fix Integer overflow in sparse_bind related functions"
-rw-r--r-- | drivers/gpu/msm/kgsl.c | 7 |
1 files changed, 5 insertions, 2 deletions
diff --git a/drivers/gpu/msm/kgsl.c b/drivers/gpu/msm/kgsl.c
index bae3884aa277..2b227f2c3a6c 100644
--- a/drivers/gpu/msm/kgsl.c
+++ b/drivers/gpu/msm/kgsl.c
@@ -1,4 +1,4 @@
-/* Copyright (c) 2008-2016, The Linux Foundation. All rights reserved.
+/* Copyright (c) 2008-2017, The Linux Foundation. All rights reserved.
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 2 and
@@ -3617,6 +3617,9 @@ static inline bool _is_phys_bindable(struct kgsl_mem_entry *phys_entry,
 if (!IS_ALIGNED(offset | size, kgsl_memdesc_get_pagesize(memdesc)))
 return false;

+ if (offset + size < offset)
+ return false;
+
 if (!(flags & KGSL_SPARSE_BIND_MULTIPLE_TO_PHYS) &&
 offset + size > memdesc->size)
 return false;
@@ -3744,7 +3747,7 @@ long kgsl_ioctl_sparse_bind(struct kgsl_device_private *dev_priv,
 break;

 /* Sanity check initial range */
- if (obj.size == 0 ||
+ if (obj.size == 0 || obj.virtoffset + obj.size < obj.size ||
 obj.virtoffset + obj.size > virt_entry->memdesc.size ||
 !(IS_ALIGNED(obj.virtoffset | obj.size, pg_sz))) {
 ret = -EINVAL; |
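Review bot: The wrap test added to `_is_phys_bindable` (`if (offset + size < offset)`) has no comment. It is the only range check visible in this hunk that still applies when `KGSL_SPARSE_BIND_MULTIPLE_TO_PHYS` is set, because the `offset + size > memdesc->size` comparison is skipped for that flag. I would add a comment above it such as `/* Reject a range whose end wraps around; the bound check below relies on offset + size not overflowing */`. The test is only sound if `offset` and `size` are unsigned and of the same width, which is worth confirming because the parameter list is cut off in the hunk header. The function body starts before the hunk and may continue after it.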
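Review bot: The new clause `obj.virtoffset + obj.size < obj.size` in `kgsl_ioctl_sparse_bind` spells the wrap test differently from the one added to `_is_phys_bindable` (`offset + size < offset`), and the bound check on the next line still computes the sum that can wrap. Writing the range check in subtraction form avoids the overflow instead of detecting it: `obj.size > virt_entry->memdesc.size ||` followed by `obj.virtoffset > virt_entry->memdesc.size - obj.size ||`. That form needs no separate wrap clause, and the subtraction cannot underflow once the first comparison has passed. It assumes the `obj` fields and `memdesc.size` are unsigned; their declarations are outside the hunk. The enclosing block and function also start and end outside the hunk.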