diff options
| author | Sunil Khatri <sunilkh@codeaurora.org> | 2016-04-29 09:22:49 -0600 |
|---|---|---|
| committer | Jeevan Shriram <jshriram@codeaurora.org> | 2016-05-05 15:05:57 -0700 |
| commit | c1f7d84b6a23e762fe0e10345d620f03aec92d25 (patch) | |
| tree | 1b4ad92d0d0fc05f6e54c12119e9462a8bab8890 /drivers/gpu/msm | |
| parent | c17a79f16df86873163fca79a4ae0e38dbf14167 (diff) | |
msm: kgsl: Fix overflow in sharedmem read/write functions
There could be possibility of integer overflow on adding
sizeof(uint32_t) with uint64_t maximum offset bytes and result
in a value smaller than uint64_t maximum memdesc size.
CRs-Fixed: 988861
Change-Id: Ifc3ec45297c2a29ad6f7d70dd0bd59238ac8cc3d
Signed-off-by: Sunil Khatri <sunilkh@codeaurora.org>
Diffstat (limited to 'drivers/gpu/msm')
| -rw-r--r-- | drivers/gpu/msm/kgsl_sharedmem.c | 16 |
1 files changed, 8 insertions, 8 deletions
diff --git a/drivers/gpu/msm/kgsl_sharedmem.c b/drivers/gpu/msm/kgsl_sharedmem.c index cc5e921ce920..4cb9bc5d1651 100644 --- a/drivers/gpu/msm/kgsl_sharedmem.c +++ b/drivers/gpu/msm/kgsl_sharedmem.c @@ -901,8 +901,8 @@ kgsl_sharedmem_readl(const struct kgsl_memdesc *memdesc, if (offsetbytes % sizeof(uint32_t) != 0) return -EINVAL; - WARN_ON(offsetbytes + sizeof(uint32_t) > memdesc->size); - if (offsetbytes + sizeof(uint32_t) > memdesc->size) + WARN_ON(offsetbytes > (memdesc->size - sizeof(uint32_t))); + if (offsetbytes > (memdesc->size - sizeof(uint32_t))) return -ERANGE; rmb(); @@ -924,8 +924,8 @@ kgsl_sharedmem_writel(struct kgsl_device *device, if (offsetbytes % sizeof(uint32_t) != 0) return -EINVAL; - WARN_ON(offsetbytes + sizeof(uint32_t) > memdesc->size); - if (offsetbytes + sizeof(uint32_t) > memdesc->size) + WARN_ON(offsetbytes > (memdesc->size - sizeof(uint32_t))); + if (offsetbytes > (memdesc->size - sizeof(uint32_t))) return -ERANGE; kgsl_cffdump_write(device, memdesc->gpuaddr + offsetbytes, @@ -950,8 +950,8 @@ kgsl_sharedmem_readq(const struct kgsl_memdesc *memdesc, if (offsetbytes % sizeof(uint32_t) != 0) return -EINVAL; - WARN_ON(offsetbytes + sizeof(uint32_t) > memdesc->size); - if (offsetbytes + sizeof(uint32_t) > memdesc->size) + WARN_ON(offsetbytes > (memdesc->size - sizeof(uint32_t))); + if (offsetbytes > (memdesc->size - sizeof(uint32_t))) return -ERANGE; /* @@ -977,8 +977,8 @@ kgsl_sharedmem_writeq(struct kgsl_device *device, if (offsetbytes % sizeof(uint32_t) != 0) return -EINVAL; - WARN_ON(offsetbytes + sizeof(uint32_t) > memdesc->size); - if (offsetbytes + sizeof(uint32_t) > memdesc->size) + WARN_ON(offsetbytes > (memdesc->size - sizeof(uint32_t))); + if (offsetbytes > (memdesc->size - sizeof(uint32_t))) return -ERANGE; kgsl_cffdump_write(device, lower_32_bits(memdesc->gpuaddr + offsetbytes), src); |