drm/msm: Fix possible overflow issue in submit_cmd

When verifying that the submit_cmd offset and size do not exceed the
bounds of the GEM object make sure to cast the math operation
into a suitably large buffer to account for overflow.

Change-Id: Ic0dedbad97513ee538d539e771038b3cf0405e91
Signed-off-by: Jordan Crouse <jcrouse@codeaurora.org>

1 files changed, 7 insertions, 4 deletions

diff --git a/drivers/gpu/drm/msm/msm_gem_submit.c b/drivers/gpu/drm/msm/msm_gem_submit.c
index c861bfd77537..c8d4dc6e40e0 100644
--- a/drivers/gpu/drm/msm/msm_gem_submit.c
+++ b/drivers/gpu/drm/msm/msm_gem_submit.c
@@ -434,6 +434,7 @@ int msm_ioctl_gem_submit(struct drm_device *dev, void *data,
 			to_user_ptr(args->cmds + (i * sizeof(submit_cmd)));
 		struct msm_gem_object *msm_obj;
 		uint64_t iova;
+		size_t size;
 
 		ret = copy_from_user(&submit_cmd, userptr, sizeof(submit_cmd));
 		if (ret) {
@@ -466,10 +467,12 @@ int msm_ioctl_gem_submit(struct drm_device *dev, void *data,
 			goto out;
 		}
 
-		if (!(submit_cmd.size) ||
-			((submit_cmd.size + submit_cmd.submit_offset) >
-				msm_obj->base.size)) {
-			DRM_ERROR("invalid cmdstream size: %u\n", submit_cmd.size);
+		size = submit_cmd.size + submit_cmd.submit_offset;
+
+		if (!submit_cmd.size || (size < submit_cmd.size) ||
+			(size > msm_obj->base.size)) {
+			DRM_ERROR("invalid cmdstream offset/size: %u/%u\n",
+				submit_cmd.submit_offset, submit_cmd.size);
 			ret = -EINVAL;
 			goto out;
 		}