msm: kgsl: Fix Integer overflow in sparse_bind related functions
There is a possibility of integer overflow when adding
offset to size, resulting in a value smaller than the
memdesc size.
CRs-Fixed: 1109776
Change-Id: I3746f34c9fb8ada28a9b6ed438ca8c296b69e752
Signed-off-by: Sudeep Yedalapure <sudeepy@codeaurora.org>
Signed-off-by: Abhilash Kumar <krabhi@codeaurora.org>
diff --git a/drivers/gpu/msm/kgsl.c b/drivers/gpu/msm/kgsl.c
index 56eae50..280e660 100644
--- a/drivers/gpu/msm/kgsl.c
+++ b/drivers/gpu/msm/kgsl.c
@@ -3627,6 +3627,9 @@
if (!IS_ALIGNED(offset | size, kgsl_memdesc_get_pagesize(memdesc)))
return false;
+ if (offset + size < offset)
+ return false;
+
if (!(flags & KGSL_SPARSE_BIND_MULTIPLE_TO_PHYS) &&
offset + size > memdesc->size)
return false;
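Review bot: The wrap-around guard `if (offset + size < offset)` is only sound when `offset` and `size` are unsigned types of the same width (at least as wide as `int`); if either is signed the addition is undefined behaviour and the compiler is free to drop the comparison, and if one is narrower than `int` the promoted sum never wraps. The function's signature lies outside the hunk, so the parameter types should be confirmed there. A one-line comment such as `/* reject offset + size wrapping around, which would defeat the size check below */` above the guard would make its purpose visible to the next reader, and if this tree ships `linux/overflow.h` then `check_add_overflow()` expresses the same intent type-safely. The second hunk's `obj.virtoffset + obj.size < obj.size` carries the identical caveat for the struct fields.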
@@ -3754,7 +3757,7 @@
break;
/* Sanity check initial range */
- if (obj.size == 0 ||
+ if (obj.size == 0 || obj.virtoffset + obj.size < obj.size ||
obj.virtoffset + obj.size > virt_entry->memdesc.size ||
!(IS_ALIGNED(obj.virtoffset | obj.size, pg_sz))) {
ret = -EINVAL;