--- /dev/null
+From 65e93108891e571f177c202add9288eda9ac4100 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Fri, 30 Jun 2017 10:59:15 +0300
+Subject: drm/msm: fix an integer overflow test
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit 65e93108891e571f177c202add9288eda9ac4100 upstream.
+
+We recently added an integer overflow check but it needs an additional
+tweak to work properly on 32 bit systems.
+
+The problem is that we're doing the right hand side of the assignment as
+type unsigned long so the max it will have an integer overflow instead
+of being larger than SIZE_MAX. That means the "sz > SIZE_MAX" condition
+is never true even on 32 bit systems. We need to first cast it to u64
+and then do the math.
+
+Fixes: 4a630fadbb29 ("drm/msm: Fix potential buffer overflow issue")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Acked-by: Jordan Crouse <jcrouse@codeaurora.org>
+Signed-off-by: Rob Clark <robdclark@gmail.com>
+Cc: Ben Hutchings <ben@decadent.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/msm/msm_gem_submit.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/msm/msm_gem_submit.c
++++ b/drivers/gpu/drm/msm/msm_gem_submit.c
+@@ -37,7 +37,7 @@ static struct msm_gem_submit *submit_cre
+ struct msm_gpu *gpu, uint32_t int nr)
+ {
+ struct msm_gem_submit *submit;
+- uint64_t sz = sizeof(*submit) + (nr * sizeof(submit->bos[0]));
++ uint64_t sz = sizeof(*submit) + ((u64)nr * sizeof(submit->bos[0]));
+
+ if (sz > SIZE_MAX)
+ return NULL;
--- /dev/null
+From 4a630fadbb29d9efaedb525f1a8f7449ad107641 Mon Sep 17 00:00:00 2001
+From: Kasin Li <donglil@codeaurora.org>
+Date: Mon, 19 Jun 2017 15:36:53 -0600
+Subject: drm/msm: Fix potential buffer overflow issue
+
+From: Kasin Li <donglil@codeaurora.org>
+
+commit 4a630fadbb29d9efaedb525f1a8f7449ad107641 upstream.
+
+In function submit_create, if nr_cmds or nr_bos is assigned with
+negative value, the allocated buffer may be small than intended.
+Using this buffer will lead to buffer overflow issue.
+
+Signed-off-by: Kasin Li <donglil@codeaurora.org>
+Signed-off-by: Jordan Crouse <jcrouse@codeaurora.org>
+Signed-off-by: Rob Clark <robdclark@gmail.com>
+Cc: Ben Hutchings <ben@decadent.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/msm/msm_gem_submit.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/drivers/gpu/drm/msm/msm_gem_submit.c
++++ b/drivers/gpu/drm/msm/msm_gem_submit.c
+@@ -34,10 +34,13 @@ static inline void __user *to_user_ptr(u
+ }
+
+ static struct msm_gem_submit *submit_create(struct drm_device *dev,
+- struct msm_gpu *gpu, int nr)
++ struct msm_gpu *gpu, uint32_t int nr)
+ {
+ struct msm_gem_submit *submit;
+- int sz = sizeof(*submit) + (nr * sizeof(submit->bos[0]));
++ uint64_t sz = sizeof(*submit) + (nr * sizeof(submit->bos[0]));
++
++ if (sz > SIZE_MAX)
++ return NULL;
+
+ submit = kmalloc(sz, GFP_TEMPORARY | __GFP_NOWARN | __GFP_NORETRY);
+ if (submit) {
arm64-ensure-__dump_instr-checks-addr_limit.patch
arm-8715-1-add-a-private-asm-unaligned.h.patch
ocfs2-fstrim-fix-start-offset-of-first-cluster-group-during-fstrim.patch
+drm-msm-fix-potential-buffer-overflow-issue.patch
+drm-msm-fix-an-integer-overflow-test.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
