From 09524ab841f0e8f8566fd04e75ea213e4dded56e Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Mon, 6 Nov 2017 08:56:43 +0100
Subject: [PATCH] 4.4-stable patches

added patches:
	drm-msm-fix-an-integer-overflow-test.patch
	drm-msm-fix-potential-buffer-overflow-issue.patch
---
 ...drm-msm-fix-an-integer-overflow-test.patch | 40 ++++++++++++++++++
 ...-fix-potential-buffer-overflow-issue.patch | 41 +++++++++++++++++++
 queue-4.4/series                              |  2 +
 3 files changed, 83 insertions(+)
 create mode 100644 queue-4.4/drm-msm-fix-an-integer-overflow-test.patch
 create mode 100644 queue-4.4/drm-msm-fix-potential-buffer-overflow-issue.patch

diff --git a/queue-4.4/drm-msm-fix-an-integer-overflow-test.patch b/queue-4.4/drm-msm-fix-an-integer-overflow-test.patch
new file mode 100644
index 00000000000..35f7800ece6
--- /dev/null
+++ b/queue-4.4/drm-msm-fix-an-integer-overflow-test.patch
@@ -0,0 +1,40 @@
+From 65e93108891e571f177c202add9288eda9ac4100 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Fri, 30 Jun 2017 10:59:15 +0300
+Subject: drm/msm: fix an integer overflow test
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit 65e93108891e571f177c202add9288eda9ac4100 upstream.
+
+We recently added an integer overflow check but it needs an additional
+tweak to work properly on 32 bit systems.
+
+The problem is that we're doing the right hand side of the assignment as
+type unsigned long so the max it will have an integer overflow instead
+of being larger than SIZE_MAX.  That means the "sz > SIZE_MAX" condition
+is never true even on 32 bit systems.  We need to first cast it to u64
+and then do the math.
+
+Fixes: 4a630fadbb29 ("drm/msm: Fix potential buffer overflow issue")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Acked-by: Jordan Crouse <jcrouse@codeaurora.org>
+Signed-off-by: Rob Clark <robdclark@gmail.com>
+Cc: Ben Hutchings <ben@decadent.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/msm/msm_gem_submit.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/msm/msm_gem_submit.c
++++ b/drivers/gpu/drm/msm/msm_gem_submit.c
+@@ -37,7 +37,7 @@ static struct msm_gem_submit *submit_cre
+ 		struct msm_gpu *gpu, uint32_t int nr)
+ {
+ 	struct msm_gem_submit *submit;
+-	uint64_t sz = sizeof(*submit) + (nr * sizeof(submit->bos[0]));
++	uint64_t sz = sizeof(*submit) + ((u64)nr * sizeof(submit->bos[0]));
+ 
+ 	if (sz > SIZE_MAX)
+ 		return NULL;
diff --git a/queue-4.4/drm-msm-fix-potential-buffer-overflow-issue.patch b/queue-4.4/drm-msm-fix-potential-buffer-overflow-issue.patch
new file mode 100644
index 00000000000..1021d028af4
--- /dev/null
+++ b/queue-4.4/drm-msm-fix-potential-buffer-overflow-issue.patch
@@ -0,0 +1,41 @@
+From 4a630fadbb29d9efaedb525f1a8f7449ad107641 Mon Sep 17 00:00:00 2001
+From: Kasin Li <donglil@codeaurora.org>
+Date: Mon, 19 Jun 2017 15:36:53 -0600
+Subject: drm/msm: Fix potential buffer overflow issue
+
+From: Kasin Li <donglil@codeaurora.org>
+
+commit 4a630fadbb29d9efaedb525f1a8f7449ad107641 upstream.
+
+In function submit_create, if nr_cmds or nr_bos is assigned with
+negative value, the allocated buffer may be small than intended.
+Using this buffer will lead to buffer overflow issue.
+
+Signed-off-by: Kasin Li <donglil@codeaurora.org>
+Signed-off-by: Jordan Crouse <jcrouse@codeaurora.org>
+Signed-off-by: Rob Clark <robdclark@gmail.com>
+Cc: Ben Hutchings <ben@decadent.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/msm/msm_gem_submit.c |    7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/drivers/gpu/drm/msm/msm_gem_submit.c
++++ b/drivers/gpu/drm/msm/msm_gem_submit.c
+@@ -34,10 +34,13 @@ static inline void __user *to_user_ptr(u
+ }
+ 
+ static struct msm_gem_submit *submit_create(struct drm_device *dev,
+-		struct msm_gpu *gpu, int nr)
++		struct msm_gpu *gpu, uint32_t int nr)
+ {
+ 	struct msm_gem_submit *submit;
+-	int sz = sizeof(*submit) + (nr * sizeof(submit->bos[0]));
++	uint64_t sz = sizeof(*submit) + (nr * sizeof(submit->bos[0]));
++
++	if (sz > SIZE_MAX)
++		return NULL;
+ 
+ 	submit = kmalloc(sz, GFP_TEMPORARY | __GFP_NOWARN | __GFP_NORETRY);
+ 	if (submit) {
diff --git a/queue-4.4/series b/queue-4.4/series
index 6c7a35ed6d4..b9f0e4579af 100644
--- a/queue-4.4/series
+++ b/queue-4.4/series
@@ -9,3 +9,5 @@ arm-dts-mvebu-pl310-cache-disable-double-linefill.patch
 arm-8715-1-add-a-private-asm-unaligned.h.patch
 ocfs2-fstrim-fix-start-offset-of-first-cluster-group-during-fstrim.patch
 perf-tools-fix-build-failure-on-perl-script-context.patch
+drm-msm-fix-potential-buffer-overflow-issue.patch
+drm-msm-fix-an-integer-overflow-test.patch
-- 
2.47.2