git.ipfire.org Git - thirdparty/kernel/stable.git/commit

author	Dan Carpenter <dan.carpenter@linaro.org>
	Fri, 15 Nov 2024 14:50:08 +0000 (17:50 +0300)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Fri, 21 Feb 2025 13:01:44 +0000 (14:01 +0100)
commit	2f1845e46c41ed500789d53dc45b383b7745c96c
tree	da9b8b4381fade4ff8615c017e616dd01022e718	tree
parent	6c4dcdbe513705585b0198349c097233c0a604a1	commit \| diff

drm/msm/gem: prevent integer overflow in msm_ioctl_gem_submit()

commit 3a47f4b439beb98e955d501c609dfd12b7836d61 upstream.

The "submit->cmd[i].size" and "submit->cmd[i].offset" variables are u32
values that come from the user via the submit_lookup_cmds() function.
This addition could lead to an integer wrapping bug so use size_add()
to prevent that.

Fixes: 198725337ef1 ("drm/msm: fix cmdstream size check")
Cc: stable@vger.kernel.org
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Patchwork: https://patchwork.freedesktop.org/patch/624696/
Signed-off-by: Rob Clark <robdclark@chromium.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>