git.ipfire.org Git - thirdparty/kernel/stable.git/commit

author	Dan Carpenter <dan.carpenter@linaro.org>
	Fri, 15 Nov 2024 14:50:08 +0000 (17:50 +0300)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Thu, 27 Feb 2025 12:10:50 +0000 (04:10 -0800)
commit	2b99b2c4621d13bd4374ef384e8f1fc188d0a5df
tree	9b4335cb9a3a4931deeb4889131481dec2466007	tree \| snapshot
parent	c620a776d776d9da655e20a80a659d571636eac4	commit \| diff

drm/msm/gem: prevent integer overflow in msm_ioctl_gem_submit()

[ Upstream commit 3a47f4b439beb98e955d501c609dfd12b7836d61 ]

The "submit->cmd[i].size" and "submit->cmd[i].offset" variables are u32
values that come from the user via the submit_lookup_cmds() function.
This addition could lead to an integer wrapping bug so use size_add()
to prevent that.

Fixes: 198725337ef1 ("drm/msm: fix cmdstream size check")
Cc: stable@vger.kernel.org
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Patchwork: https://patchwork.freedesktop.org/patch/624696/
Signed-off-by: Rob Clark <robdclark@chromium.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>