Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit af84577f authored Apr 07, 2021 by Puranam V G Tejaswi

msm: kgsl: Fix overflow issue by checking user supplied count

User supplied count can cause signed integer overflow when passed to
dma_fence_array_create. So make sure that count is less than INT_MAX.

Change-Id: Ie6f57e06a8f23e9fdc10f8a368921b9ad3516eba
Signed-off-by: Puranam V G Tejaswi <pvgtejas@codeaurora.org>

parent 1c9badc6

drivers/gpu/msm/kgsl_timeline.c

+2 −2

Original line number	Diff line number	Diff line
		@@ -23,14 +23,14 @@ struct kgsl_timeline_fence {
		};

		struct dma_fence kgsl_timelines_to_fence_array(struct kgsl_device device,
		u64 timelines, u64 count, u64 usize, bool any)
		u64 timelines, u32 count, u64 usize, bool any)
		{
		void __user *uptr = u64_to_user_ptr(timelines);
		struct dma_fence_array *array;
		struct dma_fence **fences;
		int i, ret = 0;

		if (!count)
		if (!count \|\| count > INT_MAX)
		return ERR_PTR(-EINVAL);

		fences = kcalloc(count, sizeof(*fences),

drivers/gpu/msm/kgsl_timeline.h

+1 −1

Original line number	Diff line number	Diff line
		@@ -108,6 +108,6 @@ static inline void kgsl_timeline_put(struct kgsl_timeline *timeline)
		* encapsulated timeline fences to expire.
		*/
		struct dma_fence kgsl_timelines_to_fence_array(struct kgsl_device device,
		u64 timelines, u64 count, u64 usize, bool any);
		u64 timelines, u32 count, u64 usize, bool any);

		#endif