Unverified Commit d6876813 authored Mar 09, 2021 by Kamal Agrawal

msm: kgsl: Fix integer overflow in kgsl_ioctl_gpu_aux_command ioctl

In kgsl_ioctl_gpu_aux_command, if the number of generic objects passed is
UINT_MAX - 1 along with a syncpoint object, the count variable will be
incremented twice: once for timestamp sync object and another for aux
command syncpoint object resulting in count value as 0. Fix this by
allowing maximum of UINT_MAX - 2 generic objects.

Change-Id: Ief8c8da9b147e4b45b1f53d42473b772cedf77a8
Signed-off-by: Kamal Agrawal <kamaagra@codeaurora.org>

parent c073c18f

drivers/gpu/msm/kgsl.c

+5 −2

Original line number	Diff line number	Diff line
		@@ -1933,8 +1933,11 @@ long kgsl_ioctl_gpu_aux_command(struct kgsl_device_private *dev_priv,
		(KGSL_GPU_AUX_COMMAND_TIMELINE)))
		return -EINVAL;

		/* Make sure we don't overflow count */
		if (param->numcmds == UINT_MAX)
		/*
		* Make sure we don't overflow count. Couple of drawobjs are reserved:
		* One drawobj for timestamp sync and another for aux command sync.
		*/
		if (param->numcmds > (UINT_MAX - 2))
		return -EINVAL;

		context = kgsl_context_get_owner(dev_priv, param->context_id);