From b63c4eb6c72c4715b4a83c76e040355f2ea2d371 Mon Sep 17 00:00:00 2001
From: Sudeep Yedalapure
Date: Fri, 4 Nov 2016 21:47:41 +0530
Subject: [PATCH] msm: kgsl: Fix overflow in sharedmem cache range operation function
There could be possibility of integer overflow on adding size with maximum offset bytes and result in a value smaller than maximum memdesc size.
CRs-Fixed: 1082914
Change-Id: Ie66b3a8ca2ca418a4a52f65987266b8d580c121f
Signed-off-by: Sudeep Yedalapure
---
 drivers/gpu/msm/kgsl_sharedmem.c | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/drivers/gpu/msm/kgsl_sharedmem.c b/drivers/gpu/msm/kgsl_sharedmem.c
index 72895c18119f..618e9e9a33a3 100644
--- a/drivers/gpu/msm/kgsl_sharedmem.c
+++ b/drivers/gpu/msm/kgsl_sharedmem.c
@@ -574,12 +574,11 @@ int kgsl_cache_range_op(struct kgsl_memdesc *memdesc, uint64_t offset,
 void *addr = (memdesc->hostptr) ? memdesc->hostptr : (void *) memdesc->useraddr;
- /* Make sure that size is non-zero */
- if (!size)
+ if (size == 0 || size > UINT_MAX)
 return -EINVAL;
- /* Make sure that the offset + size isn't bigger than we can handle */
- if ((offset + size) > ULONG_MAX)
+ /* Make sure that the offset + size does not overflow */
+ if ((offset + size < offset) || (offset + size < size))
 return -ERANGE;
 /* Make sure the offset + size do not overflow the address */
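Review bot: Dropping the `(offset + size) > ULONG_MAX` test leaves `offset` itself unbounded in this hunk: the new wrap check rejects only sums that overflow 64 bits, so on a build where `unsigned long` is 32 bits a sum above `ULONG_MAX` now passes where it was rejected before. Whether that matters depends on the address-overflow check and any comparison against the memdesc size that follow, which are outside the hunk; if either narrows `offset` or the sum to a pointer-sized type, keep the old bound after the wrap test, e.g. `if (offset + size > ULONG_MAX) return -ERANGE;`. The wrap test is also redundant for unsigned operands, since a wrapped sum is smaller than both operands, so `if (offset + size < offset)` is enough. The `size > UINT_MAX` limit replaces a commented check with an uncommented one; a line such as `/* size must be non-zero and no larger than UINT_MAX */`, together with the reason for that cap, would help the next reader.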