From d567b416ed6de3402a47f4b474fa3970f12e1a2b Mon Sep 17 00:00:00 2001
From: Deepak Kumar
Date: Fri, 23 Feb 2018 16:31:46 +0530
Subject: [PATCH] msm: kgsl: Correct memory type update in IOCTL_KGSL_GPUOBJ_SET_INFO

A bad user can pass memory type parameter value greater than 255. Limit the memory type value to valid range before updating memory descriptor flags to avoid incorrect flag update.

Change-Id: I23ce69584d1e2c9969583461ee942c5046e7cdbc
Signed-off-by: Deepak Kumar
---
 drivers/gpu/msm/kgsl.c | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/drivers/gpu/msm/kgsl.c b/drivers/gpu/msm/kgsl.c
index cc3e79dc29bf..97a2d8fa5d5a 100644
--- a/drivers/gpu/msm/kgsl.c
+++ b/drivers/gpu/msm/kgsl.c
@@ -3977,6 +3977,7 @@ long kgsl_ioctl_gpuobj_set_info(struct kgsl_device_private *dev_priv,
 struct kgsl_process_private *private = dev_priv->process_priv;
 struct kgsl_gpuobj_set_info *param = data;
 struct kgsl_mem_entry *entry;
+ int ret = 0;
 if (param->id == 0)
 return -EINVAL;
@@ -3989,12 +3990,16 @@ long kgsl_ioctl_gpuobj_set_info(struct kgsl_device_private *dev_priv,
 copy_metadata(entry, param->metadata, param->metadata_len);
 if (param->flags & KGSL_GPUOBJ_SET_INFO_TYPE) {
- entry->memdesc.flags &= ~((uint64_t) KGSL_MEMTYPE_MASK);
- entry->memdesc.flags |= param->type << KGSL_MEMTYPE_SHIFT;
+ if (param->type <= (KGSL_MEMTYPE_MASK >> KGSL_MEMTYPE_SHIFT)) {
+ entry->memdesc.flags &= ~((uint64_t) KGSL_MEMTYPE_MASK);
+ entry->memdesc.flags |= (uint64_t)((param->type <<
+ KGSL_MEMTYPE_SHIFT) & KGSL_MEMTYPE_MASK);
+ } else
+ ret = -EINVAL;
 }
 kgsl_mem_entry_put(entry);
- return 0;
+ return ret;
 }
 long kgsl_ioctl_cff_syncmem(struct kgsl_device_private *dev_priv,
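Review bot: The range check on `param->type` in the second hunk runs only after `copy_metadata(entry, param->metadata, param->metadata_len)`, so a request that combines a metadata update with an out-of-range type returns -EINVAL but may already have changed the metadata (the condition guarding copy_metadata lies outside the hunk, so this is inferred). Rejecting the value before anything is modified avoids that partial update, for example next to the `param->id == 0` check in the first hunk: `if ((param->flags & KGSL_GPUOBJ_SET_INFO_TYPE) && param->type > (KGSL_MEMTYPE_MASK >> KGSL_MEMTYPE_SHIFT)) return -EINVAL;`. With that early return the new `ret` variable would no longer be needed. If the check stays where it is, kernel style wants braces on both branches (`} else {` … `}`), and the widening cast reads more clearly when applied before the shift, `((uint64_t)param->type << KGSL_MEMTYPE_SHIFT)`, rather than to the already-masked result.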