From fde778c14ade8e7666b30e7777f84a01ea43ea7b Mon Sep 17 00:00:00 2001
From: Abhilash Kumar <krabhi@codeaurora.org>
Date: Fri, 28 Jul 2017 16:29:53 +0530
Subject: [PATCH] msm: kgsl: Fix integer overflow in _load_gpmu_firmware

There is a possibility of integer overflow in the arithmetic
calculation for cmd_size. Fix this by adding checks for such
arithmetic.

Change-Id: I2298a32f8ba3411decb29f55bb7b55e2214de35a
Signed-off-by: Abhilash Kumar <krabhi@codeaurora.org>
---
 drivers/gpu/msm/adreno_a5xx.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/drivers/gpu/msm/adreno_a5xx.c b/drivers/gpu/msm/adreno_a5xx.c
index 466c42877b3f..f4dfae1a115f 100644
--- a/drivers/gpu/msm/adreno_a5xx.c
+++ b/drivers/gpu/msm/adreno_a5xx.c
@@ -715,6 +715,10 @@ static int _load_gpmu_firmware(struct adreno_device *adreno_dev)
 	if (ret)
 		goto err;
 
+	/* Integer overflow check for cmd_size */
+	if (data[2] > (data[0] - 2))
+		goto err;
+
 	cmds = data + data[2] + 3;
 	cmd_size = data[0] - data[2] - 2;