From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Dan Carpenter , Chris Wilson Subject: [PATCH 5.3 074/105] drm/i810: Prevent underflow in ioctl Date: Wed, 11 Dec 2019 16:06:03 +0100 Message-Id: <20191211150253.249313601@linuxfoundation.org> X-Mailer: git-send-email 2.24.1 In-Reply-To: <20191211150221.153659747@linuxfoundation.org> References: <20191211150221.153659747@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Dan Carpenter commit 4f69851fbaa26b155330be35ce8ac393e93e7442 upstream. The "used" variables here come from the user in the ioctl and it can be negative. It could result in an out of bounds write. Signed-off-by: Dan Carpenter Reviewed-by: Chris Wilson Signed-off-by: Chris Wilson Link: https://patchwork.freedesktop.org/patch/msgid/20191004102251.GC823@mwanda Cc: stable@vger.kernel.org Signed-off-by: Greg Kroah-Hartman --- drivers/gpu/drm/i810/i810_dma.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) --- a/drivers/gpu/drm/i810/i810_dma.c +++ b/drivers/gpu/drm/i810/i810_dma.c @@ -721,7 +721,7 @@ static void i810_dma_dispatch_vertex(str if (nbox > I810_NR_SAREA_CLIPRECTS) nbox = I810_NR_SAREA_CLIPRECTS; - if (used > 4 * 1024) + if (used < 0 || used > 4 * 1024) used = 0; if (sarea_priv->dirty) @@ -1041,7 +1041,7 @@ static void i810_dma_dispatch_mc(struct if (u != I810_BUF_CLIENT) DRM_DEBUG("MC found buffer that isn't mine!\n"); - if (used > 4 * 1024) + if (used < 0 || used > 4 * 1024) used = 0; sarea_priv->dirty = 0x7f;
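Review bot: In i810_dma_dispatch_vertex(), an out-of-range `used` still falls through to `used = 0`, so a negative length supplied through the ioctl is silently turned into an empty dispatch instead of being reported to the caller. Because the function returns void, consider validating `used` in the ioctl path before dispatch and returning -EINVAL there, or add a comment stating that clamping to 0 is the intended behaviour. Making `used` an unsigned type would also let the existing `used > 4 * 1024` test cover the negative case without the extra `used < 0` comparison.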
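Review bot: In i810_dma_dispatch_mc(), the bounds test is a second copy of the one in i810_dma_dispatch_vertex(), and both write the limit as the bare literal `4 * 1024`. A named constant for the limit, or a small shared helper that validates `used`, would keep the two checks from drifting apart the next time one of them is changed.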