| From 65e93108891e571f177c202add9288eda9ac4100 Mon Sep 17 00:00:00 2001 |
| From: Dan Carpenter <dan.carpenter@oracle.com> |
| Date: Fri, 30 Jun 2017 10:59:15 +0300 |
| Subject: drm/msm: fix an integer overflow test |
| |
| From: Dan Carpenter <dan.carpenter@oracle.com> |
| |
| commit 65e93108891e571f177c202add9288eda9ac4100 upstream. |
| |
| We recently added an integer overflow check but it needs an additional |
| tweak to work properly on 32 bit systems. |
| |
| The problem is that we're doing the right hand side of the assignment as |
| type unsigned long so the max it will have an integer overflow instead |
| of being larger than SIZE_MAX. That means the "sz > SIZE_MAX" condition |
| is never true even on 32 bit systems. We need to first cast it to u64 |
| and then do the math. |
| |
| Fixes: 4a630fadbb29 ("drm/msm: Fix potential buffer overflow issue") |
| Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> |
| Acked-by: Jordan Crouse <jcrouse@codeaurora.org> |
| Signed-off-by: Rob Clark <robdclark@gmail.com> |
| Cc: Ben Hutchings <ben@decadent.org.uk> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| |
| --- |
| drivers/gpu/drm/msm/msm_gem_submit.c | 2 +- |
| 1 file changed, 1 insertion(+), 1 deletion(-) |
| |
| --- a/drivers/gpu/drm/msm/msm_gem_submit.c |
| +++ b/drivers/gpu/drm/msm/msm_gem_submit.c |
| @@ -37,7 +37,7 @@ static struct msm_gem_submit *submit_cre |
| struct msm_gpu *gpu, uint32_t nr) |
| { |
| struct msm_gem_submit *submit; |
| - uint64_t sz = sizeof(*submit) + (nr * sizeof(submit->bos[0])); |
| + uint64_t sz = sizeof(*submit) + ((u64)nr * sizeof(submit->bos[0])); |
| |
| if (sz > SIZE_MAX) |
| return NULL; |
