Commit f5fda676 authored by Dan Carpenter's avatar Dan Carpenter Committed by Thierry Reding

gpu: host1x: fix an integer overflow check

Tegra is a 32 bit arch.  On 32 bit systems then size_t is 32 bits so
"total" will never be higher than UINT_MAX because of integer overflows.
We need cast to u64 first before doing the math.

Also the addition earlier:

        unsigned int num_unpins = num_cmdbufs + num_relocs;

That can overflow as well, but I think it's still safe because we check
both "num_cmdbufs" and "num_relocs" again in this test.
Signed-off-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: default avatarThierry Reding <treding@nvidia.com>
parent ccaddfe1
...@@ -42,12 +42,12 @@ struct host1x_job *host1x_job_alloc(struct host1x_channel *ch, ...@@ -42,12 +42,12 @@ struct host1x_job *host1x_job_alloc(struct host1x_channel *ch,
/* Check that we're not going to overflow */ /* Check that we're not going to overflow */
total = sizeof(struct host1x_job) + total = sizeof(struct host1x_job) +
num_relocs * sizeof(struct host1x_reloc) + (u64)num_relocs * sizeof(struct host1x_reloc) +
num_unpins * sizeof(struct host1x_job_unpin_data) + (u64)num_unpins * sizeof(struct host1x_job_unpin_data) +
num_waitchks * sizeof(struct host1x_waitchk) + (u64)num_waitchks * sizeof(struct host1x_waitchk) +
num_cmdbufs * sizeof(struct host1x_job_gather) + (u64)num_cmdbufs * sizeof(struct host1x_job_gather) +
num_unpins * sizeof(dma_addr_t) + (u64)num_unpins * sizeof(dma_addr_t) +
num_unpins * sizeof(u32 *); (u64)num_unpins * sizeof(u32 *);
if (total > ULONG_MAX) if (total > ULONG_MAX)
return NULL; return NULL;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment