[PATCH 5/5] drm/amdgpu: Fix potential integer overflows
Alex Deucher
alexdeucher at gmail.com
Wed Jul 10 17:58:17 UTC 2019
On Tue, Jul 9, 2019 at 11:59 PM Kuehling, Felix <Felix.Kuehling at amd.com> wrote:
>
> With mm_nodes larger than 4GB, byte_count in amdgpu_fill_buffer would
> overflow.
>
> Signed-off-by: Felix Kuehling <Felix.Kuehling at amd.com>
Good catch.
Reviewed-by: Alex Deucher <alexander.deucher at amd.com>
> ---
> drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c | 9 +++++----
> 1 file changed, 5 insertions(+), 4 deletions(-)
>
> diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c
> index ae0eb64e734b..bbbf069efb77 100644
> --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c
> +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c
> @@ -2071,9 +2071,9 @@ int amdgpu_fill_buffer(struct amdgpu_bo *bo,
> mm_node = bo->tbo.mem.mm_node;
> num_loops = 0;
> while (num_pages) {
> - uint32_t byte_count = mm_node->size << PAGE_SHIFT;
> + uint64_t byte_count = mm_node->size << PAGE_SHIFT;
>
> - num_loops += DIV_ROUND_UP(byte_count, max_bytes);
> + num_loops += DIV_ROUND_UP_ULL(byte_count, max_bytes);
> num_pages -= mm_node->size;
> ++mm_node;
> }
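Review bot: In the new `uint64_t byte_count = mm_node->size << PAGE_SHIFT;` line, the shift is still evaluated in the type of `mm_node->size`, and that type is not visible in this hunk. If it is narrower than 64 bits on any supported build, the value is truncated before it reaches the wider variable, so widening the destination alone would not help. Writing `(uint64_t)mm_node->size << PAGE_SHIFT` would make the fix independent of the field's type. It is also worth confirming that `num_loops` is wide enough for the result of `DIV_ROUND_UP_ULL(byte_count, max_bytes)` now that `byte_count` can exceed 4GB.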
> @@ -2099,12 +2099,13 @@ int amdgpu_fill_buffer(struct amdgpu_bo *bo,
> mm_node = bo->tbo.mem.mm_node;
>
> while (num_pages) {
> - uint32_t byte_count = mm_node->size << PAGE_SHIFT;
> + uint64_t byte_count = mm_node->size << PAGE_SHIFT;
> uint64_t dst_addr;
>
> dst_addr = amdgpu_mm_node_addr(&bo->tbo, mm_node, &bo->tbo.mem);
> while (byte_count) {
> - uint32_t cur_size_in_bytes = min(byte_count, max_bytes);
> + uint32_t cur_size_in_bytes = min_t(uint64_t, byte_count,
> + max_bytes);
>
> amdgpu_emit_fill_buffer(adev, &job->ibs[0], src_data,
> dst_addr, cur_size_in_bytes);
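Review bot: In the inner loop, `cur_size_in_bytes` stays `uint32_t` while `min_t(uint64_t, byte_count, max_bytes)` now yields a 64-bit value, so the assignment is only safe because the result is bounded by `max_bytes`. The declaration of `max_bytes` is not in the visible context. A short comment stating that `max_bytes` always fits in 32 bits, or a check on it, would keep a later change to `max_bytes` from silently reintroducing the truncation. The `byte_count` initialisation in this hunk has the same shift-width dependency on the type of `mm_node->size` as the first loop, and an explicit `(uint64_t)` cast would cover both.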
> --
> 2.17.1
>