[PATCH] drm/msm/gem: Use size_add() against integer overflow

Li Qiong liqiong at nfschina.com
Mon Sep 26 09:23:15 UTC 2022


"struct_size() + n" may cause an integer overflow,
use size_add() to handle it.

Signed-off-by: Li Qiong <liqiong at nfschina.com>
---
 drivers/gpu/drm/msm/msm_gem_submit.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/gpu/drm/msm/msm_gem_submit.c b/drivers/gpu/drm/msm/msm_gem_submit.c
index c9e4aeb14f4a..3dec87e46e50 100644
--- a/drivers/gpu/drm/msm/msm_gem_submit.c
+++ b/drivers/gpu/drm/msm/msm_gem_submit.c
@@ -30,8 +30,8 @@ static struct msm_gem_submit *submit_create(struct drm_device *dev,
 	uint64_t sz;
 	int ret;
 
-	sz = struct_size(submit, bos, nr_bos) +
-			((u64)nr_cmds * sizeof(submit->cmd[0]));
+	sz = size_add(struct_size(submit, bos, nr_bos),
+			((u64)nr_cmds * sizeof(submit->cmd[0])));
 
 	if (sz > SIZE_MAX)
 		return ERR_PTR(-ENOMEM);
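
Review bot: the unchanged `if (sz > SIZE_MAX)` check right after the new assignment can no longer be true, because size_add() returns a size_t that saturates at SIZE_MAX, so sz never exceeds it and the -ENOMEM return becomes dead code. Test for the saturated value instead, for example `if (sz == SIZE_MAX)`, so an overflowing request is still rejected here rather than being passed on as a SIZE_MAX-byte allocation. Separately, the second argument is still computed as `(u64)nr_cmds * sizeof(submit->cmd[0])` and only then converted to the size_t parameter of size_add(); on a 32-bit build that conversion truncates before the saturating add sees the value, so size_mul(nr_cmds, sizeof(submit->cmd[0])) would keep the whole expression saturating. The commit message would also benefit from stating which input makes the old sum wrap (struct_size() itself returns SIZE_MAX on overflow, and adding to that wraps in the u64).
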
-- 
2.11.0


