[PATCH AUTOSEL 6.1 04/41] drm/amdgpu: Fix integer overflow in amdgpu_cs_pass1

Sasha Levin sashal at kernel.org
Mon Jul 24 01:20:37 UTC 2023


From: hackyzh002 <hackyzh002 at gmail.com>

[ Upstream commit 87c2213e85bd81e4a9a4d0880c256568794ae388 ]

The type of size is unsigned int. If size is 0x40000000, there will
be an integer overflow: size will be zero after size *= sizeof(uint32_t),
which will cause uninitialized memory to be referenced later.

Reviewed-by: Christian König <christian.koenig at amd.com>
Signed-off-by: hackyzh002 <hackyzh002 at gmail.com>
Signed-off-by: Alex Deucher <alexander.deucher at amd.com>
Signed-off-by: Sasha Levin <sashal at kernel.org>
---
 drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c
index 365e3fb6a9e5b..34a64493bfe2c 100644
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c
@@ -188,7 +188,7 @@ static int amdgpu_cs_pass1(struct amdgpu_cs_parser *p,
 	uint64_t *chunk_array_user;
 	uint64_t *chunk_array;
 	uint32_t uf_offset = 0;
-	unsigned int size;
+	size_t size;
 	int ret;
 	int i;
 
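Review bot: the `size_t size;` declaration at the top of amdgpu_cs_pass1 only removes the wrap on 64-bit builds. Where size_t is 32 bits wide, the `size *= sizeof(uint32_t)` described in the commit message still produces 0 for 0x40000000. Consider rejecting an oversized length before the multiply, or performing the multiply with an overflow-checked helper such as check_mul_overflow() and returning -EINVAL when it reports overflow. The hunk shows only the declaration, so it would also help backport review if the commit message named where size is assigned and multiplied, to confirm no other use in this function depends on it being unsigned int.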
-- 
2.39.2


