[PATCH] drm/rockchip: fix potential integer overflow in rockchip_gem_dumb_create()

Gax-c zichenxie0106 at gmail.com
Wed Oct 16 20:06:55 UTC 2024


From: Zichen Xie <zichenxie0106 at gmail.com>

There may be potential integer overflow issue in
rockchip_gem_dumb_create(). args->size is defined
as "__u64" while args->pitch and args->height are
both defined as "__u32". The result of
"args->pitch * args->height" will be limited to
"__u32" without correct casting.
Cast it to "__u64" first to avoid possible
integer overflow.

Fixes: e3c4abdb3bc9 ("drm/rockchip: fix wrong pitch/size using on gem")
Signed-off-by: Zichen Xie <zichenxie0106 at gmail.com>
---
 drivers/gpu/drm/rockchip/rockchip_drm_gem.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/gpu/drm/rockchip/rockchip_drm_gem.c b/drivers/gpu/drm/rockchip/rockchip_drm_gem.c
index 93ed841f5dce..76dea12fe394 100644
--- a/drivers/gpu/drm/rockchip/rockchip_drm_gem.c
+++ b/drivers/gpu/drm/rockchip/rockchip_drm_gem.c
@@ -409,7 +409,7 @@ int rockchip_gem_dumb_create(struct drm_file *file_priv,
 	 * align to 64 bytes since Mali requires it.
 	 */
 	args->pitch = ALIGN(min_pitch, 64);
-	args->size = args->pitch * args->height;
+	args->size = (__u64)args->pitch * args->height;
 
 	rk_obj = rockchip_gem_create_with_handle(file_priv, dev, args->size,
 						 &args->handle);
-- 
2.25.1



More information about the dri-devel mailing list