[PATCH] drm/rockchip: fix potential integer overflow in rockchip_gem_dumb_create()
Gax-c
zichenxie0106 at gmail.com
Wed Oct 16 20:06:55 UTC 2024
From: Zichen Xie <zichenxie0106 at gmail.com>
There may be potential integer overflow issue in
rockchip_gem_dumb_create(). args->size is defined
as "__u64" while args->pitch and args->height are
both defined as "__u32". The result of
"args->pitch * args->height" will be limited to
"__u32" without correct casting.
Cast it to "__u64" first to avoid possible
integer overflow.
Fixes: e3c4abdb3bc9 ("drm/rockchip: fix wrong pitch/size using on gem")
Signed-off-by: Zichen Xie <zichenxie0106 at gmail.com>
---
drivers/gpu/drm/rockchip/rockchip_drm_gem.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/rockchip/rockchip_drm_gem.c b/drivers/gpu/drm/rockchip/rockchip_drm_gem.c
index 93ed841f5dce..76dea12fe394 100644
--- a/drivers/gpu/drm/rockchip/rockchip_drm_gem.c
+++ b/drivers/gpu/drm/rockchip/rockchip_drm_gem.c
@@ -409,7 +409,7 @@ int rockchip_gem_dumb_create(struct drm_file *file_priv,
* align to 64 bytes since Mali requires it.
*/
args->pitch = ALIGN(min_pitch, 64);
- args->size = args->pitch * args->height;
+ args->size = (__u64)args->pitch * args->height;
rk_obj = rockchip_gem_create_with_handle(file_priv, dev, args->size,
&args->handle);
--
2.25.1
More information about the dri-devel
mailing list