projects / cascardo / linux.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 0913eab)
drm/amdgpu: integer overflow in amdgpu_mode_dumb_create()
authorDan Carpenter <dan.carpenter@oracle.com>
Wed, 23 Sep 2015 11:00:59 +0000 (14:00 +0300)
committerAlex Deucher <alexander.deucher@amd.com>
Wed, 23 Sep 2015 21:23:44 +0000 (17:23 -0400)
args->size is a u64.  arg->pitch and args->height are u32.  The
multiplication will overflow instead of using the high 32 bits as
intended.

Reviewed-by: Christian König <christian.koenig@amd.com>
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c patch | blob | history

diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c
index b82fab2..7297ca3 100644 (file)
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c
@@ -659,7 +659,7 @@ int amdgpu_mode_dumb_create(struct drm_file *file_priv,
        int r;
 
        args->pitch = amdgpu_align_pitch(adev, args->width, args->bpp, 0) * ((args->bpp + 1) / 8);
-       args->size = args->pitch * args->height;
+       args->size = (u64)args->pitch * args->height;
        args->size = ALIGN(args->size, PAGE_SIZE);
 
        r = amdgpu_gem_object_create(adev, args->size, 0,
Unnamed repository; edit this file 'description' to name the repository.