diff options
author | Dan Carpenter <dan.carpenter@oracle.com> | 2013-08-23 13:18:25 +0300 |
---|---|---|
committer | Thierry Reding <treding@nvidia.com> | 2013-08-27 10:20:11 +0200 |
commit | f5fda676e9a3991aab159418f870351bc7d45d96 (patch) | |
tree | e2cd6626f446753b24f6c4d4f454ebe195a729c1 /drivers/gpu | |
parent | ccaddfe1a2e10f50aa6f553f9791c2724b6d3c4a (diff) | |
download | op-kernel-dev-f5fda676e9a3991aab159418f870351bc7d45d96.zip op-kernel-dev-f5fda676e9a3991aab159418f870351bc7d45d96.tar.gz |
gpu: host1x: fix an integer overflow check
Tegra is a 32 bit arch. On 32 bit systems then size_t is 32 bits so
"total" will never be higher than UINT_MAX because of integer overflows.
We need cast to u64 first before doing the math.
Also the addition earlier:
unsigned int num_unpins = num_cmdbufs + num_relocs;
That can overflow as well, but I think it's still safe because we check
both "num_cmdbufs" and "num_relocs" again in this test.
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Thierry Reding <treding@nvidia.com>
Diffstat (limited to 'drivers/gpu')
-rw-r--r-- | drivers/gpu/host1x/job.c | 12 |
1 files changed, 6 insertions, 6 deletions
diff --git a/drivers/gpu/host1x/job.c b/drivers/gpu/host1x/job.c index cc80766..18a47f9 100644 --- a/drivers/gpu/host1x/job.c +++ b/drivers/gpu/host1x/job.c @@ -42,12 +42,12 @@ struct host1x_job *host1x_job_alloc(struct host1x_channel *ch, /* Check that we're not going to overflow */ total = sizeof(struct host1x_job) + - num_relocs * sizeof(struct host1x_reloc) + - num_unpins * sizeof(struct host1x_job_unpin_data) + - num_waitchks * sizeof(struct host1x_waitchk) + - num_cmdbufs * sizeof(struct host1x_job_gather) + - num_unpins * sizeof(dma_addr_t) + - num_unpins * sizeof(u32 *); + (u64)num_relocs * sizeof(struct host1x_reloc) + + (u64)num_unpins * sizeof(struct host1x_job_unpin_data) + + (u64)num_waitchks * sizeof(struct host1x_waitchk) + + (u64)num_cmdbufs * sizeof(struct host1x_job_gather) + + (u64)num_unpins * sizeof(dma_addr_t) + + (u64)num_unpins * sizeof(u32 *); if (total > ULONG_MAX) return NULL; |