Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit b8fab6ae authored by hackyzh002's avatar hackyzh002 Committed by Greg Kroah-Hartman
Browse files

drm/radeon: Fix integer overflow in radeon_cs_parser_init 



[ Upstream commit f828b681d0cd566f86351c0b913e6cb6ed8c7b9c ]

The type of size is unsigned, if size is 0x40000000, there will be an
integer overflow, size will be zero after size *= sizeof(uint32_t),
will cause uninitialized memory to be referenced later

Reviewed-by: default avatarChristian König <christian.koenig@amd.com>
Signed-off-by: default avatarhackyzh002 <hackyzh002@gmail.com>
Signed-off-by: default avatarAlex Deucher <alexander.deucher@amd.com>
Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
parent 3a3bb438

drivers/gpu/drm/radeon/radeon_cs.c

+2 −1
Original line number Diff line number Diff line
@@ -271,7 +271,8 @@ int radeon_cs_parser_init(struct radeon_cs_parser *p, void *data) 
{

	struct drm_radeon_cs *cs = data;

	uint64_t *chunk_array_ptr;

	unsigned size, i;

	u64 size;

	unsigned i;

	u32 ring = RADEON_CS_RING_GFX;

	s32 priority = 0;