drm/amdgpu: Fix integer overflow in amdgpu_gem_add_input_fence()

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

The "num_syncobj_handles" is a u32 value that comes from the user via the
ioctl. On 32bit systems the "sizeof(uint32_t) * num_syncobj_handles"
multiplication can have an integer overflow. Use size_mul() to fix that.

Fixes: 38c67ec9aa4b ("drm/amdgpu: Add input fence to sync bo map/unmap")
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>

authored by

Dan Carpenter and committed by

Alex Deucher 10 months ago 335f1e79 98a46a40

+1 -1

1 changed file

expand all

drivers

gpu

drm

amd

amdgpu

amdgpu_gem.c

+1 -1

drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c

··· 58 58 return 0; 59 59 60 60 syncobj_handles = memdup_user(u64_to_user_ptr(syncobj_handles_array), 61 - sizeof(uint32_t) * num_syncobj_handles); 61 + size_mul(sizeof(uint32_t), num_syncobj_handles)); 62 62 if (IS_ERR(syncobj_handles)) 63 63 return PTR_ERR(syncobj_handles); 64 64