drm/radeon/r600_cs: Fix possible int overflow in r600_packet3_check()

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

It is possible, although unlikely, that an integer overflow will occur
when the result of radeon_get_ib_value() is shifted to the left.

Avoid it by casting one of the operands to larger data type (u64).

Found by Linux Verification Center (linuxtesting.org) with static
analysis tool SVACE.

Signed-off-by: Igor Artemiev <Igor.A.Artemiev@mcst.ru>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>

authored by

Igor Artemiev and committed by

Alex Deucher 2 years ago a1e2da6a a3f4060e

+1 -1

1 changed file

expand all

drivers

gpu

drm

radeon

r600_cs.c

+1 -1

drivers/gpu/drm/radeon/r600_cs.c

··· 2104 2104 return -EINVAL; 2105 2105 } 2106 2106 2107 - offset = radeon_get_ib_value(p, idx+1) << 8; 2107 + offset = (u64)radeon_get_ib_value(p, idx+1) << 8; 2108 2108 if (offset != track->vgt_strmout_bo_offset[idx_value]) { 2109 2109 DRM_ERROR("bad STRMOUT_BASE_UPDATE, bo offset does not match: 0x%llx, 0x%x\n", 2110 2110 offset, track->vgt_strmout_bo_offset[idx_value]);