diff mbox

[RFC,013/111] staging: etnaviv: fix ring buffer overflow check

Message ID 1427988653-754-14-git-send-email-l.stach@pengutronix.de (mailing list archive)
State New, archived
Headers show

Commit Message

Lucas Stach April 2, 2015, 3:29 p.m. UTC 
From: Russell King <rmk+kernel@arm.linux.org.uk>

The ring buffer offset is an index into an array of uint32_t, whereas
obj->base.size is measured in bytes.  Comparing these two is nonsense.
Convert the index into a byte offset first.

Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
---
 drivers/staging/etnaviv/etnaviv_buffer.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff mbox

Patch

diff --git a/drivers/staging/etnaviv/etnaviv_buffer.c b/drivers/staging/etnaviv/etnaviv_buffer.c
index 6afb9c702628..729387571537 100644
--- a/drivers/staging/etnaviv/etnaviv_buffer.c
+++ b/drivers/staging/etnaviv/etnaviv_buffer.c
@@ -30,7 +30,7 @@ 
 static inline void OUT(struct etnaviv_gem_object *buffer, uint32_t data)
 {
 	u32 *vaddr = (u32 *)buffer->vaddr;
-	BUG_ON(buffer->offset >= buffer->base.size);
+	BUG_ON(buffer->offset * sizeof(*vaddr) >= buffer->base.size);
 
 	vaddr[buffer->offset++] = data;
 }