diff mbox series

drm/gem: fix overflow in calculating DMA GEM size

Message ID 20250325084645.37258-1-a.vatoropin@crpt.ru (mailing list archive)
State New
Headers show
Series drm/gem: fix overflow in calculating DMA GEM size | expand

Commit Message

Ваторопин Андрей March 25, 2025, 8:46 a.m. UTC 
From: Andrey Vatoropin <a.vatoropin@crpt.ru>

The IOCTL handler drm_gem_dma_dumb_create() calculates "size" by
multiplying "pitch" and "height." This expression is currently being 
evaluated using 32-bit arithmetic, which can lead to an overflow during 
multiplication.

Since a value of type 'u64' is used to store the eventual size, it is 
necessary to perform 64-bit arithmetic to avoid overflow during the
multiplication.

The same thing was done in commit 0f8f8a643000 
("drm/i915/gem: Detect overflow in calculating dumb buffer size")

Found by Linux Verification Center (linuxtesting.org) with SVACE.
       
Fixes: 6d1782919dc9 ("drm/cma: Introduce drm_gem_cma_dumb_create_internal()")
Signed-off-by: Andrey Vatoropin <a.vatoropin@crpt.ru> 
---
 drivers/gpu/drm/drm_gem_dma_helper.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff mbox series

Patch

diff --git a/drivers/gpu/drm/drm_gem_dma_helper.c b/drivers/gpu/drm/drm_gem_dma_helper.c
index 16988d316a6d..ac300777c79e 100644
--- a/drivers/gpu/drm/drm_gem_dma_helper.c
+++ b/drivers/gpu/drm/drm_gem_dma_helper.c
@@ -306,7 +306,7 @@  int drm_gem_dma_dumb_create(struct drm_file *file_priv,
 	struct drm_gem_dma_object *dma_obj;
 
 	args->pitch = DIV_ROUND_UP(args->width * args->bpp, 8);
-	args->size = args->pitch * args->height;
+	args->size = mul_u32_u32(args->pitch, args->height);
 
 	dma_obj = drm_gem_dma_create_with_handle(file_priv, drm, args->size,
 						 &args->handle);