From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: "Sasha Levin" <sashal@kernel.org>,
airlied@linux.ie, amd-gfx@lists.freedesktop.org,
dri-devel@lists.freedesktop.org,
"Alex Deucher" <alexander.deucher@amd.com>,
hackyzh002 <hackyzh002@gmail.com>,
"Christian König" <christian.koenig@amd.com>
Subject: [PATCH AUTOSEL 5.10 01/22] drm/radeon: Fix integer overflow in radeon_cs_parser_init
Date: Sun, 23 Jul 2023 21:23:58 -0400
Message-ID: <20230724012419.2317649-1-sashal@kernel.org>
From: hackyzh002 <hackyzh002@gmail.com>
[ Upstream commit f828b681d0cd566f86351c0b913e6cb6ed8c7b9c ]
The type of size is unsigned. If size is 0x40000000, there will be an
integer overflow: size will be zero after size *= sizeof(uint32_t), which
will cause uninitialized memory to be referenced later.
Reviewed-by: Christian König <christian.koenig@amd.com>
Signed-off-by: hackyzh002 <hackyzh002@gmail.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/radeon/radeon_cs.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/radeon/radeon_cs.c b/drivers/gpu/drm/radeon/radeon_cs.c
index a78b60b62caf2..87a57e5588a28 100644
--- a/drivers/gpu/drm/radeon/radeon_cs.c
+++ b/drivers/gpu/drm/radeon/radeon_cs.c
@@ -271,7 +271,8 @@ int radeon_cs_parser_init(struct radeon_cs_parser *p, void *data)
{
struct drm_radeon_cs *cs = data;
uint64_t *chunk_array_ptr;
- unsigned size, i;
+ u64 size;
+ unsigned i;
u32 ring = RADEON_CS_RING_GFX;
s32 priority = 0;
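Review bot: the `u64 size;` declaration only removes the wrap as long as every later use of `size` stays 64 bits wide, and nothing in this hunk bounds the value. If `size` is later handed to a parameter of type `size_t` or `unsigned` (32 bits on 32-bit builds), the byte count would be truncated again, so rejecting an oversized dword count up front, or using check_mul_overflow() at the `size *= sizeof(uint32_t)` step named in the commit message, would make the fix independent of the variable's width. Minor style point on the second added line: `unsigned i;` would normally be written `unsigned int i;`.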
--
2.39.2
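Added example (not part of the patch and not radeon driver code): a user-space model of the arithmetic the commit message describes, comparing a 32-bit and a 64-bit `size` and showing a checked multiply that refuses instead of wrapping. The function names and sample dword counts are assumptions made for illustration; `__builtin_mul_overflow` is the GCC/Clang builtin.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Pre-patch model: `unsigned size` is 32 bits wide, so the byte count
 * is reduced modulo 2^32 when it is stored back into size. */
static uint32_t bytes_prepatch(uint32_t length_dw)
{
    uint32_t size = length_dw;
    size *= sizeof(uint32_t);
    return size;
}

/* Post-patch model: `u64 size` holds the full product of any 32-bit
 * dword count and sizeof(uint32_t). */
static uint64_t bytes_postpatch(uint32_t length_dw)
{
    uint64_t size = length_dw;
    size *= sizeof(uint32_t);
    return size;
}

/* True when the 32-bit byte count is smaller than length_dw dwords
 * really need, i.e. a buffer sized from it would be too short. */
static bool undersized(uint32_t length_dw)
{
    return (uint64_t)bytes_prepatch(length_dw) < bytes_postpatch(length_dw);
}

/* Defensive variant: report failure instead of wrapping. */
static bool bytes_checked(uint32_t length_dw, uint32_t *out)
{
    return !__builtin_mul_overflow(length_dw, (uint32_t)sizeof(uint32_t), out);
}

int main(void)
{
    /* Constructed sample dword counts around the 2^30 boundary. */
    const uint32_t samples[] = { 0x10, 0x3fffffff, 0x40000000, 0x40000001 };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        uint32_t dw = samples[i], checked = 0;
        bool ok = bytes_checked(dw, &checked);
        printf("dw=%#x u32=%#x u64=%#llx undersized=%d checked_ok=%d\n",
               dw, bytes_prepatch(dw),
               (unsigned long long)bytes_postpatch(dw), undersized(dw), ok);
    }
    return 0;
}
```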