Driver can initialize without any fences. If so roundup_power_of_two will overflow as it will try to subtract one from initial value before shift, (1 << fls_long(-1)). Fix this using default (4) if num_fences is zero. Another more radical option would be to return error on zero but that would need a callsite comb. Caught-by: UBSAN Cc: Christian König <christian.koenig@xxxxxxx> Cc: Thomas Hellström <thomas.hellstrom@xxxxxxxxxxxxxxx> Signed-off-by: Mika Kuoppala <mika.kuoppala@xxxxxxxxxxxxxxx> --- drivers/dma-buf/dma-resv.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/drivers/dma-buf/dma-resv.c b/drivers/dma-buf/dma-resv.c index 38b4110378de..f5ad3ecd0d4f 100644 --- a/drivers/dma-buf/dma-resv.c +++ b/drivers/dma-buf/dma-resv.c @@ -192,7 +192,10 @@ int dma_resv_reserve_fences(struct dma_resv *obj, unsigned int num_fences) return 0; max = max(old->num_fences + num_fences, old->max_fences * 2); } else { - max = max(4ul, roundup_pow_of_two(num_fences)); + if (num_fences) + max = max(4ul, roundup_pow_of_two(num_fences)); + else + max = 4ul; } new = dma_resv_list_alloc(max); -- 2.34.1
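Review bot: the new `if (num_fences)` check in the else branch of dma_resv_reserve_fences() has no comment explaining why zero is special-cased, so a later cleanup could fold it back into the single `max(4ul, roundup_pow_of_two(num_fences))` line and reintroduce the undefined shift. Add a short comment above the check stating that roundup_pow_of_two() is undefined for 0. The commit message also names the helper "roundup_power_of_two", while the code calls `roundup_pow_of_two`; it should use the real name so the fix can be found by grep. Since the message says the alternative is to return an error on zero, the function's documentation should state that a zero num_fences is accepted and reserves the default of 4 slots, so callers know this is supported behaviour rather than an accident.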