[PATCH RFC 013/111] staging: etnaviv: fix ring buffer overflow check

Lucas Stach <l.stach@xxxxxxxxxxxxxx> · Thu, 2 Apr 2015 17:29:15 +0200

From: Russell King <rmk+kernel@xxxxxxxxxxxxxxxx>

The ring buffer offset is an index into an array of uint32_t, whereas
obj->base.size is measured in bytes.  Comparing these two is nonsense.
Convert the index into a byte offset first.

Signed-off-by: Russell King <rmk+kernel@xxxxxxxxxxxxxxxx>
---
 drivers/staging/etnaviv/etnaviv_buffer.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/staging/etnaviv/etnaviv_buffer.c b/drivers/staging/etnaviv/etnaviv_buffer.c
index 6afb9c702628..729387571537 100644
--- a/drivers/staging/etnaviv/etnaviv_buffer.c
+++ b/drivers/staging/etnaviv/etnaviv_buffer.c
@@ -30,7 +30,7 @@
 static inline void OUT(struct etnaviv_gem_object *buffer, uint32_t data)
 {
 	u32 *vaddr = (u32 *)buffer->vaddr;
-	BUG_ON(buffer->offset >= buffer->base.size);
+	BUG_ON(buffer->offset * sizeof(*vaddr) >= buffer->base.size);
 
 	vaddr[buffer->offset++] = data;
 }
-- 
2.1.4

_______________________________________________
dri-devel mailing list
dri-devel@xxxxxxxxxxxxxxxxxxxxx
http://lists.freedesktop.org/mailman/listinfo/dri-devel








