This is a note to let you know that I've just added the patch titled drm/amdgpu: Fix integer overflow in amdgpu_cs_pass1 to the 6.1-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary The filename of the patch is: drm-amdgpu-fix-integer-overflow-in-amdgpu_cs_pass1.patch and it can be found in the queue-6.1 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable@xxxxxxxxxxxxxxx> know about it. commit fabbb4f1999594036fb93eb33f19cf209eb0cf31 Author: hackyzh002 <hackyzh002@xxxxxxxxx> Date: Wed Apr 19 20:22:33 2023 +0800 drm/amdgpu: Fix integer overflow in amdgpu_cs_pass1 [ Upstream commit 87c2213e85bd81e4a9a4d0880c256568794ae388 ] The type of size is unsigned int, if size is 0x40000000, there will be an integer overflow, size will be zero after size *= sizeof(uint32_t), will cause uninitialized memory to be referenced later. Reviewed-by: Christian König <christian.koenig@xxxxxxx> Signed-off-by: hackyzh002 <hackyzh002@xxxxxxxxx> Signed-off-by: Alex Deucher <alexander.deucher@xxxxxxx> Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx> diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c index fdb53d4394f30..6d3d01c5f0a28 100644 --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c @@ -185,7 +185,7 @@ static int amdgpu_cs_pass1(struct amdgpu_cs_parser *p, uint64_t *chunk_array_user; uint64_t *chunk_array; uint32_t uf_offset = 0; - unsigned int size; + size_t size; int ret; int i;
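Review bot: The new declaration `size_t size;` only avoids the wrap where size_t is 64 bits wide. On a 32-bit build size_t is no wider than unsigned int, so the 0x40000000 case from the commit message still becomes zero after `size *= sizeof(uint32_t)`, and the later use of uninitialized memory that the message describes remains reachable. The multiplication itself is outside this hunk, so the fix cannot be confirmed from the visible lines alone. Suggest making the bound explicit at the point where the byte count is computed, either by rejecting a length above a sane maximum with -EINVAL or by using an overflow-checked helper such as check_mul_overflow() or array_size(), so that correctness does not depend on the width of size_t.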