Patch "drm/radeon/r100: Fix integer overflow issues in r100_cs_track_check()" has been added to the 6.1-stable tree

Sasha Levin <sashal@xxxxxxxxxx> · Sat, 20 Jan 2024 20:19:42 -0500

This is a note to let you know that I've just added the patch titled

    drm/radeon/r100: Fix integer overflow issues in r100_cs_track_check()

to the 6.1-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     drm-radeon-r100-fix-integer-overflow-issues-in-r100_.patch
and it can be found in the queue-6.1 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 4187ca50829c07b24f826284d67a379e354ad88c
Author: Nikita Zhandarovich <n.zhandarovich@xxxxxxxxxx>
Date:   Wed Nov 29 07:22:12 2023 -0800

    drm/radeon/r100: Fix integer overflow issues in r100_cs_track_check()
    
    [ Upstream commit b5c5baa458faa5430c445acd9a17481274d77ccf ]
    
    It may be possible, albeit unlikely, to encounter integer overflow
    during the multiplication of several unsigned int variables, the
    result being assigned to a variable 'size' of wider type.
    
    Prevent this potential behaviour by converting one of the multiples
    to unsigned long.
    
    Found by Linux Verification Center (linuxtesting.org) with static
    analysis tool SVACE.
    
    Fixes: 0242f74d29df ("drm/radeon: clean up CS functions in r100.c")
    Signed-off-by: Nikita Zhandarovich <n.zhandarovich@xxxxxxxxxx>
    Signed-off-by: Alex Deucher <alexander.deucher@xxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/drivers/gpu/drm/radeon/r100.c b/drivers/gpu/drm/radeon/r100.c
index d4f09ecc3d22..f336b5b3b11f 100644
--- a/drivers/gpu/drm/radeon/r100.c
+++ b/drivers/gpu/drm/radeon/r100.c
@@ -2321,7 +2321,7 @@ int r100_cs_track_check(struct radeon_device *rdev, struct r100_cs_track *track)
 	switch (prim_walk) {
 	case 1:
 		for (i = 0; i < track->num_arrays; i++) {
-			size = track->arrays[i].esize * track->max_indx * 4;
+			size = track->arrays[i].esize * track->max_indx * 4UL;
 			if (track->arrays[i].robj == NULL) {
 				DRM_ERROR("(PW %u) Vertex array %u no buffer "
 					  "bound\n", prim_walk, i);
@@ -2340,7 +2340,7 @@ int r100_cs_track_check(struct radeon_device *rdev, struct r100_cs_track *track)
 		break;
 	case 2:
 		for (i = 0; i < track->num_arrays; i++) {
-			size = track->arrays[i].esize * (nverts - 1) * 4;
+			size = track->arrays[i].esize * (nverts - 1) * 4UL;
 			if (track->arrays[i].robj == NULL) {
 				DRM_ERROR("(PW %u) Vertex array %u no buffer "
 					  "bound\n", prim_walk, i);







