drm/amdgpu: Fix integer overflow in amdgpu_cs_pass1

[ Upstream commit 87c2213 ] The type of size is unsigned int, if size is 0x40000000, there will be an integer overflow, size will be zero after size *= sizeof(uint32_t), will cause uninitialized memory to be referenced later. Reviewed-by: Christian König <christian.koenig@amd.com> Signed-off-by: hackyzh002 <hackyzh002@gmail.com> Signed-off-by: Alex Deucher <alexander.deucher@amd.com> Signed-off-by: Sasha Levin <sashal@kernel.org>
xanmod · Aug 23, 2023 · c3deb09 · c3deb09
1 parent 756d674
commit c3deb09
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c
@@ -189,7 +189,7 @@ static int amdgpu_cs_pass1(struct amdgpu_cs_parser *p,
 	uint64_t *chunk_array_user;
 	uint64_t *chunk_array;
 	uint32_t uf_offset = 0;
-	unsigned int size;
+	size_t size;
 	int ret;
 	int i;