[PATCH] drm/gem: fix overflow in calculating DMA GEM size
From: Ваторопин Андрей
Date: Tue Mar 25 2025 - 04:47:49 EST
From: Andrey Vatoropin <a.vatoropin@xxxxxxx>
The IOCTL handler drm_gem_dma_dumb_create() calculates "size" by
multiplying "pitch" and "height." This expression is currently being
evaluated using 32-bit arithmetic, which can lead to an overflow during
multiplication.
Since a value of type 'u64' is used to store the eventual size, it is
necessary to perform 64-bit arithmetic to avoid overflow during the
multiplication.
The same thing was done in commit 0f8f8a643000
("drm/i915/gem: Detect overflow in calculating dumb buffer size")
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Fixes: 6d1782919dc9 ("drm/cma: Introduce drm_gem_cma_dumb_create_internal()")
Signed-off-by: Andrey Vatoropin <a.vatoropin@xxxxxxx>
---
drivers/gpu/drm/drm_gem_dma_helper.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/drm_gem_dma_helper.c b/drivers/gpu/drm/drm_gem_dma_helper.c
index 16988d316a6d..ac300777c79e 100644
--- a/drivers/gpu/drm/drm_gem_dma_helper.c
+++ b/drivers/gpu/drm/drm_gem_dma_helper.c
@@ -306,7 +306,7 @@ int drm_gem_dma_dumb_create(struct drm_file *file_priv,
struct drm_gem_dma_object *dma_obj;
args->pitch = DIV_ROUND_UP(args->width * args->bpp, 8);
- args->size = args->pitch * args->height;
+ args->size = mul_u32_u32(args->pitch, args->height);
dma_obj = drm_gem_dma_create_with_handle(file_priv, drm, args->size,
&args->handle);
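Review bot: The context line directly above the change, args->pitch = DIV_ROUND_UP(args->width * args->bpp, 8), is left untouched. If width and bpp are 32-bit like pitch and height, that product can wrap before the pitch is stored, and mul_u32_u32() then widens a value that is already truncated. Consider guarding that multiplication too, for example with check_mul_overflow() and an -EINVAL return. That would also match the referenced i915 commit, whose subject says it detects the overflow rather than only widening the result. Separately, args->size is passed straight to drm_gem_dma_create_with_handle(), which is not part of this diff, so please confirm its size parameter can hold the full 64-bit value on 32-bit builds. If it cannot, the overflow just moves to the call site.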
--
2.43.0