diff options
| author | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2026-04-20 21:16:09 +0200 |
|---|---|---|
| committer | Danilo Krummrich <dakr@kernel.org> | 2026-04-20 21:23:14 +0200 |
| commit | 2fc87d37be1b730a149b035f9375fdb8cc5333a5 (patch) | |
| tree | b979e29dd6a12680730826258a53cb0c68f4b34b /include/linux/mpage.h | |
| parent | 15d649a3e5eab779a08a30fc2093116de16b2e3e (diff) | |
drm/nouveau: fix u32 overflow in pushbuf reloc bounds check
nouveau_gem_pushbuf_reloc_apply() validates each relocation with
if (r->reloc_bo_offset + 4 > nvbo->bo.base.size)
but reloc_bo_offset is __u32 (uapi/drm/nouveau_drm.h) and the integer
literal 4 promotes to unsigned int, so the addition is performed in 32
bits and wraps before the comparison against the size_t bo size.
Cast to u64 so the addition happens in 64-bit arithmetic.
Cc: Lyude Paul <lyude@redhat.com>
Cc: Danilo Krummrich <dakr@kernel.org>
Cc: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
Cc: Maxime Ripard <mripard@kernel.org>
Cc: Thomas Zimmermann <tzimmermann@suse.de>
Cc: David Airlie <airlied@gmail.com>
Cc: Simona Vetter <simona@ffwll.ch>
Reported-by: Anthropic
Cc: stable <stable@kernel.org>
Assisted-by: gkh_clanker_t1000
Fixes: a1606a9596e5 ("drm/nouveau: new gem pushbuf interface, bump to 0.0.16")
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[ Add Fixes: tag. - Danilo ]
Signed-off-by: Danilo Krummrich <dakr@kernel.org>
Diffstat (limited to 'include/linux/mpage.h')
0 files changed, 0 insertions, 0 deletions