drm: fix division-by-zero on dumb_create()drm-next

Kinda unexpected, but DIV_ROUND_UP() can overflow if passed an argument bigger than UINT_MAX - DIVISOR. Fix this by testing for "!cpp" before using it in the following division. Note that DIV_ROUND_UP() is defined as: #define DIV_ROUND_UP(n,d) (((n) + (d) - 1) / (d)) ..this will obviously overflow if (n + d - 1) is bigger than UINT_MAX. Reported-by: Tommi Rantala <tt.rantala@gmail.com> Signed-off-by: David Herrmann <dh.herrmann@gmail.com> Reviewed-by: Rob Clark <robdclark@gmail.com>
author: David Herrmann <dh.herrmann@gmail.com> 2014-08-24 19:23:26 +0200
committer: David Herrmann <dh.herrmann@gmail.com> 2014-08-28 15:45:43 +0200
commit: 171e7ac302f6992ba9fce64903611c2435de1dd3 (patch)
tree: 839357bf5c7b0b49df58fca820cee46aaeb43bac
parent: 04cd214516d8a6f0f8c0116185d6e360df0860d2 (diff)
1 files changed, 2 insertions, 2 deletions
diff --git a/drivers/gpu/drm/drm_crtc.c b/drivers/gpu/drm/drm_crtc.c
index f09b75212081..61b6978e1581 100644
--- a/drivers/gpu/drm/drm_crtc.c
+++ b/drivers/gpu/drm/drm_crtc.c
@@ -4720,8 +4720,8 @@ int drm_mode_create_dumb_ioctl(struct drm_device *dev,
 		return -EINVAL;
 
 	/* overflow checks for 32bit size calculations */
-	cpp = DIV_ROUND_UP(args->bpp, 8);
-	if (cpp > 0xffffffffU / args->width)
+	cpp = DIV_ROUND_UP(args->bpp, 8); /* might overflow! */
+	if (!cpp || cpp > 0xffffffffU / args->width)
 		return -EINVAL;
 	stride = cpp * args->width;
 	if (args->height > 0xffffffffU / stride)
author	David Herrmann <dh.herrmann@gmail.com>	2014-08-24 19:23:26 +0200
committer	David Herrmann <dh.herrmann@gmail.com>	2014-08-28 15:45:43 +0200
commit	171e7ac302f6992ba9fce64903611c2435de1dd3 (patch)
tree	839357bf5c7b0b49df58fca820cee46aaeb43bac
parent	04cd214516d8a6f0f8c0116185d6e360df0860d2 (diff)