summaryrefslogtreecommitdiff
path: root/drivers/video/tegra
diff options
context:
space:
mode:
authorTuomas Tynkkynen <ttynkkynen@nvidia.com>2012-08-13 15:43:31 +0300
committerSimone Willett <swillett@nvidia.com>2012-08-20 16:25:52 -0700
commit1c9102f23b9140a045e2be4dc80735f1268b7961 (patch)
treec69003c96d2ce69b5f359b3c2dcd8de112983ef1 /drivers/video/tegra
parentadd7d47849cd54bd37967b72534089dd32ed9b3c (diff)
video: tegra: nvmap: Fix overflow in nvmap_heap
do_heap_alloc locates a suitable free block from a nvmap heap given a size and alignment. Unfortunately, if a heap block happens to be smaller than the alignment passed to the function, an integer overflow will occur, and a block that's too small gets accidentally returned. Bug 1032642 Change-Id: Ic650c520409134d753e968f62f144ddeb065ccc7 Signed-off-by: Tuomas Tynkkynen <ttynkkynen@nvidia.com> Reviewed-on: http://git-master/r/123076 Reviewed-by: Automatic_Commit_Validation_User GVS: Gerrit_Virtual_Submit Reviewed-by: Krishna Reddy <vdumpa@nvidia.com>
Diffstat (limited to 'drivers/video/tegra')
-rw-r--r--drivers/video/tegra/nvmap/nvmap_heap.c5
1 files changed, 4 insertions, 1 deletions
diff --git a/drivers/video/tegra/nvmap/nvmap_heap.c b/drivers/video/tegra/nvmap/nvmap_heap.c
index a6fe78c..738ba26 100644
--- a/drivers/video/tegra/nvmap/nvmap_heap.c
+++ b/drivers/video/tegra/nvmap/nvmap_heap.c
@@ -3,7 +3,7 @@
*
* GPU heap allocator.
*
- * Copyright (c) 2011, NVIDIA Corporation.
+ * Copyright (c) 2012, NVIDIA Corporation.
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
@@ -420,6 +420,9 @@ static struct nvmap_heap_block *do_heap_alloc(struct nvmap_heap *heap,
list_for_each_entry(i, &heap->free_list, free_list) {
size_t fix_size;
fix_base = ALIGN(i->block.base, align);
+ if(!fix_base || fix_base >= i->block.base + i->size)
+ continue;
+
fix_size = i->size - (fix_base - i->block.base);
/* needed for compaction. relocated chunk