diff options
| author | Tuomas Tynkkynen <ttynkkynen@nvidia.com> | 2012-08-13 15:43:31 +0300 |
|---|---|---|
| committer | Simone Willett <swillett@nvidia.com> | 2012-08-20 16:25:52 -0700 |
| commit | 1c9102f23b9140a045e2be4dc80735f1268b7961 (patch) | |
| tree | c69003c96d2ce69b5f359b3c2dcd8de112983ef1 /drivers/video | |
| parent | add7d47849cd54bd37967b72534089dd32ed9b3c (diff) | |
video: tegra: nvmap: Fix overflow in nvmap_heap
do_heap_alloc locates a suitable free block from a nvmap heap given a
size and alignment. Unfortunately, if a heap block happens to be
smaller than the alignment passed to the function, an integer overflow
will occur, and a block that's too small gets accidentally returned.
Bug 1032642
Change-Id: Ic650c520409134d753e968f62f144ddeb065ccc7
Signed-off-by: Tuomas Tynkkynen <ttynkkynen@nvidia.com>
Reviewed-on: http://git-master/r/123076
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Reviewed-by: Krishna Reddy <vdumpa@nvidia.com>
Diffstat (limited to 'drivers/video')
| -rw-r--r-- | drivers/video/tegra/nvmap/nvmap_heap.c | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/drivers/video/tegra/nvmap/nvmap_heap.c b/drivers/video/tegra/nvmap/nvmap_heap.c index a6fe78c42f87..738ba26232d3 100644 --- a/drivers/video/tegra/nvmap/nvmap_heap.c +++ b/drivers/video/tegra/nvmap/nvmap_heap.c @@ -3,7 +3,7 @@ * * GPU heap allocator. * - * Copyright (c) 2011, NVIDIA Corporation. + * Copyright (c) 2012, NVIDIA Corporation. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by @@ -420,6 +420,9 @@ static struct nvmap_heap_block *do_heap_alloc(struct nvmap_heap *heap, list_for_each_entry(i, &heap->free_list, free_list) { size_t fix_size; fix_base = ALIGN(i->block.base, align); + if(!fix_base || fix_base >= i->block.base + i->size) + continue; + fix_size = i->size - (fix_base - i->block.base); /* needed for compaction. relocated chunk |