From 1c9102f23b9140a045e2be4dc80735f1268b7961 Mon Sep 17 00:00:00 2001 From: Tuomas Tynkkynen Date: Mon, 13 Aug 2012 15:43:31 +0300 Subject: video: tegra: nvmap: Fix overflow in nvmap_heap do_heap_alloc locates a suitable free block from a nvmap heap given a size and alignment. Unfortunately, if a heap block happens to be smaller than the alignment passed to the function, an integer overflow will occur, and a block that's too small gets accidentally returned. Bug 1032642 Change-Id: Ic650c520409134d753e968f62f144ddeb065ccc7 Signed-off-by: Tuomas Tynkkynen Reviewed-on: http://git-master/r/123076 Reviewed-by: Automatic_Commit_Validation_User GVS: Gerrit_Virtual_Submit Reviewed-by: Krishna Reddy --- drivers/video/tegra/nvmap/nvmap_heap.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) (limited to 'drivers/video/tegra/nvmap/nvmap_heap.c') diff --git a/drivers/video/tegra/nvmap/nvmap_heap.c b/drivers/video/tegra/nvmap/nvmap_heap.c index a6fe78c42f87..738ba26232d3 100644 --- a/drivers/video/tegra/nvmap/nvmap_heap.c +++ b/drivers/video/tegra/nvmap/nvmap_heap.c @@ -3,7 +3,7 @@ * * GPU heap allocator. * - * Copyright (c) 2011, NVIDIA Corporation. + * Copyright (c) 2012, NVIDIA Corporation. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by @@ -420,6 +420,9 @@ static struct nvmap_heap_block *do_heap_alloc(struct nvmap_heap *heap, list_for_each_entry(i, &heap->free_list, free_list) { size_t fix_size; fix_base = ALIGN(i->block.base, align); + if(!fix_base || fix_base >= i->block.base + i->size) + continue; + fix_size = i->size - (fix_base - i->block.base); /* needed for compaction. relocated chunk -- cgit v1.2.3