From 8a01798884c3d16fbdad19ba331cb7b981b32ce0 Mon Sep 17 00:00:00 2001 From: Ketan Patil Date: Wed, 22 Feb 2023 11:29:43 +0000 Subject: [PATCH] video: tegra: nvmap: Fix overflow condition When the carveout size is changed to 2GB, mem->size << PAGE_SHIFT will overflow the int limit and get wrapped to negative value. Hence during freeing bitmap, one of the comparison condition is not meeting, resulting into not freeing bitmap. Ultimately the entire bitmap get consumed even though it is expected to have empty bits. Fix this by typecasting the size to u64. Bug 3962552 Change-Id: Ieaf93a3a91062d3f630921259aa9b3935853e91c Signed-off-by: Ketan Patil Reviewed-on: https://git-master.nvidia.com/r/c/linux-nvidia/+/2861614 Reviewed-by: svcacv Reviewed-by: svc_kernel_abi Reviewed-by: svc-mobile-coverity Reviewed-by: svc-mobile-cert Reviewed-by: Sachin Nikam GVS: Gerrit_Virtual_Submit --- drivers/video/tegra/nvmap/nvmap_init.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/video/tegra/nvmap/nvmap_init.c b/drivers/video/tegra/nvmap/nvmap_init.c index 9a009665..ccd372c8 100644 --- a/drivers/video/tegra/nvmap/nvmap_init.c +++ b/drivers/video/tegra/nvmap/nvmap_init.c @@ -398,7 +398,7 @@ static void *__nvmap_dma_alloc_from_coherent(struct device *dev, spin_lock_irqsave(&mem->spinlock, flags); - if (unlikely(size > (mem->size << PAGE_SHIFT))) + if (unlikely(size > ((u64)mem->size << PAGE_SHIFT))) goto err; if ((mem->flags & DMA_MEMORY_NOMAP) && @@ -507,7 +507,7 @@ void nvmap_dma_free_attrs(struct device *dev, size_t size, void *cpu_addr, mem_addr = mem->virt_base; if (mem && cpu_addr >= mem_addr && - cpu_addr - mem_addr < mem->size << PAGE_SHIFT) { + cpu_addr - mem_addr < (u64)mem->size << PAGE_SHIFT) { unsigned int page = (cpu_addr - mem_addr) >> PAGE_SHIFT; unsigned long flags; unsigned int count;