From caaae6b1d95890ec648fea38d4990b155281122b Mon Sep 17 00:00:00 2001 From: N V S Abhishek Date: Sun, 8 Dec 2024 14:42:08 +0000 Subject: [PATCH] tegra: nvmap: Decrement variable with correct value to avoid wrap around Decrement hrange->offs_start with hs[i]->size instead of tot_sz. tot_sz holds the cumulitive sum of hs[0...i]->size and decrementing this from hrange->offs_start will decrement values from 0..(i-1) multiple times, which is incorrect and can cause a wrap around. Bug 4479044 Change-Id: If6afe9f05fc0d246d42a95fa6d9708361efcc9f8 Signed-off-by: N V S Abhishek Reviewed-on: https://git-master.nvidia.com/r/c/linux-nv-oot/+/3263927 Reviewed-by: Ketan Patil Reviewed-by: Sachin Nikam --- drivers/video/tegra/nvmap/nvmap_handle.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/video/tegra/nvmap/nvmap_handle.c b/drivers/video/tegra/nvmap/nvmap_handle.c index 65ed9226..79702535 100644 --- a/drivers/video/tegra/nvmap/nvmap_handle.c +++ b/drivers/video/tegra/nvmap/nvmap_handle.c @@ -139,7 +139,7 @@ int find_range_of_handles(struct nvmap_handle **hs, u32 nr, tot_sz = sum; if (offs > tot_sz) { - if (check_sub_overflow(hrange->offs_start, tot_sz, &difference)) + if (check_sub_overflow(hrange->offs_start, (u64)hs[i]->size, &difference)) return -EOVERFLOW; hrange->offs_start = difference;