drivers/gpu/drm/radeon/radeon_gem.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-)
radeon_align_pitch() has the same kind of overflow issue as the old
amdgpu helper: the alignment round-up add and the final 'aligned * cpp'
calculation can overflow signed int.
If that wraps to 0, radeon_mode_dumb_create() can end up with an invalid
pitch value from DRM_IOCTL_MODE_CREATE_DUMB.
Fix this by using check_add_overflow() for the alignment round-up and
check_mul_overflow() for the final pitch calculation, returning 0 on
overflow.
Found via AST-based call-graph analysis using sqry.
Fixes: ff72145badb8 ("drm: dumb scanout create/mmap for intel/radeon (v3)")
Cc: stable@vger.kernel.org
Signed-off-by: Werner Kasselman <werner@verivus.com>
---
v2:
- Use overflow helpers like amdgpu.
- Drop the stale zero pitch/size change from the original submission.
- Fix the changelog wording around reachability.
drivers/gpu/drm/radeon/radeon_gem.c | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/drivers/gpu/drm/radeon/radeon_gem.c b/drivers/gpu/drm/radeon/radeon_gem.c
index 2cd179fef347..8ce180e22d1d 100644
--- a/drivers/gpu/drm/radeon/radeon_gem.c
+++ b/drivers/gpu/drm/radeon/radeon_gem.c
@@ -28,6 +28,7 @@
#include <linux/debugfs.h>
#include <linux/iosys-map.h>
+#include <linux/overflow.h>
#include <linux/pci.h>
#include <drm/drm_device.h>
@@ -812,6 +813,7 @@ int radeon_align_pitch(struct radeon_device *rdev, int width, int cpp, bool tile
int aligned = width;
int align_large = (ASIC_IS_AVIVO(rdev)) || tiled;
int pitch_mask = 0;
+ int pitch;
switch (cpp) {
case 1:
@@ -826,14 +828,12 @@ int radeon_align_pitch(struct radeon_device *rdev, int width, int cpp, bool tile
break;
}
- aligned += pitch_mask;
+ if (check_add_overflow(aligned, pitch_mask, &aligned))
+ return 0;
aligned &= ~pitch_mask;
-
- /* Guard against integer overflow in aligned * cpp. */
- if (aligned > INT_MAX / (cpp ? cpp : 1) || aligned <= 0)
+ if (check_mul_overflow(aligned, cpp, &pitch))
return 0;
-
- return aligned * cpp;
+ return pitch;
}
int radeon_mode_dumb_create(struct drm_file *file_priv,
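Review bot: The `aligned <= 0` test from the replaced guard is dropped, so radeon_align_pitch() no longer rejects a negative `width`: for a negative value of modest magnitude neither check_add_overflow() nor check_mul_overflow() reports an overflow, and the function returns a negative pitch. If the width reaches this helper from an unsigned ioctl field (inferred, since the body of radeon_mode_dumb_create() is outside the hunk), values above INT_MAX would arrive negative. Keeping the sign check, e.g. `if (aligned <= 0 || check_mul_overflow(aligned, cpp, &pitch))`, preserves the old rejection. Returning 0 is also an in-band error value, so it only helps if the caller refuses a zero pitch; that should be confirmed and noted at the return, e.g. `/* 0 signals overflow; callers must reject it */`.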
--
2.43.0
Can you squash this with the previous radeon patch? I only applied
the amdgpu patch at this point.
Alex
On Tue, Apr 14, 2026 at 5:14 PM Werner Kasselman <werner@verivus.ai> wrote:
>
> radeon_align_pitch() has the same kind of overflow issue as the old
> amdgpu helper: the alignment round-up add and the final 'aligned * cpp'
> calculation can overflow signed int.
>
> If that wraps to 0, radeon_mode_dumb_create() can end up with an invalid
> pitch value from DRM_IOCTL_MODE_CREATE_DUMB.
>
> Fix this by using check_add_overflow() for the alignment round-up and
> check_mul_overflow() for the final pitch calculation, returning 0 on
> overflow.
>
> Found via AST-based call-graph analysis using sqry.
>
> Fixes: ff72145badb8 ("drm: dumb scanout create/mmap for intel/radeon (v3)")
> Cc: stable@vger.kernel.org
> Signed-off-by: Werner Kasselman <werner@verivus.com>
> ---
> v2:
> - Use overflow helpers like amdgpu.
> - Drop the stale zero pitch/size change from the original submission.
> - Fix the changelog wording around reachability.
>
> drivers/gpu/drm/radeon/radeon_gem.c | 12 ++++++------
> 1 file changed, 6 insertions(+), 6 deletions(-)
>
> diff --git a/drivers/gpu/drm/radeon/radeon_gem.c b/drivers/gpu/drm/radeon/radeon_gem.c
> index 2cd179fef347..8ce180e22d1d 100644
> --- a/drivers/gpu/drm/radeon/radeon_gem.c
> +++ b/drivers/gpu/drm/radeon/radeon_gem.c
> @@ -28,6 +28,7 @@
>
> #include <linux/debugfs.h>
> #include <linux/iosys-map.h>
> +#include <linux/overflow.h>
> #include <linux/pci.h>
>
> #include <drm/drm_device.h>
> @@ -812,6 +813,7 @@ int radeon_align_pitch(struct radeon_device *rdev, int width, int cpp, bool tile
> int aligned = width;
> int align_large = (ASIC_IS_AVIVO(rdev)) || tiled;
> int pitch_mask = 0;
> + int pitch;
>
> switch (cpp) {
> case 1:
> @@ -826,14 +828,12 @@ int radeon_align_pitch(struct radeon_device *rdev, int width, int cpp, bool tile
> break;
> }
>
> - aligned += pitch_mask;
> + if (check_add_overflow(aligned, pitch_mask, &aligned))
> + return 0;
> aligned &= ~pitch_mask;
> -
> - /* Guard against integer overflow in aligned * cpp. */
> - if (aligned > INT_MAX / (cpp ? cpp : 1) || aligned <= 0)
> + if (check_mul_overflow(aligned, cpp, &pitch))
> return 0;
> -
> - return aligned * cpp;
> + return pitch;
> }
>
> int radeon_mode_dumb_create(struct drm_file *file_priv,
> --
> 2.43.0