video: tegra: nvmap: Fix overflow in nvmap_heap
Tuomas Tynkkynen [Mon, 13 Aug 2012 12:43:31 +0000 (15:43 +0300)]
do_heap_alloc locates a suitable free block from a nvmap heap given a
size and alignment. Unfortunately, if a heap block happens to be
smaller than the alignment passed to the function, an integer overflow
will occur, and a block that's too small gets accidentally returned.

Bug 1032642

Change-Id: Ic650c520409134d753e968f62f144ddeb065ccc7
Signed-off-by: Tuomas Tynkkynen <ttynkkynen@nvidia.com>
Reviewed-on: http://git-master/r/123076
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Reviewed-by: Krishna Reddy <vdumpa@nvidia.com>
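The failure mode described in the commit message, as an added example that is not part of the original commit or of the nvmap driver. It models 32-bit base and size fields (an assumption; the real `phys_addr_t`/`size_t` widths depend on the kernel config), uses the kernel's `ALIGN()` formula, and contrasts the unchecked block selection with the one that skips blocks whose aligned base wraps or lands past the block end. The free list and the `pick_block`/`true_usable` helpers are constructed for this illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Kernel-style ALIGN(), evaluated in 32-bit arithmetic (assumption:
 * 32-bit physical addresses, as on the Tegra targets of this driver). */
static uint32_t align_up32(uint32_t x, uint32_t a)
{
    return (uint32_t)((x + a - 1) & ~(a - 1));
}

struct free_block {
    uint32_t base;
    uint32_t size;
};

/* Constructed free list (not real heap contents):
 * [0] a 2 KiB block well below the alignment, so the aligned base
 *     lands past the block end and size - (fix_base - base) underflows;
 * [1] a 2 KiB block near the top of the address space, so ALIGN()
 *     itself wraps and yields 0;
 * [2] a legitimately usable 128 KiB block. */
const struct free_block sample_blocks[] = {
    { 0x00001000u, 0x00000800u },
    { 0xFFFFF000u, 0x00000800u },
    { 0x00020000u, 0x00020000u },
};
#define SAMPLE_COUNT (sizeof(sample_blocks) / sizeof(sample_blocks[0]))

/* First-fit scan over the free list. With checked == false it reproduces
 * the pre-fix arithmetic; with checked == true it applies the guard from
 * the patch. Returns the index of the chosen block, or -1. */
int pick_block(const struct free_block *blocks, size_t n,
               uint32_t len, uint32_t align, bool checked)
{
    for (size_t i = 0; i < n; i++) {
        uint32_t fix_base = align_up32(blocks[i].base, align);

        /* The patch's guard: skip a wrapped aligned base (0) and an
         * aligned base that is at or beyond the end of the block. */
        if (checked && (!fix_base || fix_base >= blocks[i].base + blocks[i].size))
            continue;

        /* Unsigned underflow here is the bug: a tiny block looks huge. */
        uint32_t fix_size = blocks[i].size - (fix_base - blocks[i].base);
        if (fix_size >= len)
            return (int)i;
    }
    return -1;
}

/* Ground truth computed in 64 bits: bytes actually available at or
 * after the aligned base, or 0 if the aligned base is outside the block. */
uint64_t true_usable(const struct free_block *b, uint32_t align)
{
    uint64_t end = (uint64_t)b->base + b->size;
    uint64_t aligned = ((uint64_t)b->base + align - 1) & ~((uint64_t)align - 1);
    return aligned >= end ? 0 : end - aligned;
}

int main(void)
{
    const uint32_t len = 0x4000u, align = 0x10000u;
    int old = pick_block(sample_blocks, SAMPLE_COUNT, len, align, false);
    int fixed = pick_block(sample_blocks, SAMPLE_COUNT, len, align, true);

    printf("request: len=0x%x align=0x%x\n", len, align);
    printf("unchecked picks block %d (truly usable: %llu bytes)\n",
           old, (unsigned long long)true_usable(&sample_blocks[old], align));
    printf("checked   picks block %d (truly usable: %llu bytes)\n",
           fixed, (unsigned long long)true_usable(&sample_blocks[fixed], align));
    return 0;
}
```

Run as-is it shows the unchecked scan handing out block 0, which has no usable bytes at the requested alignment, while the checked scan skips both bad blocks and returns block 2. Block 1 demonstrates why the `!fix_base` test is needed on its own: for a power-of-two alignment, `ALIGN()` wrapping past the top of a 32-bit address space always produces exactly 0, which the end-of-block comparison alone would not catch.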

drivers/video/tegra/nvmap/nvmap_heap.c

index a6fe78c..738ba26 100644 (file)
@@ -3,7 +3,7 @@
  *
  * GPU heap allocator.
  *
- * Copyright (c) 2011, NVIDIA Corporation.
+ * Copyright (c) 2012, NVIDIA Corporation.
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -420,6 +420,9 @@ static struct nvmap_heap_block *do_heap_alloc(struct nvmap_heap *heap,
                list_for_each_entry(i, &heap->free_list, free_list) {
                        size_t fix_size;
                        fix_base = ALIGN(i->block.base, align);
+                       if(!fix_base || fix_base >= i->block.base + i->size)
+                               continue;
+
                        fix_size = i->size - (fix_base - i->block.base);
 
                        /* needed for compaction. relocated chunk
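Review bot: the new guard at `if(!fix_base || fix_base >= i->block.base + i->size)` needs a space after `if` per kernel coding style, and deserves a comment, since the two halves catch different things: `!fix_base` catches `ALIGN()` wrapping past the top of the address space (for a power-of-two `align` a wrapped result is always exactly 0), while `fix_base >= i->block.base + i->size` catches the case in the commit message, an aligned base landing past the end of a block smaller than the alignment, which would otherwise make the following `fix_size = i->size - (fix_base - i->block.base);` underflow to a huge value. Two side effects are worth noting in that comment or confirming as impossible: a free block that legitimately starts at base 0 is now never allocatable, and if `base` and `size` are 32-bit, a block ending exactly at the top of the address space makes `i->block.base + i->size` wrap to 0, so the `>=` test always skips it.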