drm/radeon/r600_cs: Fix possible int overflow in r600_packet3_check()

It is possible, although unlikely, that an integer overflow will occur
when the result of radeon_get_ib_value() is shifted to the left.

Avoid it by casting one of the operands to larger data type (u64).

Found by Linux Verification Center (linuxtesting.org) with static
analysis tool SVACE.

Signed-off-by: Igor Artemiev <Igor.A.Artemiev@mcst.ru>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>

diff --git a/drivers/gpu/drm/radeon/r600_cs.c b/drivers/gpu/drm/radeon/r600_cs.c
index 1b2d31c4d77caa6c50038d4f7a7bbed0e94a9383..ac77d1246b945337fec98b44f9eafa09fa3387cc 100644 (file)
--- a/drivers/gpu/drm/radeon/r600_cs.c
+++ b/drivers/gpu/drm/radeon/r600_cs.c
@@ -2104,7 +2104,7 @@ static int r600_packet3_check(struct radeon_cs_parser *p,
                                return -EINVAL;
                        }
 
-                       offset = radeon_get_ib_value(p, idx+1) << 8;
+                       offset = (u64)radeon_get_ib_value(p, idx+1) << 8;
                        if (offset != track->vgt_strmout_bo_offset[idx_value]) {
                                DRM_ERROR("bad STRMOUT_BASE_UPDATE, bo offset does not match: 0x%llx, 0x%x\n",
                                          offset, track->vgt_strmout_bo_offset[idx_value]);