The ubuf size calculation may overflow, resulting in an undersized
allocation and possible memory corruption.

Use check_add_overflow() helpers to validate the size calculation before
allocation.

Fixes: bd72d4acda10 ("accel/amdxdna: Support user space allocated buffer")
Signed-off-by: Lizhi Hou <[email protected]>
---
 drivers/accel/amdxdna/amdxdna_ubuf.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/drivers/accel/amdxdna/amdxdna_ubuf.c b/drivers/accel/amdxdna/amdxdna_ubuf.c
index 9e3b3b055caa..62a478f6b45f 100644
--- a/drivers/accel/amdxdna/amdxdna_ubuf.c
+++ b/drivers/accel/amdxdna/amdxdna_ubuf.c
@@ -7,6 +7,7 @@
 #include <drm/drm_device.h>
 #include <drm/drm_print.h>
 #include <linux/dma-buf.h>
+#include <linux/overflow.h>
 #include <linux/pagemap.h>
 #include <linux/vmalloc.h>
 
@@ -176,7 +177,10 @@ struct dma_buf *amdxdna_get_ubuf(struct drm_device *dev,
                        goto free_ent;
                }
 
-               exp_info.size += va_ent[i].len;
+               if (check_add_overflow(exp_info.size, va_ent[i].len, &exp_info.size)) {
+                       ret = -EINVAL;
+                       goto free_ent;
+               }
        }
 
        ubuf->nr_pages = exp_info.size >> PAGE_SHIFT;
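Review bot: The new check in the loop only rejects a sum that wraps `exp_info.size`. The context line `ubuf->nr_pages = exp_info.size >> PAGE_SHIFT;` still stores the page count with no range check, and the declaration of `nr_pages` is not visible in this hunk. If that field is narrower than `exp_info.size`, a large total that does not wrap would still be truncated there and could undersize whatever is later sized from `nr_pages`, so it is worth confirming the field's width or bounding the total before the assignment. The overflow branch also returns `-EINVAL` silently; a one-line comment such as `/* a wrapped total would undersize the page array */` or a driver error print would make the rejection traceable. The body of amdxdna_get_ubuf() starts and ends outside the hunk.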
-- 
2.34.1
