]> git-server-git.apps.pok.os.sepia.ceph.com Git - ceph-client.git/commitdiff
projects / ceph-client.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 1110a94)
accel/amdxdna: Prevent ubuf size overflow
authorLizhi Hou <lizhi.hou@amd.com>
Tue, 17 Feb 2026 19:28:15 +0000 (11:28 -0800)
committerLizhi Hou <lizhi.hou@amd.com>
Mon, 23 Feb 2026 17:24:21 +0000 (09:24 -0800)
The ubuf size calculation may overflow, resulting in an undersized
allocation and possible memory corruption.

Use check_add_overflow() helpers to validate the size calculation before
allocation.

Fixes: bd72d4acda10 ("accel/amdxdna: Support user space allocated buffer")
Reviewed-by: Mario Limonciello (AMD) <superm1@kernel.org>
Signed-off-by: Lizhi Hou <lizhi.hou@amd.com>
Link: https://patch.msgid.link/20260217192815.1784689-1-lizhi.hou@amd.com
drivers/accel/amdxdna/amdxdna_ubuf.c patch | blob | history

diff --git a/drivers/accel/amdxdna/amdxdna_ubuf.c b/drivers/accel/amdxdna/amdxdna_ubuf.c
index b509f10b155cb9b71ef5ab296865acbbf72bfe1a..fb71d6e3f44d146acc0f49fbd086e8dacd64994c 100644 (file)
--- a/drivers/accel/amdxdna/amdxdna_ubuf.c
+++ b/drivers/accel/amdxdna/amdxdna_ubuf.c
@@ -7,6 +7,7 @@
 #include <drm/drm_device.h>
 #include <drm/drm_print.h>
 #include <linux/dma-buf.h>
+#include <linux/overflow.h>
 #include <linux/pagemap.h>
 #include <linux/vmalloc.h>
 
@@ -176,7 +177,10 @@ struct dma_buf *amdxdna_get_ubuf(struct drm_device *dev,
                        goto free_ent;
                }
 
-               exp_info.size += va_ent[i].len;
+               if (check_add_overflow(exp_info.size, va_ent[i].len, &exp_info.size)) {
+                       ret = -EINVAL;
+                       goto free_ent;
+               }
        }
 
        ubuf->nr_pages = exp_info.size >> PAGE_SHIFT;
Unnamed repository; edit this file 'description' to name the repository.