
From: Yu'an Wang <wangyuan46@huawei.com> driver inclusion category: Bugfix bugzilla: NA CVE: NA Size in uacce_alloc_dma_buffers api is from mmap size. If size is too big, which can cause size + max_size - 1 overflow. Then ss_num is negative, uacce_sort_dma_buffers api may cause out-of-bounds arraywrite. Signed-off-by: Yu'an Wang <wangyuan46@huawei.com> Signed-off-by: Kai Ye <yekai13@huawei.com> Reviewed-by: Zhou Wang <wangzhou1@hisilicon.com> Signed-off-by: Yang Yingliang <yangyingliang@huawei.com> --- drivers/misc/uacce/uacce.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/drivers/misc/uacce/uacce.c b/drivers/misc/uacce/uacce.c index 49fc5dbf40157..db7b3936aec6f 100644 --- a/drivers/misc/uacce/uacce.c +++ b/drivers/misc/uacce/uacce.c @@ -321,13 +321,14 @@ static int uacce_alloc_dma_buffers(struct uacce_queue *q, unsigned long start = vma->vm_start; struct uacce *uacce = q->uacce; struct uacce_dma_slice *slice; - int i, ss_num; + unsigned long ss_num; + int i; /* Set maximum slice size is 128MB */ if (max_size > UACCE_GRAN_NUM_MASK << UACCE_GRAN_SHIFT) max_size = (UACCE_GRAN_NUM_MASK + 1) << (UACCE_GRAN_SHIFT - 1); - ss_num = (size + max_size - 1) / max_size; + ss_num = size / max_size + (size % max_size ? 1 : 0); slice = kcalloc(ss_num + 1, sizeof(*slice), GFP_KERNEL | __GFP_ZERO); if (!slice) return -ENOMEM; -- 2.25.1
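Review bot: the overflow in the ss_num computation is removed, but the loop index declared at `+ int i;` stays signed while `ss_num` becomes `unsigned long`; any later `i < ss_num` style comparison is now a signed/unsigned mismatch, and if ss_num ever exceeds INT_MAX the int index wraps before reaching it, so either declare `i` as `unsigned long` as well or bound ss_num against a sane slice count before `kcalloc(ss_num + 1, ...)`. The visible context caps max_size from above only; if max_size can be 0 at this point, both the old and the new expressions divide by zero, so a reviewer would want the lower bound confirmed or checked alongside this change. Minor style point: `size / max_size + (size % max_size ? 1 : 0)` could be written with `!!(size % max_size)`, but the explicit form is fine for readability.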