From: Yu'an Wang <wangyuan46@huawei.com>

driver inclusion
category: Bugfix
bugzilla: NA
CVE: NA
Size in uacce_alloc_dma_buffers api is from mmap size. If size is too big, size + max_size - 1 can overflow. Then ss_num is negative, and uacce_sort_dma_buffers api may cause an out-of-bounds array write.
Signed-off-by: Yu'an Wang <wangyuan46@huawei.com>
Signed-off-by: Kai Ye <yekai13@huawei.com>
Reviewed-by: Zhou Wang <wangzhou1@hisilicon.com>
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
---
 drivers/misc/uacce/uacce.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/drivers/misc/uacce/uacce.c b/drivers/misc/uacce/uacce.c index 49fc5dbf40157..db7b3936aec6f 100644 --- a/drivers/misc/uacce/uacce.c +++ b/drivers/misc/uacce/uacce.c @@ -321,13 +321,14 @@ static int uacce_alloc_dma_buffers(struct uacce_queue *q, unsigned long start = vma->vm_start; struct uacce *uacce = q->uacce; struct uacce_dma_slice *slice; - int i, ss_num; + unsigned long ss_num; + int i;
/* Set maximum slice size is 128MB */ if (max_size > UACCE_GRAN_NUM_MASK << UACCE_GRAN_SHIFT) max_size = (UACCE_GRAN_NUM_MASK + 1) << (UACCE_GRAN_SHIFT - 1);
- ss_num = (size + max_size - 1) / max_size; + ss_num = size / max_size + (size % max_size ? 1 : 0); slice = kcalloc(ss_num + 1, sizeof(*slice), GFP_KERNEL | __GFP_ZERO); if (!slice) return -ENOMEM;
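Review bot: ss_num is now unsigned long while the loop counter stays `int i`, and nothing bounds ss_num before `kcalloc(ss_num + 1, sizeof(*slice), ...)`, so a count above INT_MAX no longer wraps in the division but is still compared against and consumed through an int; add an explicit limit before the allocation, e.g. `if (ss_num > INT_MAX) return -EINVAL;` (or a tighter driver maximum), and make `i` unsigned long to match. Relying on kcalloc() to refuse an absurd count only turns an invalid mmap size into -ENOMEM instead of -EINVAL. The open-coded `size / max_size + (size % max_size ? 1 : 0)` is the right shape here: DIV_ROUND_UP() is the same `(n + d - 1) / d` form the commit message identifies as the overflow, so it must not be substituted back in. The division still assumes max_size is non-zero; where max_size comes from is outside this hunk, so that precondition is worth a comment or a check at its origin.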
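As an added illustration of the overflow the commit message describes (example code written for this review, not part of the patch or the uacce driver), here are the pre-patch and post-patch ceil-division forms side by side, the int truncation that turns a large count negative, and a bounded variant of the kind a reviewer would ask for. uint64_t stands in for the kernel's unsigned long; the 128 MiB cap, the sample sizes, and the compute_slice_count helper are assumptions made for this example.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed for this example: the 128 MiB slice cap the hunk's comment mentions. */
#define MAX_SLICE_SIZE (UINT64_C(128) << 20)

/* Pre-patch form: the intermediate sum size + max_size - 1 wraps when size
 * is within max_size of UINT64_MAX, so a huge mapping yields a tiny count. */
static uint64_t naive_ceil_div(uint64_t size, uint64_t max_size)
{
	return (size + max_size - 1) / max_size;
}

/* Post-patch form: quotient plus one if there is a remainder. There is no
 * sum that can wrap, so the result is exact for every size. */
static uint64_t safe_ceil_div(uint64_t size, uint64_t max_size)
{
	return size / max_size + (size % max_size ? 1 : 0);
}

/* True when the pre-patch addition would wrap, i.e. size + (max_size - 1)
 * does not fit in 64 bits. Decided without performing the addition. */
static bool naive_sum_wraps(uint64_t size, uint64_t max_size)
{
	return size > UINT64_MAX - (max_size - 1);
}

/* Models storing the count in an int, as the pre-patch declaration did.
 * Out-of-range conversion is implementation-defined; gcc and clang keep the
 * low 32 bits, so any count with bit 31 set comes back negative. */
static int truncate_to_int(uint64_t count)
{
	return (int)count;
}

/* Assumed helper (not in the driver): compute the slice count and reject a
 * mapping whose count an int-typed consumer could not hold, instead of
 * letting it wrap or relying on the allocator to fail. Returns -1 on error,
 * otherwise the count, which is guaranteed to fit in an int. */
static int compute_slice_count(uint64_t size, uint64_t max_size)
{
	uint64_t n;

	if (max_size == 0)
		return -1;
	n = safe_ceil_div(size, max_size);
	if (n > (uint64_t)INT_MAX)
		return -1;
	return (int)n;
}

int main(void)
{
	uint64_t huge = UINT64_MAX - 5;    /* constructed: mmap size near the top */
	uint64_t big = UINT64_C(1) << 58;  /* constructed: exactly 2^31 slices */

	printf("naive: %llu  safe: %llu  wraps: %d\n",
	       (unsigned long long)naive_ceil_div(huge, MAX_SLICE_SIZE),
	       (unsigned long long)safe_ceil_div(huge, MAX_SLICE_SIZE),
	       naive_sum_wraps(huge, MAX_SLICE_SIZE));
	printf("2^58 / 128MiB stored in an int: %d\n",
	       truncate_to_int(safe_ceil_div(big, MAX_SLICE_SIZE)));
	printf("checked count for 2^58: %d\n",
	       compute_slice_count(big, MAX_SLICE_SIZE));
	return 0;
}
```

The first line of output shows the two failure modes separately: the pre-patch sum wraps to a count of 0 for a size near UINT64_MAX, and a size that legitimately needs 2^31 slices survives the post-patch division only to become INT_MIN once stored in an int. The checked helper refuses the second case up front.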