[PATCH openEuler-5.10-LTS-SP1 42/74] xen/grants: prevent integer overflow in gnttab_dma_alloc_pages()

From: Dan Carpenter dan.carpenter@oracle.com

stable inclusion from stable-v5.10.142 commit 5d0d46e6255aa87bbca0e6831648dcecd2a7ebfd category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I6CSFH

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=...

--------------------------------

[ Upstream commit e9ea0b30ada008f4e65933f449db6894832cb242 ]

The change from kcalloc() to kvmalloc() means that arg->nr_pages might now be large enough that the "args->nr_pages << PAGE_SHIFT" can result in an integer overflow.

Fixes: b3f7931f5c61 ("xen/gntdev: switch from kcalloc() to kvcalloc()") Signed-off-by: Dan Carpenter dan.carpenter@oracle.com Reviewed-by: Juergen Gross jgross@suse.com Link: https://lore.kernel.org/r/YxDROJqu/RPvR0bi@kili Signed-off-by: Juergen Gross jgross@suse.com Signed-off-by: Sasha Levin sashal@kernel.org Signed-off-by: Jialin Zhang zhangjialin11@huawei.com Reviewed-by: Zheng Zengkai zhengzengkai@huawei.com --- drivers/xen/grant-table.c | 3 +++ 1 file changed, 3 insertions(+)

diff --git a/drivers/xen/grant-table.c b/drivers/xen/grant-table.c index 5c83d41766c8..0a2d24d6ac6f 100644 --- a/drivers/xen/grant-table.c +++ b/drivers/xen/grant-table.c @@ -981,6 +981,9 @@ int gnttab_dma_alloc_pages(struct gnttab_dma_alloc_args *args) size_t size; int i, ret;

+ if (args->nr_pages < 0 || args->nr_pages > (INT_MAX >> PAGE_SHIFT)) + return -ENOMEM; + size = args->nr_pages << PAGE_SHIFT; if (args->coherent) args->vaddr = dma_alloc_coherent(args->dev, size,