accel/amdxdna: Prevent ubuf size overflow

[PATCH V1] accel/amdxdna: Prevent ubuf size overflow

Posted by Lizhi Hou 1 month, 2 weeks ago

The ubuf size calculation may overflow, resulting in an undersized
allocation and possible memory corruption.

Use check_add_overflow() helpers to validate the size calculation before
allocation.

Fixes: bd72d4acda10 ("accel/amdxdna: Support user space allocated buffer")
Signed-off-by: Lizhi Hou <lizhi.hou@amd.com>
---
 drivers/accel/amdxdna/amdxdna_ubuf.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/drivers/accel/amdxdna/amdxdna_ubuf.c b/drivers/accel/amdxdna/amdxdna_ubuf.c
index 9e3b3b055caa..62a478f6b45f 100644
--- a/drivers/accel/amdxdna/amdxdna_ubuf.c
+++ b/drivers/accel/amdxdna/amdxdna_ubuf.c
@@ -7,6 +7,7 @@
 #include <drm/drm_device.h>
 #include <drm/drm_print.h>
 #include <linux/dma-buf.h>
+#include <linux/overflow.h>
 #include <linux/pagemap.h>
 #include <linux/vmalloc.h>
 
@@ -176,7 +177,10 @@ struct dma_buf *amdxdna_get_ubuf(struct drm_device *dev,
 			goto free_ent;
 		}
 
-		exp_info.size += va_ent[i].len;
+		if (check_add_overflow(exp_info.size, va_ent[i].len, &exp_info.size)) {
+			ret = -EINVAL;
+			goto free_ent;
+		}
 	}
 
 	ubuf->nr_pages = exp_info.size >> PAGE_SHIFT;
-- 
2.34.1

Re: [PATCH V1] accel/amdxdna: Prevent ubuf size overflow

Posted by Mario Limonciello 1 month, 2 weeks ago

On 2/17/26 1:28 PM, Lizhi Hou wrote:
> The ubuf size calculation may overflow, resulting in an undersized
> allocation and possible memory corruption.
> 
> Use check_add_overflow() helpers to validate the size calculation before
> allocation.
> 
> Fixes: bd72d4acda10 ("accel/amdxdna: Support user space allocated buffer")
> Signed-off-by: Lizhi Hou <lizhi.hou@amd.com>
Reviewed-by: Mario Limonciello (AMD) <superm1@kernel.org>
> ---
>   drivers/accel/amdxdna/amdxdna_ubuf.c | 6 +++++-
>   1 file changed, 5 insertions(+), 1 deletion(-)
> 
> diff --git a/drivers/accel/amdxdna/amdxdna_ubuf.c b/drivers/accel/amdxdna/amdxdna_ubuf.c
> index 9e3b3b055caa..62a478f6b45f 100644
> --- a/drivers/accel/amdxdna/amdxdna_ubuf.c
> +++ b/drivers/accel/amdxdna/amdxdna_ubuf.c
> @@ -7,6 +7,7 @@
>   #include <drm/drm_device.h>
>   #include <drm/drm_print.h>
>   #include <linux/dma-buf.h>
> +#include <linux/overflow.h>
>   #include <linux/pagemap.h>
>   #include <linux/vmalloc.h>
>   
> @@ -176,7 +177,10 @@ struct dma_buf *amdxdna_get_ubuf(struct drm_device *dev,
>   			goto free_ent;
>   		}
>   
> -		exp_info.size += va_ent[i].len;
> +		if (check_add_overflow(exp_info.size, va_ent[i].len, &exp_info.size)) {
> +			ret = -EINVAL;
> +			goto free_ent;
> +		}
>   	}
>   
>   	ubuf->nr_pages = exp_info.size >> PAGE_SHIFT;