From nobody Tue Jun 16 01:37:40 2026 Received: from mail-106116.protonmail.ch (mail-106116.protonmail.ch [79.135.106.116]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 3D20E2248BE for ; Wed, 15 Apr 2026 04:47:24 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=79.135.106.116 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1776228447; cv=none; b=jP6c7Dn0hkcuYaoG1b9miExfn3Okar990jhw1Ei2mexKeWec2fwhw1hGUunoumFKNQGOaY7unkKohKMdR6lnJ8pHbVaCalqUecNl6vQMiLlWP4aNewiR94dqj3Rc6lWn4WdyCqS4QGv+dODUSRzCjultrPREGDR5/3HP8MrocgE= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1776228447; c=relaxed/simple; bh=My2OMjau2bBWeR1qaXJWYR9RaQQRDb1XEOn4XhqZ540=; h=Date:To:From:Cc:Subject:Message-ID:In-Reply-To:References: MIME-Version:Content-Type; b=BIHR7xS5Nwtx+34cGu5fazANXLL/9kyhgU3HdsK6sLzIse86Mvn6gYG7EX1pES3RSEf0LIT4hzbiMimuCYfD3l1CT2Mp/BnEAE6rgXnpFo5OCdbo8/WxqUmXrrdfMENg2giMh11IXPleVMzJWK606kTSOIAnw/P6jEE0FoW49U8= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=innora.ai; spf=pass smtp.mailfrom=innora.ai; dkim=pass (2048-bit key) header.d=innora.ai header.i=@innora.ai header.b=BopgUqsf; arc=none smtp.client-ip=79.135.106.116 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=innora.ai Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=innora.ai Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=innora.ai header.i=@innora.ai header.b="BopgUqsf" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=innora.ai; s=protonmail2; t=1776228435; x=1776487635; bh=wDmce4s2wrLZeOIiK4BdtFj46JvHznACbcs44kK0FU0=; h=Date:To:From:Cc:Subject:Message-ID:In-Reply-To:References: Feedback-ID:From:To:Cc:Date:Subject:Reply-To:Feedback-ID: Message-ID:BIMI-Selector; b=BopgUqsfi2oSFMTm2ylQEbHh3fGkYOiXQynUmQT123S3oJHbzZKwdsOPuFHlybZ2X qdXnPOOCk76QbzRDqKRd/PUJaekGhxumbct2MGRjylen/Ut+iaqwjOgN6vJklJsN8R KRZTGJYQvuRf758ur9S6KLKdPE0hJT0+0TgiKAMJPgfX69Vk7sNvw9i5XvH+XG4H1w EgFkEpiQQ/XY1ydW4Qcyd293Ftef53WXWCUWE/WAlx9O8G9eUQOe7dz/qaZByIN23t 7buhcgVQeCbz2l9ZbPNP6wfeA+9pa1OyVnMYk5zmi/M+cU1MLifCB6ky1h1KMFq4IU 1W/neArJxoXSw== Date: Wed, 15 Apr 2026 04:47:10 +0000 To: gregkh@linuxfoundation.org From: Feng Ning Cc: andy.shevchenko@gmail.com, linux-staging@lists.linux.dev, linux-kernel@vger.kernel.org, Feng Ning Subject: [PATCH v6] staging: media: atomisp: use kvmalloc_objs() for overflow-safe allocations Message-ID: <20260415044700.81764-1-feng@innora.ai> In-Reply-To: <20260413112904.98864-1-feng@innora.ai> References: <20260413112904.98864-1-feng@innora.ai> Feedback-ID: 140578448:user:proton X-Pm-Message-ID: cb584e9aad0b246fa7647975b498926a30777868 Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" Replace open-coded width * height * sizeof() multiplications with kvmalloc_objs() and array_size() to prevent integer overflow in buffer allocations. The atomisp driver computes DVS, morphing table, and statistics buffer sizes using unchecked arithmetic. When dimensions are large, the product can silently wrap, causing kvmalloc() to allocate an undersized buffer. kvmalloc_objs() uses size_mul() internally, which saturates to SIZE_MAX on overflow, so kvmalloc() returns NULL instead of succeeding with too few bytes. array_size() provides the same overflow protection for the two-factor dimension products. Common size expressions are extracted to local variables to avoid recomputing them across repeated allocations in the same function. Suggested-by: Andy Shevchenko Signed-off-by: Feng Ning --- .../media/atomisp/pci/sh_css_param_dvs.c | 18 ++--- .../staging/media/atomisp/pci/sh_css_params.c | 72 +++++++------------ 2 files changed, 34 insertions(+), 56 deletions(-) diff --git a/drivers/staging/media/atomisp/pci/sh_css_param_dvs.c b/drivers= /staging/media/atomisp/pci/sh_css_param_dvs.c index 9ccdb66de..2947e0f48 100644 --- a/drivers/staging/media/atomisp/pci/sh_css_param_dvs.c +++ b/drivers/staging/media/atomisp/pci/sh_css_param_dvs.c @@ -4,6 +4,9 @@ * Copyright (c) 2015, Intel Corporation. */ =20 +#include +#include + #include "sh_css_param_dvs.h" #include #include @@ -48,16 +51,17 @@ alloc_dvs_6axis_table(const struct ia_css_resolution *f= rame_res, } =20 /* Generate Y buffers */ - dvs_config->xcoords_y =3D kvmalloc(width_y * height_y * sizeof(uint32_t), - GFP_KERNEL); + size_t cnt_y =3D array_size(width_y, height_y); + size_t cnt_uv =3D array_size(width_uv, height_uv); + + dvs_config->xcoords_y =3D kvmalloc_objs(*dvs_config->xcoords_y, cnt_y); if (!dvs_config->xcoords_y) { IA_CSS_ERROR("out of memory"); err =3D -ENOMEM; goto exit; } =20 - dvs_config->ycoords_y =3D kvmalloc(width_y * height_y * sizeof(uint32_t), - GFP_KERNEL); + dvs_config->ycoords_y =3D kvmalloc_objs(*dvs_config->ycoords_y, cnt_y); if (!dvs_config->ycoords_y) { IA_CSS_ERROR("out of memory"); err =3D -ENOMEM; @@ -67,16 +71,14 @@ alloc_dvs_6axis_table(const struct ia_css_resolution *f= rame_res, /* Generate UV buffers */ IA_CSS_LOG("UV W %d H %d", width_uv, height_uv); =20 - dvs_config->xcoords_uv =3D kvmalloc(width_uv * height_uv * sizeof(uint32= _t), - GFP_KERNEL); + dvs_config->xcoords_uv =3D kvmalloc_objs(*dvs_config->xcoords_uv, cnt_uv= ); if (!dvs_config->xcoords_uv) { IA_CSS_ERROR("out of memory"); err =3D -ENOMEM; goto exit; } =20 - dvs_config->ycoords_uv =3D kvmalloc(width_uv * height_uv * sizeof(uint32= _t), - GFP_KERNEL); + dvs_config->ycoords_uv =3D kvmalloc_objs(*dvs_config->ycoords_uv, cnt_uv= ); if (!dvs_config->ycoords_uv) { IA_CSS_ERROR("out of memory"); err =3D -ENOMEM; diff --git a/drivers/staging/media/atomisp/pci/sh_css_params.c b/drivers/st= aging/media/atomisp/pci/sh_css_params.c index fcebace11..00d126665 100644 --- a/drivers/staging/media/atomisp/pci/sh_css_params.c +++ b/drivers/staging/media/atomisp/pci/sh_css_params.c @@ -5,6 +5,8 @@ */ =20 #include +#include +#include =20 #include "gdc_device.h" /* gdc_lut_store(), ... */ #include "isp.h" /* ISP_VEC_ELEMBITS */ @@ -1380,13 +1382,11 @@ struct ia_css_morph_table *ia_css_morph_table_alloc= ate( me->coordinates_y[i] =3D NULL; } =20 + size_t cnt =3D array_size(height, width); + for (i =3D 0; i < IA_CSS_MORPH_TABLE_NUM_PLANES; i++) { - me->coordinates_x[i] =3D kvmalloc(height * width * - sizeof(*me->coordinates_x[i]), - GFP_KERNEL); - me->coordinates_y[i] =3D kvmalloc(height * width * - sizeof(*me->coordinates_y[i]), - GFP_KERNEL); + me->coordinates_x[i] =3D kvmalloc_objs(*me->coordinates_x[i], cnt); + me->coordinates_y[i] =3D kvmalloc_objs(*me->coordinates_y[i], cnt); =20 if ((!me->coordinates_x[i]) || (!me->coordinates_y[i])) { @@ -4206,13 +4206,13 @@ ia_css_dvs_statistics_allocate(const struct ia_css_= dvs_grid_info *grid) goto err; =20 me->grid =3D *grid; - me->hor_proj =3D kvmalloc(grid->height * IA_CSS_DVS_NUM_COEF_TYPES * - sizeof(*me->hor_proj), GFP_KERNEL); + me->hor_proj =3D kvmalloc_objs(*me->hor_proj, + array_size(grid->height, IA_CSS_DVS_NUM_COEF_TYPES)); if (!me->hor_proj) goto err; =20 - me->ver_proj =3D kvmalloc(grid->width * IA_CSS_DVS_NUM_COEF_TYPES * - sizeof(*me->ver_proj), GFP_KERNEL); + me->ver_proj =3D kvmalloc_objs(*me->ver_proj, + array_size(grid->width, IA_CSS_DVS_NUM_COEF_TYPES)); if (!me->ver_proj) goto err; =20 @@ -4245,15 +4245,13 @@ ia_css_dvs_coefficients_allocate(const struct ia_cs= s_dvs_grid_info *grid) =20 me->grid =3D *grid; =20 - me->hor_coefs =3D kvmalloc(grid->num_hor_coefs * - IA_CSS_DVS_NUM_COEF_TYPES * - sizeof(*me->hor_coefs), GFP_KERNEL); + me->hor_coefs =3D kvmalloc_objs(*me->hor_coefs, + array_size(grid->num_hor_coefs, IA_CSS_DVS_NUM_COEF_TYPES)); if (!me->hor_coefs) goto err; =20 - me->ver_coefs =3D kvmalloc(grid->num_ver_coefs * - IA_CSS_DVS_NUM_COEF_TYPES * - sizeof(*me->ver_coefs), GFP_KERNEL); + me->ver_coefs =3D kvmalloc_objs(*me->ver_coefs, + array_size(grid->num_ver_coefs, IA_CSS_DVS_NUM_COEF_TYPES)); if (!me->ver_coefs) goto err; =20 @@ -4286,59 +4284,37 @@ ia_css_dvs2_statistics_allocate(const struct ia_css= _dvs_grid_info *grid) =20 me->grid =3D *grid; =20 - me->hor_prod.odd_real =3D kvmalloc(grid->aligned_width * - grid->aligned_height * - sizeof(*me->hor_prod.odd_real), - GFP_KERNEL); + size_t cnt =3D array_size(grid->aligned_width, grid->aligned_height); + + me->hor_prod.odd_real =3D kvmalloc_objs(*me->hor_prod.odd_real, cnt); if (!me->hor_prod.odd_real) goto err; =20 - me->hor_prod.odd_imag =3D kvmalloc(grid->aligned_width * - grid->aligned_height * - sizeof(*me->hor_prod.odd_imag), - GFP_KERNEL); + me->hor_prod.odd_imag =3D kvmalloc_objs(*me->hor_prod.odd_imag, cnt); if (!me->hor_prod.odd_imag) goto err; =20 - me->hor_prod.even_real =3D kvmalloc(grid->aligned_width * - grid->aligned_height * - sizeof(*me->hor_prod.even_real), - GFP_KERNEL); + me->hor_prod.even_real =3D kvmalloc_objs(*me->hor_prod.even_real, cnt); if (!me->hor_prod.even_real) goto err; =20 - me->hor_prod.even_imag =3D kvmalloc(grid->aligned_width * - grid->aligned_height * - sizeof(*me->hor_prod.even_imag), - GFP_KERNEL); + me->hor_prod.even_imag =3D kvmalloc_objs(*me->hor_prod.even_imag, cnt); if (!me->hor_prod.even_imag) goto err; =20 - me->ver_prod.odd_real =3D kvmalloc(grid->aligned_width * - grid->aligned_height * - sizeof(*me->ver_prod.odd_real), - GFP_KERNEL); + me->ver_prod.odd_real =3D kvmalloc_objs(*me->ver_prod.odd_real, cnt); if (!me->ver_prod.odd_real) goto err; =20 - me->ver_prod.odd_imag =3D kvmalloc(grid->aligned_width * - grid->aligned_height * - sizeof(*me->ver_prod.odd_imag), - GFP_KERNEL); + me->ver_prod.odd_imag =3D kvmalloc_objs(*me->ver_prod.odd_imag, cnt); if (!me->ver_prod.odd_imag) goto err; =20 - me->ver_prod.even_real =3D kvmalloc(grid->aligned_width * - grid->aligned_height * - sizeof(*me->ver_prod.even_real), - GFP_KERNEL); + me->ver_prod.even_real =3D kvmalloc_objs(*me->ver_prod.even_real, cnt); if (!me->ver_prod.even_real) goto err; =20 - me->ver_prod.even_imag =3D kvmalloc(grid->aligned_width * - grid->aligned_height * - sizeof(*me->ver_prod.even_imag), - GFP_KERNEL); + me->ver_prod.even_imag =3D kvmalloc_objs(*me->ver_prod.even_imag, cnt); if (!me->ver_prod.even_imag) goto err; =20 --=20 2.49.0