[PATCH -next] firmware: imx: secure-enclave: prevent overflow in round_up() of iobuf length

Pankaj Gupta posted 1 patch 1 week, 4 days ago
drivers/firmware/imx/se_ctrl.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
Posted by Pankaj Gupta 1 week, 4 days ago
On 32-bit architectures, calling round_up(io.length, 8) can overflow
when io.length is close to SIZE_MAX, as the internal addition
(io.length + 7) wraps around. This may result in aligned_len becoming
smaller than io.length (even zero), bypassing subsequent bounds checks.

This can lead to an out-of-bounds write when the original io.length is
used in memory operations.

Add an explicit check to ensure io.length + 7 does not overflow before
calling round_up().

Fixes: 3ae9dcce8400 ("firmware: drivers: imx: adds miscdev")
Reported-by: sashiko-bot <sashiko-bot@kernel.org>
Closes: https://sashiko.dev/#/patchset/20260514090321.2186877-1-pankaj.gupta@nxp.com?part=
Signed-off-by: Pankaj Gupta <pankaj.gupta@nxp.com>
---
 drivers/firmware/imx/se_ctrl.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/firmware/imx/se_ctrl.c b/drivers/firmware/imx/se_ctrl.c
index 4914d3b6bf0b..05ea7efc016d 100644
--- a/drivers/firmware/imx/se_ctrl.c
+++ b/drivers/firmware/imx/se_ctrl.c
@@ -672,7 +672,7 @@ static int se_ioctl_setup_iobuf_handler(struct se_if_device_ctx *dev_ctx,
 		goto copy;
 	}
 
-	if (io.length > SIZE_MAX - 7) {
+	if ((size_t)io.length > SIZE_MAX - 7) {
 		dev_err(dev_ctx->priv->dev, "%s: Invalid buffer length.",
 			dev_ctx->devname);
 		return -EINVAL;
-- 
2.43.0
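Added example (not from the patch or the driver): a user-space model of the wrap the commit message describes, using a uint32_t stand-in for a 32-bit size_t. The names `size32_t` and `round_up8_*` are hypothetical, and the 64-bit length field is an assumption, since the page does not show the type of io.length.

```c
#include <stdint.h>
#include <stdio.h>

/* Stand-in for a 32-bit size_t so the wrap reproduces on any host (assumption). */
typedef uint32_t size32_t;
#define SIZE32_MAX UINT32_MAX

/* Same result as round_up(len, 8): the +7 wraps modulo 2^32. */
static size32_t round_up8_unchecked(size32_t len)
{
	return (size32_t)(len + 7u) & ~(size32_t)7u;
}

/* Reject lengths whose +7 would wrap, then round. Returns 0 or -1. */
static int round_up8_checked(size32_t len, size32_t *aligned)
{
	if (len > SIZE32_MAX - 7u)
		return -1;
	*aligned = round_up8_unchecked(len);
	return 0;
}

/* Hypothetical 64-bit length field: range-check at full width, then narrow. */
static int round_up8_from_u64(uint64_t len, size32_t *aligned)
{
	if (len > (uint64_t)SIZE32_MAX - 7u)
		return -1;
	return round_up8_checked((size32_t)len, aligned);
}

/* Cast-first variant, for contrast: truncation hides the high bits. */
static int round_up8_cast_first(uint64_t len, size32_t *aligned)
{
	return round_up8_checked((size32_t)len, aligned);
}

int main(void)
{
	size32_t a = 0;
	int rc;

	printf("unchecked(0xfffffffa) = %#x\n", (unsigned)round_up8_unchecked(0xfffffffau));
	printf("checked(0xfffffffa) = %d\n", round_up8_checked(0xfffffffau, &a));
	printf("full-width(0x100000010) = %d\n", round_up8_from_u64(0x100000010ull, &a));
	rc = round_up8_cast_first(0x100000010ull, &a);
	printf("cast-first(0x100000010) = %d, aligned = %#x\n", rc, (unsigned)a);
	return 0;
}
```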