From: Dan Carpenter Date: Thu, 1 Sep 2022 15:35:20 +0000 (+0300) Subject: xen/grants: prevent integer overflow in gnttab_dma_alloc_pages() X-Git-Url: https://git.baikalelectronics.ru/sdk/?a=commitdiff_plain;h=e9ea0b30ada008f4e65933f449db6894832cb242;p=kernel.git xen/grants: prevent integer overflow in gnttab_dma_alloc_pages() The change from kcalloc() to kvmalloc() means that arg->nr_pages might now be large enough that the "args->nr_pages << PAGE_SHIFT" can result in an integer overflow. Fixes: b3f7931f5c61 ("xen/gntdev: switch from kcalloc() to kvcalloc()") Signed-off-by: Dan Carpenter Reviewed-by: Juergen Gross Link: https://lore.kernel.org/r/YxDROJqu/RPvR0bi@kili Signed-off-by: Juergen Gross --- diff --git a/drivers/xen/grant-table.c b/drivers/xen/grant-table.c index 738029de3c672..e1ec725c2819d 100644 --- a/drivers/xen/grant-table.c +++ b/drivers/xen/grant-table.c @@ -1047,6 +1047,9 @@ int gnttab_dma_alloc_pages(struct gnttab_dma_alloc_args *args) size_t size; int i, ret; + if (args->nr_pages < 0 || args->nr_pages > (INT_MAX >> PAGE_SHIFT)) + return -ENOMEM; + size = args->nr_pages << PAGE_SHIFT; if (args->coherent) args->vaddr = dma_alloc_coherent(args->dev, size,