Hi Hyunwoo, On 6/11/22 21:28, Hyunwoo Kim wrote: > In pxa3xx_gcu_write, a count parameter of > type size_t is passed to words of type int. > Then, copy_from_user may cause a heap overflow because > it is used as the third argument of copy_from_user. I suggest to simply change the type of "words" a few lines above: Instead of int words = count / 4; use size_t words = count / 4; count is already of type size_t and then you don't need to check against < 0. Can you resend such a patch? Helge > > Signed-off-by: Hyunwoo Kim <imv4bel@xxxxxxxxx> > --- > drivers/video/fbdev/pxa3xx-gcu.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/drivers/video/fbdev/pxa3xx-gcu.c b/drivers/video/fbdev/pxa3xx-gcu.c > index 043cc8f9ef1c..5ca6d37e365f 100644 > --- a/drivers/video/fbdev/pxa3xx-gcu.c > +++ b/drivers/video/fbdev/pxa3xx-gcu.c > @@ -389,7 +389,7 @@ pxa3xx_gcu_write(struct file *file, const char *buff, > priv->shared->num_words += words; > > /* Last word reserved for batch buffer end command */ > - if (words >= PXA3XX_GCU_BATCH_WORDS) > + if (words >= PXA3XX_GCU_BATCH_WORDS || words < 0) > return -E2BIG; > > /* Wait for a free buffer */
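Review bot: In the changed condition `if (words >= PXA3XX_GCU_BATCH_WORDS || words < 0)`, the added `words < 0` test handles only the symptom of storing `count / 4`, a size_t value, in an `int`. Declaring `size_t words = count / 4;` as suggested in the reply keeps the value unsigned, so the existing `words >= PXA3XX_GCU_BATCH_WORDS` comparison is enough to reject an oversized request before it reaches copy_from_user, and no sign test is needed. Separately, the context line `priv->shared->num_words += words;` sits above the bounds check, so the counter is updated with an unvalidated value even when the write is then rejected with -E2BIG; consider moving that update below the check in the resend.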