This is a note to let you know that I've just added the patch titled misc: pci_endpoint_test: Prevent some integer overflows to the 4.14-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary The filename of the patch is: misc-pci_endpoint_test-prevent-some-integer-overflows.patch and it can be found in the queue-4.14 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable@xxxxxxxxxxxxxxx> know about it. >From foo@baz Mon 11 Nov 2019 10:07:22 AM CET From: Mathieu Poirier <mathieu.poirier@xxxxxxxxxx> Date: Thu, 5 Sep 2019 10:17:50 -0600 Subject: misc: pci_endpoint_test: Prevent some integer overflows To: stable@xxxxxxxxxxxxxxx Cc: linux-usb@xxxxxxxxxxxxxxx, linux-kernel@xxxxxxxxxxxxxxx, linux-pm@xxxxxxxxxxxxxxx, dri-devel@xxxxxxxxxxxxxxxxxxxxx, linux-omap@xxxxxxxxxxxxxxx, linux-i2c@xxxxxxxxxxxxxxx, linux-pci@xxxxxxxxxxxxxxx, linux-mtd@xxxxxxxxxxxxxxxxxxx Message-ID: <20190905161759.28036-10-mathieu.poirier@xxxxxxxxxx> From: Dan Carpenter <dan.carpenter@xxxxxxxxxx> commit 378f79cab12b669928f3a4037f023837ead2ce0c upstream "size + max" can have an arithmetic overflow when we're allocating: orig_src_addr = dma_alloc_coherent(dev, size + alignment, ... I've added a few checks to prevent that. Fixes: 13107c60681f ("misc: pci_endpoint_test: Add support to provide aligned buffer addresses") Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx> Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> Signed-off-by: Mathieu Poirier <mathieu.poirier@xxxxxxxxxx> Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> --- drivers/misc/pci_endpoint_test.c | 9 +++++++++ 1 file changed, 9 insertions(+) --- a/drivers/misc/pci_endpoint_test.c +++ b/drivers/misc/pci_endpoint_test.c @@ -226,6 +226,9 @@ static bool pci_endpoint_test_copy(struc u32 src_crc32; u32 dst_crc32; + if (size > SIZE_MAX - alignment) + goto err; + orig_src_addr = dma_alloc_coherent(dev, size + alignment, &orig_src_phys_addr, GFP_KERNEL); if (!orig_src_addr) { @@ -311,6 +314,9 @@ static bool pci_endpoint_test_write(stru size_t alignment = test->alignment; u32 crc32; + if (size > SIZE_MAX - alignment) + goto err; + orig_addr = dma_alloc_coherent(dev, size + alignment, &orig_phys_addr, GFP_KERNEL); if (!orig_addr) { @@ -369,6 +375,9 @@ static bool pci_endpoint_test_read(struc size_t alignment = test->alignment; u32 crc32; + if (size > SIZE_MAX - alignment) + goto err; + orig_addr = dma_alloc_coherent(dev, size + alignment, &orig_phys_addr, GFP_KERNEL); if (!orig_addr) { Patches currently in stable-queue which might be from mathieu.poirier@xxxxxxxxxx are queue-4.14/mailbox-reset-txdone_method-txdone_by_poll-if-client-knows_txdone.patch queue-4.14/mtd-spi-nor-cadence-quadspi-add-a-delay-in-write-sequence.patch queue-4.14/misc-pci_endpoint_test-fix-bug_on-error-during-pci_disable_msi.patch queue-4.14/asoc-tlv320dac31xx-mark-expected-switch-fall-through.patch queue-4.14/pci-dra7xx-add-shutdown-handler-to-cleanly-turn-off-clocks.patch queue-4.14/asoc-tlv320aic31xx-handle-inverted-bclk-in-non-dsp-modes.patch queue-4.14/mtd-spi-nor-enable-4b-opcodes-for-mx66l51235l.patch queue-4.14/cpufreq-ti-cpufreq-add-missing-of_node_put.patch queue-4.14/asoc-davinci-kill-bug_on-usage.patch queue-4.14/mfd-palmas-assign-the-right-powerhold-mask-for-tps65917.patch queue-4.14/asoc-davinci-mcasp-fix-an-error-handling-path-in-davinci_mcasp_probe.patch queue-4.14/misc-pci_endpoint_test-prevent-some-integer-overflows.patch queue-4.14/asoc-davinci-mcasp-handle-return-value-of-devm_kasprintf.patch queue-4.14/i2c-omap-trigger-bus-recovery-in-lockup-case.patch queue-4.14/usb-dwc3-allow-disabling-of-metastability-workaround.patch ______________________________________________________ Linux MTD discussion mailing list http://lists.infradead.org/mailman/listinfo/linux-mtd/