On Fri, Sep 01, 2017 at 02:00:48PM +0800, Dison River wrote:
> newFwSize = ALIGN(karg.newImageSize, 4);

This is an integer overflow, but it's harmless...  As a static checker
developer this is where I would print a warning:

drivers/message/fusion/mptctl.c:1748 mptctl_replace_fw() warn: potential integer overflow from user '((karg.newImageSize)) + (((4)) - 1)'

I also caught the integer overflow from two days ago but there are too
many ones like this so I can't check them all.

In mpt_alloc_fw_memory() there is another potential integer overflow when
we do:

	ioc->alloc_total += size;

But ->alloc_total is not used anywhere.

I don't see a buffer overflow here.

regards,
dan carpenter
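Added illustration, not code from this thread or from the fusion driver: the wrap that the checker flags in ALIGN(karg.newImageSize, 4) comes from the intermediate x + (a - 1), which the kernel macro computes before masking. The stand-in below (align_unchecked, align_checked and the sample values are mine, and 32-bit unsigned operands are an assumption) reproduces that wrap and shows the overflow-checked form a reviewer would ask for when the input is user-controlled; the same __builtin_add_overflow pattern applies to running sums like alloc_total += size.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <inttypes.h>

/* Stand-in for the kernel's ALIGN(x, a): round x up to a multiple of a,
 * where a is a power of two.  The intermediate x + a - 1 is plain
 * unsigned arithmetic, so it wraps silently for x near UINT32_MAX.  */
static uint32_t align_unchecked(uint32_t x, uint32_t a)
{
	return (x + a - 1) & ~(a - 1);
}

/* Checked form: refuses a non-power-of-two alignment and reports the
 * wrap instead of returning a too-small size.  Returns true on success
 * and stores the aligned value in *out.  */
static bool align_checked(uint32_t x, uint32_t a, uint32_t *out)
{
	uint32_t tmp;

	if (a == 0 || (a & (a - 1)) != 0)
		return false;			/* alignment must be a power of two */
	if (__builtin_add_overflow(x, a - 1, &tmp))
		return false;			/* x + a - 1 would wrap */
	*out = tmp & ~(a - 1);
	return true;
}

/* Checked accumulator in the shape of alloc_total += size.  */
static bool add_total_checked(uint32_t *total, uint32_t size)
{
	return !__builtin_add_overflow(*total, size, total);
}

int main(void)
{
	/* Constructed sample inputs: one ordinary size, one near the top. */
	uint32_t sizes[] = { 5, 0xFFFFFFFEu };
	uint32_t aligned, total = 0;

	for (size_t i = 0; i < sizeof(sizes) / sizeof(sizes[0]); i++) {
		printf("unchecked ALIGN(0x%08" PRIx32 ", 4) = 0x%08" PRIx32 "\n",
		       sizes[i], align_unchecked(sizes[i], 4));
		if (align_checked(sizes[i], 4, &aligned))
			printf("checked   ALIGN(0x%08" PRIx32 ", 4) = 0x%08" PRIx32 "\n",
			       sizes[i], aligned);
		else
			printf("checked   ALIGN(0x%08" PRIx32 ", 4) rejected: would wrap\n",
			       sizes[i]);
		if (!add_total_checked(&total, sizes[i]))
			printf("running total would wrap at 0x%08" PRIx32 "\n", sizes[i]);
	}
	return 0;
}
```

For 0xFFFFFFFE the unchecked version returns 0, which is the value a later allocation or copy would see; the checked version returns false and the caller can fail the ioctl instead.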