This is a note to let you know that I've just added the patch titled xen/grants: prevent integer overflow in gnttab_dma_alloc_pages() to the 5.10-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary The filename of the patch is: xen-grants-prevent-integer-overflow-in-gnttab_dma_al.patch and it can be found in the queue-5.10 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable@xxxxxxxxxxxxxxx> know about it. commit c562a7c1c17c32db7e26e5da946e6c755afa0efa Author: Dan Carpenter <dan.carpenter@xxxxxxxxxx> Date: Thu Sep 1 18:35:20 2022 +0300 xen/grants: prevent integer overflow in gnttab_dma_alloc_pages() [ Upstream commit e9ea0b30ada008f4e65933f449db6894832cb242 ] The change from kcalloc() to kvmalloc() means that arg->nr_pages might now be large enough that the "args->nr_pages << PAGE_SHIFT" can result in an integer overflow. Fixes: b3f7931f5c61 ("xen/gntdev: switch from kcalloc() to kvcalloc()") Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx> Reviewed-by: Juergen Gross <jgross@xxxxxxxx> Link: https://lore.kernel.org/r/YxDROJqu/RPvR0bi@kili Signed-off-by: Juergen Gross <jgross@xxxxxxxx> Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx> diff --git a/drivers/xen/grant-table.c b/drivers/xen/grant-table.c index 5c83d41766c85..0a2d24d6ac6f7 100644 --- a/drivers/xen/grant-table.c +++ b/drivers/xen/grant-table.c @@ -981,6 +981,9 @@ int gnttab_dma_alloc_pages(struct gnttab_dma_alloc_args *args) size_t size; int i, ret; + if (args->nr_pages < 0 || args->nr_pages > (INT_MAX >> PAGE_SHIFT)) + return -ENOMEM; + size = args->nr_pages << PAGE_SHIFT; if (args->coherent) args->vaddr = dma_alloc_coherent(args->dev, size,