This is a note to let you know that I've just added the patch titled
xen/grants: prevent integer overflow in gnttab_dma_alloc_pages()
to the 5.10-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
The filename of the patch is:
xen-grants-prevent-integer-overflow-in-gnttab_dma_al.patch
and it can be found in the queue-5.10 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.
commit c562a7c1c17c32db7e26e5da946e6c755afa0efa
Author: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
Date: Thu Sep 1 18:35:20 2022 +0300
xen/grants: prevent integer overflow in gnttab_dma_alloc_pages()
[ Upstream commit e9ea0b30ada008f4e65933f449db6894832cb242 ]
The change from kcalloc() to kvmalloc() means that arg->nr_pages
might now be large enough that the "args->nr_pages << PAGE_SHIFT" can
result in an integer overflow.
Fixes: b3f7931f5c61 ("xen/gntdev: switch from kcalloc() to kvcalloc()")
Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
Reviewed-by: Juergen Gross <jgross@xxxxxxxx>
Link: https://lore.kernel.org/r/YxDROJqu/RPvR0bi@kili
Signed-off-by: Juergen Gross <jgross@xxxxxxxx>
Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>
diff --git a/drivers/xen/grant-table.c b/drivers/xen/grant-table.c
index 5c83d41766c85..0a2d24d6ac6f7 100644
--- a/drivers/xen/grant-table.c
+++ b/drivers/xen/grant-table.c
@@ -981,6 +981,9 @@ int gnttab_dma_alloc_pages(struct gnttab_dma_alloc_args *args)
size_t size;
int i, ret;
+ if (args->nr_pages < 0 || args->nr_pages > (INT_MAX >> PAGE_SHIFT))
+ return -ENOMEM;
+
size = args->nr_pages << PAGE_SHIFT;
if (args->coherent)
args->vaddr = dma_alloc_coherent(args->dev, size,
