From 7b2b2e29aaa0593b09c0addad06c97eef7c35fd6 Mon Sep 17 00:00:00 2001
From: Yu'an Wang
Date: Tue, 14 Sep 2021 09:53:12 +0800
Subject: [PATCH] misc/uacce: fixup out-of-bounds array write

driver inclusion
category: Bugfix
bugzilla: NA
CVE: NA

Size in uacce_alloc_dma_buffers api is from mmap size. If size is too big, which can cause size + max_size - 1 overflow. Then ss_num is negative, uacce_sort_dma_buffers api may cause out-of-bounds arraywrite.

Signed-off-by: Yu'an Wang
Signed-off-by: Kai Ye
Reviewed-by: Zhou Wang
Signed-off-by: Yang Yingliang
---
 drivers/misc/uacce/uacce.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/drivers/misc/uacce/uacce.c b/drivers/misc/uacce/uacce.c
index 49fc5dbf4015..db7b3936aec6 100644
--- a/drivers/misc/uacce/uacce.c
+++ b/drivers/misc/uacce/uacce.c
@@ -321,13 +321,14 @@ static int uacce_alloc_dma_buffers(struct uacce_queue *q,
 	unsigned long start = vma->vm_start;
 	struct uacce *uacce = q->uacce;
 	struct uacce_dma_slice *slice;
-	int i, ss_num;
+	unsigned long ss_num;
+	int i;
 
 	/* Set maximum slice size is 128MB */
 	if (max_size > UACCE_GRAN_NUM_MASK << UACCE_GRAN_SHIFT)
 		max_size = (UACCE_GRAN_NUM_MASK + 1) << (UACCE_GRAN_SHIFT - 1);
 
-	ss_num = (size + max_size - 1) / max_size;
+	ss_num = size / max_size + (size % max_size ? 1 : 0);
 	slice = kcalloc(ss_num + 1, sizeof(*slice), GFP_KERNEL | __GFP_ZERO);
 	if (!slice)
 		return -ENOMEM;
-- 
GitLab
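Review bot: The new line `ss_num = size / max_size + (size % max_size ? 1 : 0);` is correct but reads as a hand-rolled round-up division, and a later cleanup is likely to fold it back into the kernel's DIV_ROUND_UP(), which expands to the same `(n + d - 1) / d` form and would reintroduce the wrap this patch removes; a comment should pin the intent, e.g. `/* Not DIV_ROUND_UP(): size + max_size - 1 can wrap for a huge mmap size */`. With ss_num now `unsigned long` while `i` stays `int`, any loop of the shape `for (i = 0; i < ss_num; i++)` further down will compare signed with unsigned, so I would make `i` an `unsigned long` as well in the same declaration change. The body of uacce_alloc_dma_buffers continues past the end of this hunk, so the later uses of ss_num and i are not visible here and the loop shape is inferred.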