Re: [PATCH v3] staging: media: atomisp: use array3_size() for overflow-safe allocation

Next message: Chia-Lin Kao (AceLan): "[PATCH v4 3/3] usb: typec: ucsi: yoga_c630: Remove redundant duplicate altmode handling"
Previous message: Johan Hovold: "Re: [PATCH] usb: gadget: f_hid: fix device reference leak in hidg_alloc()"
In reply to: Feng Ning: "[PATCH v3] staging: media: atomisp: use array3_size() for overflow-safe allocation"
Next in thread: Andy Shevchenko: "Re: [PATCH v3] staging: media: atomisp: use array3_size() for overflow-safe allocation"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Andy Shevchenko

Date: Mon Apr 13 2026 - 03:40:50 EST

On Sun, Apr 12, 2026 at 3:05 AM Feng Ning <feng@xxxxxxxxx> wrote:
>
> Replace open-coded width * height * sizeof() multiplications with
> array3_size() to prevent integer overflow in buffer allocations.
>
> The atomisp driver computes DVS, morphing table, shading table and
> statistics buffer sizes using unchecked arithmetic. When dimensions
> are attacker-controlled or simply large, the product can silently wrap,
> causing kvmalloc() to allocate an undersized buffer.
>
> array3_size() saturates to SIZE_MAX on overflow, so kvmalloc() returns
> NULL instead of succeeding with too few bytes.

...

> +#include <linux/overflow.h>

+ slab.h

...

> /* Generate Y buffers */
> - dvs_config->xcoords_y = kvmalloc(width_y * height_y * sizeof(uint32_t),
> + dvs_config->xcoords_y = kvmalloc(array3_size(width_y, height_y, sizeof(uint32_t)),
> GFP_KERNEL);

Please, go further, id est

dvs_config->xcoords_y = kvmalloc_objs(sizeof(uint32_t),
array_size(width_y, height_y));

and so on...

--
With Best Regards,
Andy Shevchenko