From cb233ff6f57bb525d1096e0765fa236bc1b2fb27 Mon Sep 17 00:00:00 2001
From: Surbhi Singh <surbhis@nvidia.com>
Date: Mon, 3 Mar 2025 11:34:02 +0000
Subject: [PATCH] video: tegra: nvmap: Add checks for addition overflow

Add check for overflow when two unsigned integers are added or
multiplied and return error in case of overflow condition.

JIRA TMM-5993
Bug 4479044

Change-Id: I8c9f6c55d413a2f95e445e09209d392a4c90b1e0
Signed-off-by: Surbhi Singh <surbhis@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/c/linux-nv-oot/+/3312702
Reviewed-by: Sachin Nikam <snikam@nvidia.com>
GVS: buildbot_gerritrpt <buildbot_gerritrpt@nvidia.com>
Reviewed-by: Ketan Patil <ketanp@nvidia.com>
---
 drivers/video/tegra/nvmap/nvmap_alloc.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/drivers/video/tegra/nvmap/nvmap_alloc.c b/drivers/video/tegra/nvmap/nvmap_alloc.c
index 543e2664..9687e8c7 100644
--- a/drivers/video/tegra/nvmap/nvmap_alloc.c
+++ b/drivers/video/tegra/nvmap/nvmap_alloc.c
@@ -103,6 +103,7 @@ static int handle_page_alloc(struct nvmap_client *client,
 	struct page **pages;
 	gfp_t gfp = GFP_NVMAP | __GFP_ZERO;
 	u64 result;
+	size_t tot_size;
 #ifdef CONFIG_ARM64_4K_PAGES
 	int cc_index = 0;
 #ifdef NVMAP_CONFIG_PAGE_POOLS
@@ -112,7 +113,10 @@ static int handle_page_alloc(struct nvmap_client *client,
 #endif
 #endif /* CONFIG_ARM64_4K_PAGES */
 
-	pages = nvmap_altalloc(nr_page * sizeof(*pages));
+	if (check_mul_overflow(nr_page, sizeof(*pages), &tot_size))
+		return -EOVERFLOW;
+
+	pages = nvmap_altalloc(tot_size);
 	if (!pages)
 		return -ENOMEM;
 
@@ -212,7 +216,7 @@ static int handle_page_alloc(struct nvmap_client *client,
 fail:
 	while (i--)
 		__free_page(pages[i]);
-	nvmap_altfree(pages, nr_page * sizeof(*pages));
+	nvmap_altfree(pages, tot_size);
 	wmb();
 	return -ENOMEM;
 }