udmabuf: fix a buf size overflow issue during udmabuf creation

pvts-mat · PlaidCat · commit f644d6a99be7 · 2025-07-16T11:49:26.000-04:00
jira VULN-67675 cve CVE-2025-37803 commit-author Xiaogang Chen <xiaogang.chen@amd.com> commit 021ba7f by casting size_limit_mb to u64 when calculate pglimit. Signed-off-by: Xiaogang Chen<Xiaogang.Chen@amd.com> Link: https://patchwork.freedesktop.org/patch/msgid/20250321164126.329638-1-xiaogang.chen@amd.com Signed-off-by: Christian König <christian.koenig@amd.com> (cherry picked from commit 021ba7f) Signed-off-by: Marcin Wcisło <marcin.wcislo@conclusive.pl> Signed-off-by: Jonathan Maple <jmaple@ciq.com>
diff --git a/drivers/dma-buf/udmabuf.c b/drivers/dma-buf/udmabuf.c
@@ -186,7 +186,7 @@ static long udmabuf_create(struct miscdevice *device,
 	if (!ubuf)
 		return -ENOMEM;
 
-	pglimit = (size_limit_mb * 1024 * 1024) >> PAGE_SHIFT;
+	pglimit = ((u64)size_limit_mb * 1024 * 1024) >> PAGE_SHIFT;
 	for (i = 0; i < head->count; i++) {
 		if (!IS_ALIGNED(list[i].offset, PAGE_SIZE))
 			goto err;
