[PATCH] staging: media: atomisp: use array3_size() for overflow-safe allocation

[PATCH] staging: media: atomisp: use array3_size() for overflow-safe allocation

[Feng Ning]

[-- Attachment #1.1: Type: text/plain, Size: 1605 bytes --]

Replace bare width * height * sizeof() multiplications with
array3_size() to prevent integer overflow in buffer allocations.

The atomisp driver computes DVS and shading buffer sizes using
unchecked u32 multiplication. When dimensions are large, the
product wraps and kvmalloc allocates an undersized buffer.

Use array3_size() which returns SIZE_MAX on overflow, causing
kvmalloc to fail safely instead of allocating too little memory.

Affected locations (11 instances across 3 files):
  - sh_css_params.c: ia_css_dvs_6axis_config_allocate (lines 4482-4498)
  - sh_css_params.c: ia_css_morph_table_allocate (lines 1384-1387)
  - sh_css_params.c: ia_css_dvs_stat_allocate (lines 4209-4214)
  - sh_css_param_dvs.c: ia_css_dvs_6axis_config_allocate (lines 52-79)
  - sh_css_param_shading.c: ia_css_shading_table_alloc (line 342)

Example fix for one location:

  -  dvs_config->xcoords_y = kvmalloc(width_y * height_y * sizeof(uint32_t),
  +  dvs_config->xcoords_y = kvmalloc(array3_size(width_y, height_y, sizeof(uint32_t)),
                                       GFP_KERNEL);

The full patch covering all 11 locations is larger than suitable for
email. I can send git format-patch output if preferred, or submit via
a merge request on the kernel gitlab.

Reported-by: Feng Ning <feng@innora.ai>
Signed-off-by: Feng Ning <feng@innora.ai>
---
 drivers/staging/media/atomisp/pci/sh_css_params.c       | 11 changes
 drivers/staging/media/atomisp/pci/sh_css_param_dvs.c    |  4 changes
 drivers/staging/media/atomisp/pci/sh_css_param_shading.c |  1 change

Best regards,
Feng Ning
Innora.ai Security Research

[-- Attachment #1.2: publickey - Jiqiang Feng - 0x7D1A285E.asc --]
[-- Type: application/pgp-keys, Size: 693 bytes --]

[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 322 bytes --]

Re: [PATCH] staging: media: atomisp: use array3_size() for overflow-safe allocation

[Greg KH]

On Thu, Apr 02, 2026 at 02:18:32AM +0000, Feng Ning wrote:
> Replace bare width * height * sizeof() multiplications with
> array3_size() to prevent integer overflow in buffer allocations.
> 
> The atomisp driver computes DVS and shading buffer sizes using
> unchecked u32 multiplication. When dimensions are large, the
> product wraps and kvmalloc allocates an undersized buffer.
> 
> Use array3_size() which returns SIZE_MAX on overflow, causing
> kvmalloc to fail safely instead of allocating too little memory.
> 
> Affected locations (11 instances across 3 files):
>   - sh_css_params.c: ia_css_dvs_6axis_config_allocate (lines 4482-4498)
>   - sh_css_params.c: ia_css_morph_table_allocate (lines 1384-1387)
>   - sh_css_params.c: ia_css_dvs_stat_allocate (lines 4209-4214)
>   - sh_css_param_dvs.c: ia_css_dvs_6axis_config_allocate (lines 52-79)
>   - sh_css_param_shading.c: ia_css_shading_table_alloc (line 342)
> 
> Example fix for one location:
> 
>   -  dvs_config->xcoords_y = kvmalloc(width_y * height_y * sizeof(uint32_t),
>   +  dvs_config->xcoords_y = kvmalloc(array3_size(width_y, height_y, sizeof(uint32_t)),
>                                        GFP_KERNEL);
> 
> The full patch covering all 11 locations is larger than suitable for
> email. I can send git format-patch output if preferred, or submit via
> a merge request on the kernel gitlab.

Email is how we accept patches.  Please do so that way, this is not
going to be a "huge" change at all.  Worst case, break it up and make it
a patch series.

thanks,

greg k-h