From: Feng Ning <feng@innora.ai>
To: linux-media@vger.kernel.org
Cc: hansg@kernel.org, mchehab@kernel.org,
sakari.ailus@linux.intel.com, gregkh@linuxfoundation.org
Subject: [PATCH] staging: media: atomisp: use array3_size() for overflow-safe allocation
Date: Thu, 02 Apr 2026 02:18:32 +0000
Message-ID: <ac3R8_qf4qivmGc2@ans-MacBook-Pro.local>

Replace bare width * height * sizeof() multiplications with
array3_size() to prevent integer overflow in buffer allocations.

The atomisp driver computes DVS and shading buffer sizes using
unchecked u32 multiplication. When dimensions are large, the
product wraps and kvmalloc allocates an undersized buffer.

Use array3_size() which returns SIZE_MAX on overflow, causing
kvmalloc to fail safely instead of allocating too little memory.

Affected locations (11 instances across 3 files):
- sh_css_params.c: ia_css_dvs_6axis_config_allocate (lines 4482-4498)
- sh_css_params.c: ia_css_morph_table_allocate (lines 1384-1387)
- sh_css_params.c: ia_css_dvs_stat_allocate (lines 4209-4214)
- sh_css_param_dvs.c: ia_css_dvs_6axis_config_allocate (lines 52-79)
- sh_css_param_shading.c: ia_css_shading_table_alloc (line 342)

Example fix for one location:

- dvs_config->xcoords_y = kvmalloc(width_y * height_y * sizeof(uint32_t),
+ dvs_config->xcoords_y = kvmalloc(array3_size(width_y, height_y, sizeof(uint32_t)),
GFP_KERNEL);
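
Review bot: in the `+` line, `sizeof(uint32_t)` hard-codes the element type; `sizeof(*dvs_config->xcoords_y)` would keep the size tied to the pointer being assigned. The allocation only fails safely if the return value of `kvmalloc()` is checked before `xcoords_y` is used, and that check is not visible in this excerpt, so it needs confirming in the full patch. As posted, the fragment has no file header or `@@` context and cannot be applied or compared against the tree, and the diffstat that follows lists 11 + 4 + 1 changes while the message names 11 instances.
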
The full patch covering all 11 locations is larger than suitable for
email. I can send git format-patch output if preferred, or submit via
a merge request on the kernel gitlab.
Reported-by: Feng Ning <feng@innora.ai>
Signed-off-by: Feng Ning <feng@innora.ai>
---
drivers/staging/media/atomisp/pci/sh_css_params.c | 11 changes
drivers/staging/media/atomisp/pci/sh_css_param_dvs.c | 4 changes
drivers/staging/media/atomisp/pci/sh_css_param_shading.c | 1 change
Best regards,
Feng Ning
Innora.ai Security Research
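
The arithmetic the commit message describes, as an added example that is not part of the original message or of the atomisp driver: a userspace model showing the u32 product wrapping before it reaches the allocator, next to a saturating three-way multiply. `bare_size()` and `model_array3_size()` are hypothetical names, the dimensions are constructed, and `__builtin_mul_overflow` assumes GCC or Clang.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Pre-patch pattern: width * height is evaluated in 32 bits and wraps
 * before the result is widened to size_t for the allocator. */
static size_t bare_size(uint32_t width, uint32_t height)
{
	uint32_t cells = width * height;	/* wraps modulo 2^32 */

	return (size_t)cells * sizeof(uint32_t);
}

/* Userspace model of a saturating three-way multiply (hypothetical name):
 * every factor is a size_t and any overflow yields SIZE_MAX. */
static size_t model_array3_size(size_t a, size_t b, size_t c)
{
	size_t bytes;

	if (__builtin_mul_overflow(a, b, &bytes) ||
	    __builtin_mul_overflow(bytes, c, &bytes))
		return SIZE_MAX;
	return bytes;
}

int main(void)
{
	/* Constructed dimensions: one ordinary grid, one that wraps in u32. */
	static const uint32_t dims[][2] = { { 64, 48 }, { 65536, 65537 } };

	for (size_t i = 0; i < sizeof(dims) / sizeof(dims[0]); i++) {
		uint32_t w = dims[i][0], h = dims[i][1];

		printf("%ux%u: bare=%zu checked=%zu\n", (unsigned)w, (unsigned)h,
		       bare_size(w, h), model_array3_size(w, h, sizeof(uint32_t)));
	}
	printf("saturated=%d\n",
	       model_array3_size(SIZE_MAX / 2, 3, sizeof(uint32_t)) == SIZE_MAX);
	return 0;
}
```

Where `size_t` is 64 bits, the checked result for 65536 x 65537 is the true byte count rather than `SIZE_MAX`, because the factors are widened before they are multiplied; the bare form asks for 262144 bytes in both cases.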