From a905dcf820cb7d4fbe423fa283694cfcacc808bc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marcin=20Wcis=C5=82o?= <marcin.wcislo@conclusive.pl>
Date: Sun, 29 Jun 2025 23:14:16 +0200
Subject: [PATCH] udmabuf: fix a buf size overflow issue during udmabuf
 creation
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

jira VULN-67674
cve CVE-2025-37803
commit-author Xiaogang Chen <xiaogang.chen@amd.com>
commit 021ba7f1babd029e714d13a6bf2571b08af96d0f

by casting size_limit_mb to u64  when calculate pglimit.

	Signed-off-by: Xiaogang Chen<Xiaogang.Chen@amd.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20250321164126.329638-1-xiaogang.chen@amd.com
	Signed-off-by: Christian König <christian.koenig@amd.com>
(cherry picked from commit 021ba7f1babd029e714d13a6bf2571b08af96d0f)
	Signed-off-by: Marcin Wcisło <marcin.wcislo@conclusive.pl>
---
 drivers/dma-buf/udmabuf.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/dma-buf/udmabuf.c b/drivers/dma-buf/udmabuf.c
index c406459996489..c2a11222bc7c0 100644
--- a/drivers/dma-buf/udmabuf.c
+++ b/drivers/dma-buf/udmabuf.c
@@ -212,7 +212,7 @@ static long udmabuf_create(struct miscdevice *device,
 	if (!ubuf)
 		return -ENOMEM;
 
-	pglimit = (size_limit_mb * 1024 * 1024) >> PAGE_SHIFT;
+	pglimit = ((u64)size_limit_mb * 1024 * 1024) >> PAGE_SHIFT;
 	for (i = 0; i < head->count; i++) {
 		if (!IS_ALIGNED(list[i].offset, PAGE_SIZE))
 			goto err;