The patch titled Subject: drivers/virt/fsl_hypervisor.c: prevent integer overflow in ioctl has been removed from the -mm tree. Its filename was fsl_hypervisor-prevent-integer-overflow-in-ioctl.patch

This patch was dropped because it was merged into mainline or a subsystem tree

------------------------------------------------------ From: Dan Carpenter dan.carpenter@oracle.com Subject: drivers/virt/fsl_hypervisor.c: prevent integer overflow in ioctl

The "param.count" value is a u64 thatcomes from the user. The code later in the function assumes that param.count is at least one and if it's not then it leads to an Oops when we dereference the ZERO_SIZE_PTR.

Also the addition can have an integer overflow which would lead us to allocate a smaller "pages" array than required. I can't immediately tell what the possible run times implications are, but it's safest to prevent the overflow.

Link: http://lkml.kernel.org/r/20181218082129.GE32567@kadam Fixes: 6db7199407ca ("drivers/virt: introduce Freescale hypervisor management driver") Signed-off-by: Dan Carpenter dan.carpenter@oracle.com Reviewed-by: Andrew Morton akpm@linux-foundation.org Cc: Timur Tabi timur@freescale.com Cc: Mihai Caraman mihai.caraman@freescale.com Cc: Kumar Gala galak@kernel.crashing.org Cc: stable@vger.kernel.org Signed-off-by: Andrew Morton akpm@linux-foundation.org ---

drivers/virt/fsl_hypervisor.c | 3 +++ 1 file changed, 3 insertions(+)

--- a/drivers/virt/fsl_hypervisor.c~fsl_hypervisor-prevent-integer-overflow-in-ioctl +++ a/drivers/virt/fsl_hypervisor.c @@ -215,6 +215,9 @@ static long ioctl_memcpy(struct fsl_hv_i * hypervisor. */ lb_offset = param.local_vaddr & (PAGE_SIZE - 1); + if (param.count == 0 || + param.count > U64_MAX - lb_offset - PAGE_SIZE + 1) + return -EINVAL; num_pages = (param.count + lb_offset + PAGE_SIZE - 1) >> PAGE_SHIFT;

/* Allocate the buffers we need */ _

Patches currently in -mm which might be from dan.carpenter@oracle.com are