diff --git a/io_uring/io_uring.c b/io_uring/io_uring.c
index 3a1eee5bac77c75fdeb20c5b1f6b67bd83ebe983..d0cf3d6153fde11e4461a0db25f9bf3d3a21fdb1 100644
--- a/io_uring/io_uring.c
+++ b/io_uring/io_uring.c
@@ -8891,7 +8891,7 @@ static int io_sqe_buffer_register(struct io_ring_ctx *ctx, struct iovec *iov,
 struct io_mapped_ubuf *imu = NULL;
 struct vm_area_struct **vmas = NULL;
 struct page **pages = NULL;
- unsigned long off, start, end, ubuf;
+ unsigned long off, start, end, ubuf, len;
 size_t size;
 int ret, pret, nr_pages, i;
@@ -8901,7 +8901,13 @@ static int io_sqe_buffer_register(struct io_ring_ctx *ctx, struct iovec *iov,
 }
 ubuf = (unsigned long) iov->iov_base;
- end = (ubuf + iov->iov_len + PAGE_SIZE - 1) >> PAGE_SHIFT;
+ len = (unsigned long) iov->iov_len;
+ if (check_add_overflow(ubuf, len, &end))
+ return -EOVERFLOW;
+ if (check_add_overflow(end, PAGE_SIZE - 1, &end))
+ return -EOVERFLOW;
+
+ end = end >> PAGE_SHIFT;
 start = ubuf >> PAGE_SHIFT;
 nr_pages = end - start;
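Review bot: The page count on the last line of the second hunk is still narrowed from `unsigned long` to `int`: `nr_pages = end - start;` assigns into the `int nr_pages` visible in the first hunk's context, and the two new `check_add_overflow()` calls reject only wraparound of the byte address, not a length whose page count exceeds `INT_MAX`. If an upper bound on `iov->iov_len` is not enforced before this function is reached (not visible in these hunks), a guard such as `if (end - start > INT_MAX) return -EOVERFLOW;` placed after `start` is computed would close that gap. Because `end` now holds a byte address first and a page index after the shift, a short comment like `/* end is a byte address until the shift below */` would make the reuse easier to audit. The body of io_sqe_buffer_register starts and ends outside both hunks.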