Re: [PATCH] hash: fix overflow of 32-bit offsets

[Bruce Richardson <bruce.richardson@intel.com>]

On Fri, Feb 20, 2026 at 04:09:14PM +0100, Morten Brørup wrote:
> > From: Bruce Richardson [mailto:bruce.richardson@intel.com]
> > Sent: Friday, 20 February 2026 15.40
> > 
> > When computing the offset inside the overall hash structure by adding
> > an
> > offset to a base pointer, the offset was generally calculated by
> > multiplying two 32-bit values, which could then overflow. Prevent
> > overflow by using (uintptr_t) casts on the elements being multiplied to
> > ensure they are 64-bit on 64-bit systems.
> > 
> > Fixes: b26473ff8f4a ("hash: add reset function")
> > Fixes: 406da3dfb3b5 ("hash: move duplicated code into functions")
> > Fixes: 9eca8bd7a61c ("hash: separate lock-free and r/w lock lookup")
> > Fixes: 4d9ca3ed2133 ("hash: use ordered loads only if signature
> > matches")
> > Fixes: 769b2de7fb52 ("hash: implement RCU resources reclamation")
> > Fixes: e605a1d36ca7 ("hash: add lock-free r/w concurrency")
> > Fixes: 6dc34e0afe7a ("hash: retrieve a key given its position")
> > Fixes: f9edbc9bb6bc ("hash: add iterate function")
> > Fixes: 75706568a7eb ("hash: add extendable bucket feature")
> > Cc: stable@dpdk.org
> > 
> > Signed-off-by: Bruce Richardson <bruce.richardson@intel.com>
> > ---
> >  lib/hash/rte_cuckoo_hash.c | 36 ++++++++++++++++++------------------
> >  1 file changed, 18 insertions(+), 18 deletions(-)
> > 
> > diff --git a/lib/hash/rte_cuckoo_hash.c b/lib/hash/rte_cuckoo_hash.c
> > index da12825c6e..f2478d5286 100644
> > --- a/lib/hash/rte_cuckoo_hash.c
> > +++ b/lib/hash/rte_cuckoo_hash.c
> > @@ -705,7 +705,7 @@ rte_hash_reset(struct rte_hash *h)
> >  	}
> > 
> >  	memset(h->buckets, 0, h->num_buckets * sizeof(struct
> > rte_hash_bucket));
> > -	memset(h->key_store, 0, h->key_entry_size * (h->entries + 1));
> > +	memset(h->key_store, 0, (size_t)h->key_entry_size * (h->entries +
> > 1));
> 
> Agree.
> 
> >  	*h->tbl_chng_cnt = 0;
> > 
> >  	/* reset the free ring */
> > @@ -774,7 +774,7 @@ search_and_update(const struct rte_hash *h, void
> > *data, const void *key,
> >  	for (i = 0; i < RTE_HASH_BUCKET_ENTRIES; i++) {
> >  		if (bkt->sig_current[i] == sig) {
> >  			k = (struct rte_hash_key *) ((char *)keys +
> > -					bkt->key_idx[i] * h->key_entry_size);
> > +					(uintptr_t)bkt->key_idx[i] * h-
> > >key_entry_size);
> 
> The fix is technically correct.
> However, for source code readability purposes:
> 
> Please don't cast bkt->key_idx[i] (and similar below) to uintptr_t; it's not a pointer type.
> It might be reasonable casting it to ptrdiff_t, but I'm not sure about that.
> 
> The natural type for h->key_entry_size is size_t; it's only smaller to save memory or something.
> So, please cast the type that naturally would be wider, i.e. use: (size_t)h->key_entry_size
> 
> PS: If you change the casting as suggested, remember to update the patch description accordingly.
> 
> With or without above suggestion for readability,
> Acked-by: Morten Brørup <mb@smartsharesystems.com>
>
Ok to use size_t instead. Let me respin.

/Bruce