* [PATCH v2] fpga: afu: fix potential integer overflow
@ 2025-08-07 7:36 xiehongyu1
0 siblings, 0 replies; only message in thread
From: xiehongyu1 @ 2025-08-07 7:36 UTC (permalink / raw)
To: yilun.xu; +Cc: trix, linux-kernel, linux-fpga, mdf, Hongyu Xie
From: Hongyu Xie <xiehongyu1@kylinos.cn>
Without context, There are two overflow scenarios:
1, region->offset + region->size Overflow:
When region->offset is close to U64_MAX and region->size is
sufficiently large, the addition result may wrap around to a
very small value (e.g., 0 or near 0).
In this case, even if the target range [offset, offset+size)
falls within the region, the condition region->offset +
region->size >= offset + size will fail due to the wrapped
value being small. This causes the function to erroneously
return -EINVAL.
2, offset + size overflow:
When offset is close to U64_MAX and size is large, offset +
size wraps around to a small value.
Here, region->offset + region->size (which would be a large
value if not overflowing) might incorrectly satisfy
region->offset + region->size >= offset + size due to the
wrapped small value. This leads to a false match, even though
the actual range [offset, offset+size) spans the wrap-around
boundary and does not belong to this region.
Assume region->offset and region->size had been properly
initialized at the very beginning. And fix the second scenario.
Signed-off-by: Hongyu Xie <xiehongyu1@kylinos.cn>
---
v1->v2: check sum before for loop
drivers/fpga/dfl-afu-region.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/drivers/fpga/dfl-afu-region.c b/drivers/fpga/dfl-afu-region.c
index b11a5b21e666..517a59a9410a 100644
--- a/drivers/fpga/dfl-afu-region.c
+++ b/drivers/fpga/dfl-afu-region.c
@@ -151,13 +151,20 @@ int afu_mmio_region_get_by_offset(struct dfl_feature_dev_data *fdata,
{
struct dfl_afu_mmio_region *region;
struct dfl_afu *afu;
+ u64 sum = 0;
int ret = 0;
mutex_lock(&fdata->lock);
+
+ if (check_add_overflow(offset, size, &sum)) {
+ ret = -EINVAL;
+ goto exit;
+ }
+
afu = dfl_fpga_fdata_get_private(fdata);
for_each_region(region, afu)
if (region->offset <= offset &&
- region->offset + region->size >= offset + size) {
+ region->offset + region->size >= sum) {
*pregion = *region;
goto exit;
}
--
2.25.1
^ permalink raw reply related [flat|nested] only message in thread
only message in thread, other threads:[~2025-08-07 7:36 UTC | newest]
Thread overview: (only message) (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2025-08-07 7:36 [PATCH v2] fpga: afu: fix potential integer overflow xiehongyu1
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).