From: Sebastian Alba Vives
To: yilun.xu@linux.intel.com, gregkh@linuxfoundation.org
Cc: linux-fpga@vger.kernel.org, conor.dooley@microchip.com, mdf@kernel.org, linux-kernel@vger.kernel.org, stable@vger.kernel.org, Sebastian Alba Vives
Subject: [PATCH v5 2/3] fpga: dfl-afu: validate DMA mapping length in afu_dma_map_region()
Date: Mon, 4 May 2026 06:13:31 -0600
Message-ID: <20260504121332.1053563-2-sebasjosue84@gmail.com>
In-Reply-To: <20260504121332.1053563-1-sebasjosue84@gmail.com>
References: <20260504121332.1053563-1-sebasjosue84@gmail.com>

afu_ioctl_dma_map() accepts a 64-bit length from userspace via
DFL_FPGA_PORT_DMA_MAP ioctl without an upper bound check. The value is
passed to afu_dma_pin_pages() where npages is derived as
length >> PAGE_SHIFT and passed to pin_user_pages_fast() which takes
int nr_pages, causing implicit truncation if length is very large.

Validate map.length at the ioctl entry point before calling
afu_dma_map_region(), rejecting values whose page count exceeds INT_MAX.

Signed-off-by: Sebastian Alba Vives --- Changes in v5: - Resubmit as full series with v5 corrections to patches 1/3 and 3/3. No changes to this patch. Changes in v4: - Resubmit as full series per maintainer request. Changes in v3: - Move validation to afu_ioctl_dma_map() at the ioctl entry point, before crossing the userspace/kernel boundary, instead of deep in afu_dma_pin_pages(). Suggested by Greg Kroah-Hartman. Changes in v2: - Added cap at INT_MAX in afu_dma_pin_pages() (superseded by v3). --- drivers/fpga/dfl-afu-main.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/fpga/dfl-afu-main.c b/drivers/fpga/dfl-afu-main.c index 3bf8e73..097a97e 100644 --- a/drivers/fpga/dfl-afu-main.c +++ b/drivers/fpga/dfl-afu-main.c @@ -723,6 +723,9 @@ afu_ioctl_dma_map(struct dfl_feature_dev_data *fdata, void __user *arg) if (map.argsz < minsz || map.flags) return -EINVAL; + if (map.length >> PAGE_SHIFT > (u64)INT_MAX) + return -EINVAL; + ret = afu_dma_map_region(fdata, map.user_addr, map.length, &map.iova); if (ret) return ret; -- 2.43.0
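Review bot: The added check in afu_ioctl_dma_map(), "if (map.length >> PAGE_SHIFT > (u64)INT_MAX)", carries no comment explaining why INT_MAX is the bound. A one-line comment saying that the page count later reaches pin_user_pages_fast() as an int would keep the limit from looking arbitrary, and writing the condition as "(map.length >> PAGE_SHIFT) > (u64)INT_MAX" makes the precedence explicit for readers. The subject line still names afu_dma_map_region() although, per the v3 changelog and the hunk header, the validation now sits in afu_ioctl_dma_map(); the subject should name the function that actually changed. With stable@vger.kernel.org on Cc, the trailer block shows only Signed-off-by, so a Fixes: tag identifying the commit that introduced the unchecked length would tell stable maintainers how far back to apply it.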