From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mail-yw1-f175.google.com (mail-yw1-f175.google.com [209.85.128.175]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id B03393C1F48 for ; Tue, 12 May 2026 13:07:32 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.128.175 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1778591254; cv=none; b=DrQzgSencklflSBWCrduoLNtZGaCxp+PAqguVYDEqOwqh4/JGOLbedmxR3KZolmuqThAbM4bhwecXL/elo5mV2ROMxVTIA9UmtdbvXDYFAz0I+olkpw4dMzmp/7stgBBr9VTDzY9JqWUE1Y0+JgsB6XJkzzbz3l83G4wTl2jKH4= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1778591254; c=relaxed/simple; bh=4olwjdhUJV9yQf5ckjVh6vmaJyDU534e4WimvLGZEd0=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=PC8Rg4OyIPbPgQK/mVFY6n5Eh2JOAMT6+iIGEz/JyLpc3uKzwjhbLOo81obRaiMknJ5ayRcerPq0z6TnoTAUXrbnqQEncUrZy1LYhukv8YqIOgsFS5wuH6ZaDTJBo3FXKp7/oXDo1RcwGGyYnoI4QcYThU7Sd5gaOgzOl8GUD4U= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=q4BrFZ6B; arc=none smtp.client-ip=209.85.128.175 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="q4BrFZ6B" Received: by mail-yw1-f175.google.com with SMTP id 00721157ae682-7c58e6eb2c8so5807827b3.1 for ; Tue, 12 May 2026 06:07:32 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20251104; t=1778591252; x=1779196052; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=dF+t9homXAdxJUbJz+MKrPNemeLBnB/WpmMKz7l6PWU=; b=q4BrFZ6Bq/LCPbof2IuGhWOTrhZn9jEIKA6ZldUBuBNtEKnJGhD7UGDjvD6zxxgR2h pHP6NhroLwoWFAriD/RFwcvtRBPxIOPUUtVdMnrkyakWVcFY73bONDeO5b8MewusCOK9 T3aKmuVOzqR6l2FuZw5w+EAzdWDFXKhvvyro0pL040igPaqS9svVY2Y6mHAGz7LOQpgR h4mOK/aZqpfxGyiRoxy9LDD5vjBXMO9SY8KQjlv7rfnfrbiIvIChmkKmWfQ90bPusb3g iduvcCTdAAGo8UHCCyZqsG5OlyDgj3N4Tf3ZYPe9zfRjqb0HxDiMaUF0fansE4w4BSLr QEFA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1778591252; x=1779196052; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-gg:x-gm-message-state:from :to:cc:subject:date:message-id:reply-to; bh=dF+t9homXAdxJUbJz+MKrPNemeLBnB/WpmMKz7l6PWU=; b=T1zuKzGo6RDlIzy2GrXcYemcQlSycXnhd+cU4Xm4vlxPXMnIcS8jIs+TviLVbmGqoD T7gMq2QaZxnk8s6Z125lIdB+tXpNh/F0IFxl2YLTts9U/IjFN1woHEYVxo6DHk4Wy0kR mcTuV+n88rTxkjxE6YGkGtXe6peb+InE8JBaaKVAXaQlwC+XZ2XJwg7zj9d+Vrykam8E xZTLwd0y/IghNkqCmqqFIkNnbd5p44EapmYI5ti0E2mAVf8fxykYDZWzSBzrN6tJBpuf PUDM1zo0Nw2f6wSG1vVGt81KR49ZSbPMRRaaTKn9tESEng4YT39SKeCEBA4XZ80axr7c 3gGg== X-Forwarded-Encrypted: i=1; AFNElJ9+mQkgL63HFkhE4F3Tcj6R79t+VjGqi2WDqjE6PkeHSj/vVEC6Vv1T061dXupg4dTfiWuv+25jPus7/Ls=@vger.kernel.org X-Gm-Message-State: AOJu0YyIh/HKeImFGXBrLLbawxtJBBNQ1Bfh/5dthYVTZVXXrHMvk1iH qYNnPt1g2D0+ld5lPzDXgdmY2U7l1tRVfcjp7R1sbD4fiTo+ZXNC3yPB X-Gm-Gg: Acq92OFwRIUrDLK3vvIza2plSSt3T7WG1JF2AtMXJpbydINlydNbm1bS9/R+BCoTUFt DbEcNHYqkNVttIykUjRnhMU+g06hdMWcxi466TcDaoYKSESDh6tzOO0qpbhV74AL8ZKouABj+n6 2g3ard42jgUZnXfTUkuW6WcBYiQcUxc8/HTCeThnpoQIl5IOSBS574lwtqsddpv4esRdbM4h3YY a7hzYrR7ivn6jfTJ+WPH1WHThy87Smp2Brn2g65HUXa41oCFrYH1g2bnPwL7yUr12ZGIrcwu7wA QXnfusx/Ad9aXJsJ5SCs6uDeQ6KVIMfLtyTWWi+8h1/a1uHQW/5rH1pZ40pj4ToiX0EKSkyhX5V HRnPWGQczljYRjjccVRibA3CP363geK38SAvx+mFrCZNJvrpkckdFipaydCDkVDqZEybFSyuQz1 FlulqgwK61sp3BN/gqTmj7P48q5PlbLzDU6Z3dg+Lw81Bwk0ecmSHJj8bO X-Received: by 2002:a05:690c:6612:b0:7bd:a4dc:c23b with SMTP id 00721157ae682-7c564141e00mr26031567b3.49.1778591251396; Tue, 12 May 2026 06:07:31 -0700 (PDT) Received: from localhost.localdomain ([186.151.100.108]) by smtp.gmail.com with ESMTPSA id 00721157ae682-7bd6686ead7sm167459037b3.39.2026.05.12.06.07.29 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 12 May 2026 06:07:30 -0700 (PDT) From: Sebastian Alba Vives To: yilun.xu@linux.intel.com, gregkh@linuxfoundation.org Cc: linux-fpga@vger.kernel.org, conor.dooley@microchip.com, mdf@kernel.org, linux-kernel@vger.kernel.org, stable@vger.kernel.org, Sebastian Alba Vives Subject: [PATCH v6 2/3] fpga: dfl-afu: validate DMA mapping length in afu_dma_map_region() Date: Tue, 12 May 2026 07:07:09 -0600 Message-ID: <20260512130710.933089-3-sebasjosue84@gmail.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20260512130710.933089-1-sebasjosue84@gmail.com> References: <20260512130710.933089-1-sebasjosue84@gmail.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit afu_ioctl_dma_map() accepts a 64-bit length from userspace via DFL_FPGA_PORT_DMA_MAP ioctl without an upper bound check. The value is passed to afu_dma_pin_pages() where npages is derived as length >> PAGE_SHIFT and passed to pin_user_pages_fast() which takes int nr_pages, causing implicit truncation if length is very large. Validate map.length at the ioctl entry point before calling afu_dma_map_region(), rejecting values whose page count exceeds INT_MAX. Signed-off-by: Sebastian Alba Vives --- Changes in v6: - Rebase onto linux-next. Add cover letter. Suggested by Xu Yilun. Changes in v3: - Move validation to afu_ioctl_dma_map() at the ioctl entry point. Suggested by Greg Kroah-Hartman. --- drivers/fpga/dfl-afu-main.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/fpga/dfl-afu-main.c b/drivers/fpga/dfl-afu-main.c index 3bf8e7338..097a97eee 100644 --- a/drivers/fpga/dfl-afu-main.c +++ b/drivers/fpga/dfl-afu-main.c @@ -723,6 +723,9 @@ afu_ioctl_dma_map(struct dfl_feature_dev_data *fdata, void __user *arg) if (map.argsz < minsz || map.flags) return -EINVAL; + if (map.length >> PAGE_SHIFT > (u64)INT_MAX) + return -EINVAL; + ret = afu_dma_map_region(fdata, map.user_addr, map.length, &map.iova); if (ret) return ret; -- 2.43.0