From: Alex Mastro
Date: Tue, 25 Nov 2025 17:11:18 -0800
Subject: [PATCH] dma-buf: fix integer overflow in fill_sg_entry() for buffers >= 8GiB
X-Mailing-List: linux-kernel@vger.kernel.org
Message-ID: <20251125-dma-buf-overflow-v1-1-b70ea1e6c4ba@fb.com>
To: Sumit Semwal, Christian König, Alex Williamson
CC: Leon Romanovsky, Jason Gunthorpe, Kevin Tian, Nicolin Chen, Ankit Agrawal, Alex Mastro
X-Mailer: b4 0.14.3

fill_sg_entry() splits large DMA buffers into multiple scatter-gather entries,
each holding up to UINT_MAX bytes. When calculating the DMA address for
entries beyond the second one, the expression (i * UINT_MAX) causes integer
overflow due to 32-bit arithmetic. This manifests when the input arg length
>= 8 GiB results in looping for i >= 2.

Fix by casting i to dma_addr_t before multiplication.

Fixes: 3aa31a8bb11e ("dma-buf: provide phys_vec to scatter-gather mapping routine")
Signed-off-by: Alex Mastro
Reviewed-by: Jason Gunthorpe
Reviewed-by: Leon Romanovsky
---
More color about how I discovered this in [1] for the commit at [2]:

[1] https://lore.kernel.org/all/aSZHO6otK0Heh+Qj@devgpu015.cco6.facebook.com
[2] https://lore.kernel.org/all/20251120-dmabuf-vfio-v9-6-d7f71607f371@nvidia.com
---
 drivers/dma-buf/dma-buf-mapping.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/dma-buf/dma-buf-mapping.c b/drivers/dma-buf/dma-buf-mapping.c
index b4819811a64a..b7352e609fbd 100644
--- a/drivers/dma-buf/dma-buf-mapping.c
+++ b/drivers/dma-buf/dma-buf-mapping.c
@@ -24,7 +24,7 @@ static struct scatterlist *fill_sg_entry(struct scatterlist *sgl, size_t length,
 		 * does not require the CPU list for mapping or unmapping.
 		 */
 		sg_set_page(sgl, NULL, 0, 0);
-		sg_dma_address(sgl) = addr + i * UINT_MAX;
+		sg_dma_address(sgl) = addr + (dma_addr_t)i * UINT_MAX;
 		sg_dma_len(sgl) = len;
 		sgl = sg_next(sgl);
 	}

---
base-commit: 5415d887db0e059920cb5673a32cc4d66daa280f
change-id: 20251125-dma-buf-overflow-e3253f108e36

Best regards,
-- 
Alex Mastro
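Review bot: the cast in the `+` line is sufficient only because `dma_addr_t` is wider than `unsigned int` on the configurations that can reach i >= 2, and the declaration of `i` is outside the hunk, so the commit message would be clearer if it named the type of `i` and pointed out that `UINT_MAX` is itself an `unsigned int`, which is why `i * UINT_MAX` wraps before it is ever added to `addr`. If `addr` is not needed after the loop, an alternative that does not depend on operand widths at all is to advance it per iteration, e.g. `sg_dma_address(sgl) = addr;` followed by `addr += UINT_MAX;` after `sg_dma_len(sgl) = len;`, which removes the multiplication entirely.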
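To make the overflow the commit message describes concrete, here is an added example (not the kernel's code and not part of this email) that models the splitting loop of fill_sg_entry() under two assumptions, a 64-bit `dma_addr_t` and an `unsigned int` loop index, computes each entry's address with the pre-patch and the patched expression, and checks that consecutive entries stay contiguous:

```c
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

typedef uint64_t dma_addr_t; /* assumed: 64-bit dma_addr_t, as on the affected configs */

struct sg_entry {
	dma_addr_t dma_address;
	unsigned int dma_len; /* like sg_dma_len(): at most UINT_MAX bytes per entry */
};

/*
 * Split [addr, addr + length) into entries of at most UINT_MAX bytes the way
 * fill_sg_entry() does. fixed == false uses the pre-patch expression i * UINT_MAX
 * (32-bit unsigned arithmetic, assuming i is an unsigned int); fixed == true uses
 * the patched (dma_addr_t)i * UINT_MAX. Returns the number of entries written.
 */
static size_t fill_entries(dma_addr_t addr, size_t length, bool fixed,
			   struct sg_entry *out, size_t max_entries)
{
	size_t nents = length / UINT_MAX + (length % UINT_MAX != 0);
	unsigned int i;

	for (i = 0; i < nents && i < max_entries; i++) {
		size_t remaining = length - (size_t)i * UINT_MAX;
		out[i].dma_len = remaining > UINT_MAX ? UINT_MAX : (unsigned int)remaining;
		if (fixed)
			out[i].dma_address = addr + (dma_addr_t)i * UINT_MAX;
		else
			out[i].dma_address = addr + i * UINT_MAX; /* wraps once i >= 2 */
	}
	return i;
}

/* True when every entry starts exactly where the previous one ends. */
static bool entries_contiguous(const struct sg_entry *e, size_t n)
{
	for (size_t i = 1; i < n; i++)
		if (e[i].dma_address != e[i - 1].dma_address + e[i - 1].dma_len)
			return false;
	return true;
}

int main(void)
{
	struct sg_entry e[4]; /* 8 GiB needs three entries: UINT_MAX, UINT_MAX, 2 */
	size_t n = fill_entries(0x100000000ULL, (size_t)1 << 33, false, e, 4);
	printf("pre-patch: contiguous=%d entry[2]=%#llx\n", entries_contiguous(e, n), (unsigned long long)e[2].dma_address);
	return 0;
}
```

Pass `true` instead of `false` to see the patched expression place the third entry at `addr + 2 * UINT_MAX`; a 4 GiB buffer only reaches i == 1 and is laid out identically by both expressions.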