[PATCH] RDMA/hns: Fix arithmetic overflow in calc_hem_config()

Alexander.Chesnokov@kaspersky.com posted 1 patch 2 months ago
drivers/infiniband/hw/hns/hns_roce_hem.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
[PATCH] RDMA/hns: Fix arithmetic overflow in calc_hem_config()
Posted by Alexander.Chesnokov@kaspersky.com 2 months ago
From: Alexander Chesnokov <Alexander.Chesnokov@kaspersky.com>

If bt_num is 3 or 2, then the expressions like
l0_idx * chunk_ba_num + l1_idx are computed in 32-bit
arithmetic before being assigned to a u64 index field,
which can lead to overflow.

Cast the first operand to u64 to ensure the arithmetic
is performed in 64-bit.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Fixes: 2f49de21f3e9 ("RDMA/hns: Optimize mhop get flow for multi-hop addressing")
Cc: stable@vger.kernel.org
Signed-off-by: Alexander Chesnokov <Alexander.Chesnokov@kaspersky.com>
---
 drivers/infiniband/hw/hns/hns_roce_hem.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/drivers/infiniband/hw/hns/hns_roce_hem.c b/drivers/infiniband/hw/hns/hns_roce_hem.c
index 173ab794fa78..862acdf59867 100644
--- a/drivers/infiniband/hw/hns/hns_roce_hem.c
+++ b/drivers/infiniband/hw/hns/hns_roce_hem.c
@@ -355,14 +355,14 @@ static int calc_hem_config(struct hns_roce_dev *hr_dev,
 	bt_num = hns_roce_get_bt_num(table->type, mhop->hop_num);
 	switch (bt_num) {
 	case 3:
-		index->l1 = l0_idx * chunk_ba_num + l1_idx;
+		index->l1 = (u64)l0_idx * chunk_ba_num + l1_idx;
 		index->l0 = l0_idx;
-		index->buf = l0_idx * chunk_ba_num * chunk_ba_num +
-			     l1_idx * chunk_ba_num + l2_idx;
+		index->buf = (u64)l0_idx * chunk_ba_num * chunk_ba_num +
+					 (u64)l1_idx * chunk_ba_num + l2_idx;
 		break;
 	case 2:
 		index->l0 = l0_idx;
-		index->buf = l0_idx * chunk_ba_num + l1_idx;
+		index->buf = (u64)l0_idx * chunk_ba_num + l1_idx;
 		break;
 	case 1:
 		index->buf = l0_idx;
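Review bot: In case 3, the continuation line of the index->buf assignment is now indented with five tabs and a space, so "(u64)l1_idx * chunk_ba_num + l2_idx;" no longer lines up under the first operand after "index->buf = " the way the removed line did. Restore the original alignment (three tabs plus spaces) so the change stays limited to the casts. The commit message says only the first operand is cast, but this hunk also casts l1_idx in the second product. That second cast is needed because each product is evaluated on its own before the addition, and the message could say so. Since the same cast is repeated in four places, and the declarations of l0_idx, l1_idx and chunk_ba_num are not visible in this hunk, consider whether widening the locals where they are declared would be simpler than casting at each use.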
-- 
2.43.0
Re: [PATCH] RDMA/hns: Fix arithmetic overflow in calc_hem_config()
Posted by Leon Romanovsky 1 month ago
On Mon, 13 Apr 2026 12:14:43 +0300, Alexander.Chesnokov@kaspersky.com wrote:
> If bt_num is 3 or 2, then the expressions like
> l0_idx * chunk_ba_num + l1_idx are computed in 32-bit
> arithmetic before being assigned to a u64 index field,
> which can lead to overflow.
> 
> Cast the first operand to u64 to ensure the arithmetic
> is performed in 64-bit.
> 
> [...]

Applied, thanks!

[1/1] RDMA/hns: Fix arithmetic overflow in calc_hem_config()
      https://git.kernel.org/rdma/rdma/c/784e12a8c45571

Best regards,
-- 
Leon Romanovsky <leon@kernel.org>