From: Sebastian Alba Vives
To: yilun.xu@linux.intel.com, gregkh@linuxfoundation.org
Cc: linux-fpga@vger.kernel.org, conor.dooley@microchip.com, mdf@kernel.org, linux-kernel@vger.kernel.org, stable@vger.kernel.org, Sebastian Alba Vives
Subject: [PATCH v7 1/3] fpga: dfl: add bounds check in dfh_get_param_size()
Date: Mon, 18 May 2026 10:52:16 -0600
Message-ID: <20260518165218.35388-2-sebasjosue84@gmail.com>
In-Reply-To: <20260518165218.35388-1-sebasjosue84@gmail.com>
References: <20260518165218.35388-1-sebasjosue84@gmail.com>

dfh_get_param_size() can return a parameter size larger than the feature region because the loop bounds check is evaluated before incrementing size. If the EOP (End of Parameters) bit is set in the same iteration, the inflated size is returned without re-validation against max.

This can cause create_feature_instance() to call memcpy_fromio() with a size exceeding the ioremap'd region when a malicious FPGA device provides crafted DFHv1 parameter headers.

Add a bounds check after the size increment to ensure the accumulated size never exceeds the feature boundary.

Fixes: 4747ab89b4a6 ("fpga: dfl: add basic support for DFHv1")
Signed-off-by: Sebastian Alba Vives
---
Changes in v7:
- Correct the Fixes: tag commit hash (checkpatch). Reported by Xu Yilun.

Changes in v6:
- Rebase onto linux-next. Add cover letter. Suggested by Xu Yilun.

Changes in v5:
- Add blank line after the new bounds check. Suggested by Xu Yilun.

Changes in v2:
- Use (size > max) instead of (size + DFHv1_PARAM_HDR > max). Suggested by Xu Yilun.

--- drivers/fpga/dfl.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/fpga/dfl.c b/drivers/fpga/dfl.c index 4087a36a0..4c63c7c85 100644 --- a/drivers/fpga/dfl.c +++ b/drivers/fpga/dfl.c 
@@ -1132,6 +1132,8 @@ static int dfh_get_param_size(void __iomem *dfh_base,= resource_size_t max) return -EINVAL; =20 size +=3D next * sizeof(u64); + if (size > max) + return -EINVAL; =20 if (FIELD_GET(DFHv1_PARAM_HDR_NEXT_EOP, v)) return size; --=20 2.43.0

From: Sebastian Alba Vives
To: yilun.xu@linux.intel.com, gregkh@linuxfoundation.org
Cc: linux-fpga@vger.kernel.org, conor.dooley@microchip.com, mdf@kernel.org, linux-kernel@vger.kernel.org, stable@vger.kernel.org, Sebastian Alba Vives
Subject: [PATCH v7 2/3] fpga: dfl-afu: validate DMA mapping length in afu_dma_map_region()
Date: Mon, 18 May 2026 10:52:17 -0600
Message-ID: <20260518165218.35388-3-sebasjosue84@gmail.com>
In-Reply-To: <20260518165218.35388-1-sebasjosue84@gmail.com>
References: <20260518165218.35388-1-sebasjosue84@gmail.com>

afu_ioctl_dma_map() accepts a 64-bit length from userspace via DFL_FPGA_PORT_DMA_MAP ioctl without an upper bound check. The value is passed to afu_dma_pin_pages() where npages is derived as length >> PAGE_SHIFT and passed to pin_user_pages_fast() which takes int nr_pages, causing implicit truncation if length is very large.

Validate map.length at the ioctl entry point before calling afu_dma_map_region(), rejecting values whose page count exceeds INT_MAX.

Signed-off-by: Sebastian Alba Vives
---
Changes in v7:
- No changes.

Changes in v6:
- Rebase onto linux-next. Add cover letter. Suggested by Xu Yilun.

Changes in v3:
- Move validation to afu_ioctl_dma_map() at the ioctl entry point. Suggested by Greg Kroah-Hartman.

--- drivers/fpga/dfl-afu-main.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/fpga/dfl-afu-main.c b/drivers/fpga/dfl-afu-main.c index 3bf8e7338..097a97eee 100644 --- a/drivers/fpga/dfl-afu-main.c +++ b/drivers/fpga/dfl-afu-main.c 
@@ -723,6 +723,9 @@ afu_ioctl_dma_map(struct dfl_feature_dev_data *fdata, v= oid __user *arg) if (map.argsz < minsz || map.flags) return -EINVAL; =20 + if (map.length >> PAGE_SHIFT > (u64)INT_MAX) + return -EINVAL; + ret =3D afu_dma_map_region(fdata, map.user_addr, map.length, &map.iova); if (ret) return ret; --=20 2.43.0

From: Sebastian Alba Vives
To: yilun.xu@linux.intel.com, gregkh@linuxfoundation.org
Cc: linux-fpga@vger.kernel.org, conor.dooley@microchip.com, mdf@kernel.org, linux-kernel@vger.kernel.org, stable@vger.kernel.org, Sebastian Alba Vives
Subject: [PATCH v7 3/3] fpga: microchip-spi: fix zero header_size OOB read in mpf_ops_parse_header()
Date: Mon, 18 May 2026 10:52:18 -0600
Message-ID: <20260518165218.35388-4-sebasjosue84@gmail.com>
In-Reply-To: <20260518165218.35388-1-sebasjosue84@gmail.com>
References: <20260518165218.35388-1-sebasjosue84@gmail.com>

mpf_ops_parse_header() reads header_size from the bitstream at MPF_HEADER_SIZE_OFFSET (24). When header_size is zero, the expression *(buf + header_size - 1) reads one byte before the buffer start.

Since initial_header_size is set to 71 in mpf_ops, the fpga-mgr core guarantees the buffer is large enough to reach MPF_HEADER_SIZE_OFFSET. The only real gap is the zero header_size case, which cannot be resolved by providing a larger buffer, so return -EINVAL.

Fixes: 5f8d4a900830 ("fpga: microchip-spi: add Microchip MPF FPGA manager")
Cc: stable@vger.kernel.org
Signed-off-by: Sebastian Alba Vives
---
Changes in v7:
- Correct the Fixes: tag commit hash and wrap commit message at 75 columns (checkpatch).

Changes in v6:
- Rebase onto linux-next. Add cover letter. Suggested by Xu Yilun.

Changes in v5:
- Drop redundant count check since initial_header_size = 71 already guarantees the buffer covers MPF_HEADER_SIZE_OFFSET. Suggested by Xu Yilun.

--- drivers/fpga/microchip-spi.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/fpga/microchip-spi.c b/drivers/fpga/microchip-spi.c index 6134cea86..cc8f6d7bb 100644 --- a/drivers/fpga/microchip-spi.c +++ b/drivers/fpga/microchip-spi.c 
@@ -116,6 +116,9 @@ static int mpf_ops_parse_header(struct fpga_manager *mg= r, } =20 header_size =3D *(buf + MPF_HEADER_SIZE_OFFSET); + if (!header_size) + return -EINVAL; + if (header_size > count) { info->header_size =3D header_size; return -EAGAIN; --=20 2.43.0
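
Review bot: in the dfh_get_param_size() hunk of patch 1/3, the added "if (size > max) return -EINVAL;" bounds size only by a resource_size_t, while the function is declared "static int" and hands the value back through "return size;" two lines later, so the check does not by itself guarantee the result fits the return type if max can exceed INT_MAX. Worth confirming that callers cap max, or bounding size against INT_MAX here as well. A one-line comment on why the check is repeated after the increment (EOP can end the loop in the same iteration, as the commit message explains) would also keep it from being removed later as redundant.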
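
Review bot: in the afu_ioctl_dma_map() hunk of patch 2/3, the added condition "map.length >> PAGE_SHIFT > (u64)INT_MAX" relies on the shift binding tighter than the comparison and gives no hint in the code of why INT_MAX is the limit. Suggest parenthesising the shift and adding a short comment that the page count ends up in the int nr_pages argument of pin_user_pages_fast(), which the commit message states but the code does not. Unlike patches 1/3 and 3/3, this commit message carries no Fixes: tag although the series is copied to stable@vger.kernel.org.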
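
Review bot: in the mpf_ops_parse_header() hunk of patch 3/3, the added "if (!header_size)" rejects only zero, yet header_size is itself read from offset MPF_HEADER_SIZE_OFFSET, so any value at or below that offset describes a header too short to contain its own size field. Consider rejecting header_size <= MPF_HEADER_SIZE_OFFSET here, or say in a comment why small non-zero values are acceptable. The read at buf + MPF_HEADER_SIZE_OFFSET just above the new check also depends on the initial_header_size guarantee described in the commit message; a comment stating that invariant next to the read would make it visible in the code.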