[lvc-project] [PATCH] RDMA/irdma: Prevent overflows in memory contiguity checks

Fedor Pchelkin pchelkin at ispras.ru
Sat Jun 27 12:59:30 MSK 2026


On Wed, 24. Jun 17:48, Aleksandrova Alyona wrote:
> irdma_check_mem_contiguous() and irdma_check_mr_contiguous() verify that
> PBL entries describe physically contiguous memory ranges.

Кстати, заметил, что исправления уже есть в lvc-ветках.  Ивану должно было
прийти уведомление (почти год назад).

Вот с linux-5.10-lvc ветки

commit 0d4aa3c8e0b4dc4ca7db6481722a8a14c818ef53
Author: Ivan Stepchenko <sid at itb.spb.ru>
Date:   Thu Aug 21 17:04:21 2025 +0300

    RDMA/i40iw: avoid 32-bit overflow in i40iw_check_mr_contiguous
    
    The result of i * pg_size * PBLE_PER_PAGE is computed in 32-bit and wraps
    once the total offset reaches 4 GiB (e.g. 2 MiB pages at i == 2048). The
    wrapped value is then widened to u64, which can cause a false negative:
    a physically contiguous MR may be incorrectly reported as non-contiguous.
    
    Found by Linux Verification Center (linuxtesting.org) with SVACE.
    
    Fixes: b6a529da69ce ("i40iw: Utilize physically mapped memory regions")
    Signed-off-by: Ivan Stepchenko <sid at itb.spb.ru>
    Signed-off-by: Fedor Pchelkin <pchelkin at ispras.ru>

commit 919735bba5f3bc071bb8efa55fcb9b67f2175591
Author: Ivan Stepchenko <sid at itb.spb.ru>
Date:   Thu Aug 21 17:04:20 2025 +0300

    RDMA/i40iw: Fix 32-bit overflow in i40iw_check_mem_contiguous()
    
    pg_size and pg_idx are u32, so pg_size * pg_idx is computed in 32-bit
    and wraps once the total offset reaches 4 GiB (e.g. 2 MiB pages at
    pg_idx == 2048). The wrapped offset is then widened to u64, producing
    a false negative: contiguous PBL entries are incorrectly reported
    as non-contiguous.
    
    Found by Linux Verification Center (linuxtesting.org) with SVACE.
    
    Fixes: b6a529da69ce ("i40iw: Utilize physically mapped memory regions")
    Signed-off-by: Ivan Stepchenko <sid at itb.spb.ru>
    Signed-off-by: Fedor Pchelkin <pchelkin at ispras.ru>


Для отражения в свейсере и формального закрытия задачи необходимо написать
комментарий согласно
https://gitlab.linuxtesting.ru/lvc/guides/-/blob/master/lvc_kernel/lvc_patch_dev.md#отправка-исправлений-в-ветки-поддерживаемые-технологическим-центром



More information about the lvc-project mailing list