[lvc-project] [PATCH] RDMA/hns: Fix potential integer overflow in mhop hem cleanup
Junxian Huang
huangjunxian6 at hisilicon.com
Mon Jun 29 11:15:41 MSK 2026
On 2026/6/27 17:59, Danila Chernetsov wrote:
> In hns_roce_cleanup_mhop_hem_table(), the expression:
>
> obj = i * buf_chunk_size / table->obj_size;
>
> is evaluated using 32-bit unsigned arithmetic because
> 'buf_chunk_size' is u32 and the usual arithmetic conversions convert
> 'i' to unsigned int. The result is assigned to a u64 variable, but the
> multiplication may overflow before the assignment.
>
> For sufficiently large HEM tables, this produces an incorrect object
> index passed to hns_roce_table_mhop_put().
>
> Cast 'i' to u64 before the multiplication so that the intermediate
> calculation is performed with 64-bit arithmetic.
>
> Found by Linux Verification Center (linuxtesting.org) with SVACE.
>
> Fixes: a25d13cbe816 ("RDMA/hns: Add the interfaces to support multi hop addressing for the contexts in hip08")
> Signed-off-by: Danila Chernetsov <listdansp at mail.ru>
It's unlikely to have such a large hem table in practice,
but I'm fine with this patch.
Reviewed-by: Junxian Huang <huangjunxian6 at hisilicon.com>
Thanks,
Junxian
> ---
> drivers/infiniband/hw/hns/hns_roce_hem.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/infiniband/hw/hns/hns_roce_hem.c b/drivers/infiniband/hw/hns/hns_roce_hem.c
> index 7041a8e9134b..92edec4fa61b 100644
> --- a/drivers/infiniband/hw/hns/hns_roce_hem.c
> +++ b/drivers/infiniband/hw/hns/hns_roce_hem.c
> @@ -836,7 +836,7 @@ static void hns_roce_cleanup_mhop_hem_table(struct hns_roce_dev *hr_dev,
> mhop.bt_chunk_size;
>
> for (i = 0; i < table->num_hem; ++i) {
> - obj = i * buf_chunk_size / table->obj_size;
> + obj = (u64)i * buf_chunk_size / table->obj_size;
> if (table->hem[i])
> hns_roce_table_mhop_put(hr_dev, table, obj, 0);
> }
More information about the lvc-project
mailing list