[lvc-project] [PATCH] RDMA/hns: Fix potential integer overflow in mhop hem cleanup

Junxian Huang huangjunxian6 at hisilicon.com
Mon Jun 29 11:15:41 MSK 2026



On 2026/6/27 17:59, Danila Chernetsov wrote:
> In hns_roce_cleanup_mhop_hem_table(), the expression:
> 
>     obj = i * buf_chunk_size / table->obj_size;
> 
> is evaluated using 32-bit unsigned arithmetic because
> 'buf_chunk_size' is u32 and the usual arithmetic conversions convert
> 'i' to unsigned int. The result is assigned to a u64 variable, but the
> multiplication may overflow before the assignment.
> 
> For sufficiently large HEM tables, this produces an incorrect object
> index passed to hns_roce_table_mhop_put().
> 
> Cast 'i' to u64 before the multiplication so that the intermediate
> calculation is performed with 64-bit arithmetic.
> 
> Found by Linux Verification Center (linuxtesting.org) with SVACE.
> 
> Fixes: a25d13cbe816 ("RDMA/hns: Add the interfaces to support multi hop addressing for the contexts in hip08")
> Signed-off-by: Danila Chernetsov <listdansp at mail.ru>

It's unlikely to have such a large hem table in practice,
but I'm fine with this patch.

Reviewed-by: Junxian Huang <huangjunxian6 at hisilicon.com>

Thanks,
Junxian

> ---
>  drivers/infiniband/hw/hns/hns_roce_hem.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/drivers/infiniband/hw/hns/hns_roce_hem.c b/drivers/infiniband/hw/hns/hns_roce_hem.c
> index 7041a8e9134b..92edec4fa61b 100644
> --- a/drivers/infiniband/hw/hns/hns_roce_hem.c
> +++ b/drivers/infiniband/hw/hns/hns_roce_hem.c
> @@ -836,7 +836,7 @@ static void hns_roce_cleanup_mhop_hem_table(struct hns_roce_dev *hr_dev,
>  					mhop.bt_chunk_size;
>  
>  	for (i = 0; i < table->num_hem; ++i) {
> -		obj = i * buf_chunk_size / table->obj_size;
> +		obj = (u64)i * buf_chunk_size / table->obj_size;
>  		if (table->hem[i])
>  			hns_roce_table_mhop_put(hr_dev, table, obj, 0);
>  	}



More information about the lvc-project mailing list