diff options
| author | Sebastian Alba Vives <sebasjosue84@gmail.com> | 2026-05-18 22:07:41 +0300 |
|---|---|---|
| committer | Xu Yilun <yilun.xu@linux.intel.com> | 2026-06-01 07:29:13 +0300 |
| commit | fc3b071a7c8dc0f5d56defddf6e6fd5aaa3e1e27 (patch) | |
| tree | e5f94fa612b8179e38186ce6f319d7ca33e6efc3 | |
| parent | 9e8bc49f91f3f81d957c4f1c1f09fe94e2f88f6a (diff) | |
| download | linux-fc3b071a7c8dc0f5d56defddf6e6fd5aaa3e1e27.tar.xz | |
fpga: dfl-afu: validate DMA mapping length in afu_dma_map_region()
afu_ioctl_dma_map() accepts a 64-bit length from userspace via
DFL_FPGA_PORT_DMA_MAP ioctl without an upper bound check. The value
is passed to afu_dma_pin_pages() where npages is derived as
length >> PAGE_SHIFT and passed to pin_user_pages_fast() which takes
int nr_pages, causing implicit truncation if length is very large.
Validate map.length at the ioctl entry point before calling
afu_dma_map_region(), rejecting values whose page count exceeds
INT_MAX.
Fixes: fa8dda1edef9 ("fpga: dfl: afu: add DFL_FPGA_PORT_DMA_MAP/UNMAP ioctls support")
Cc: stable@vger.kernel.org
Signed-off-by: Sebastian Alba Vives <sebasjosue84@gmail.com>
Reviewed-by: Xu Yilun <yilun.xu@intel.com>
Link: https://lore.kernel.org/r/20260518190742.61426-3-sebasjosue84@gmail.com
Signed-off-by: Xu Yilun <yilun.xu@linux.intel.com>
| -rw-r--r-- | drivers/fpga/dfl-afu-main.c | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/drivers/fpga/dfl-afu-main.c b/drivers/fpga/dfl-afu-main.c index 3bf8e7338dbe..097a97eeea66 100644 --- a/drivers/fpga/dfl-afu-main.c +++ b/drivers/fpga/dfl-afu-main.c @@ -723,6 +723,9 @@ afu_ioctl_dma_map(struct dfl_feature_dev_data *fdata, void __user *arg) if (map.argsz < minsz || map.flags) return -EINVAL; + if (map.length >> PAGE_SHIFT > (u64)INT_MAX) + return -EINVAL; + ret = afu_dma_map_region(fdata, map.user_addr, map.length, &map.iova); if (ret) return ret; |
