[PATCH 2/3] fpga: dfl-afu: fix integer truncation of npages in afu_dma_pin_pages()

[Sebastian Alba Vives]

From: Sebastian Josue Alba Vives <sebasjosue84@xxxxxxxxx>

In afu_dma_pin_pages(), npages is declared as int but is assigned from
region->length >> PAGE_SHIFT where region->length is u64. This causes
implicit truncation on 64-bit systems when length is large.

The truncated value is then passed to account_locked_vm() (which takes
unsigned long) with implicit sign extension, and to pin_user_pages_fast()
which takes int nr_pages, potentially causing incorrect VM accounting.

Change npages to unsigned long and add a cap to prevent values exceeding
INT_MAX from reaching pin_user_pages_fast().

Signed-off-by: Sebastian Alba Vives <sebasjosue84@xxxxxxxxx>
---
 drivers/fpga/dfl-afu-dma-region.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/drivers/fpga/dfl-afu-dma-region.c b/drivers/fpga/dfl-afu-dma-region.c
index 87652d5..0d1f973 100644
--- a/drivers/fpga/dfl-afu-dma-region.c
+++ b/drivers/fpga/dfl-afu-dma-region.c
@@ -34,10 +34,13 @@ void afu_dma_region_init(struct dfl_feature_dev_data *fdata)
 static int afu_dma_pin_pages(struct dfl_feature_dev_data *fdata,
 			     struct dfl_afu_dma_region *region)
 {
-	int npages = region->length >> PAGE_SHIFT;
+	unsigned long npages = region->length >> PAGE_SHIFT;
 	struct device *dev = &fdata->dev->dev;
 	int ret, pinned;
 
+	if (npages > INT_MAX)
+		return -EINVAL;
+
 	ret = account_locked_vm(current->mm, npages, true);
 	if (ret)
 		return ret;
-- 
2.43.0