Re: [PATCH 2/3] fpga: dfl-afu: fix integer truncation of npages in afu_dma_pin_pages()
From: Greg KH
Date: Thu Apr 02 2026 - 12:08:30 EST
On Thu, Apr 02, 2026 at 06:54:45AM -0600, Sebastian Alba Vives wrote:
> From: Sebastian Josue Alba Vives <sebasjosue84@xxxxxxxxx>
>
> In afu_dma_pin_pages(), npages is declared as int but is assigned from
> region->length >> PAGE_SHIFT where region->length is u64. This causes
> implicit truncation on 64-bit systems when length is large.
How can length be that large? You are shifting down, not up.
>
> The truncated value is then passed to account_locked_vm() (which takes
> unsigned long) with implicit sign extension, and to pin_user_pages_fast()
> which takes int nr_pages, potentially causing incorrect VM accounting.
>
> Change npages to unsigned long and add a cap to prevent values exceeding
> INT_MAX from reaching pin_user_pages_fast().
>
> Signed-off-by: Sebastian Alba Vives <sebasjosue84@xxxxxxxxx>
> ---
> drivers/fpga/dfl-afu-dma-region.c | 5 ++++-
> 1 file changed, 4 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/fpga/dfl-afu-dma-region.c b/drivers/fpga/dfl-afu-dma-region.c
> index 87652d5..0d1f973 100644
> --- a/drivers/fpga/dfl-afu-dma-region.c
> +++ b/drivers/fpga/dfl-afu-dma-region.c
> @@ -34,10 +34,13 @@ void afu_dma_region_init(struct dfl_feature_dev_data *fdata)
> static int afu_dma_pin_pages(struct dfl_feature_dev_data *fdata,
> struct dfl_afu_dma_region *region)
> {
> - int npages = region->length >> PAGE_SHIFT;
> + unsigned long npages = region->length >> PAGE_SHIFT;
> struct device *dev = &fdata->dev->dev;
> int ret, pinned;
>
> + if (npages > INT_MAX)
> + return -EINVAL;
Why INT_MAX? SHouldn't this be much smaller?
thanks,
greg k-h