[PATCH] x86/mm: guard against overflow in mmap_address_hint_valid

Next message: Jinyu Tang: "[PATCH v7] KVM: riscv: Skip CSR restore if VCPU is reloaded on the same core"
Previous message: Genes Lists: "Re: Linux 6.19.4 - Oops, regression"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Ali Zain

Date: Fri Feb 27 2026 - 07:10:10 EST

Use check_add_overflow() to safely compute addr + len and avoid potential overflow during address validation.

Signed-off-by: Ali Zain <alizainuimx@xxxxxxxxx>
---
arch/x86/mm/mmap.c | 14 ++++++++------
1 file changed, 8 insertions(+), 6 deletions(-)

diff --git a/arch/x86/mm/mmap.c b/arch/x86/mm/mmap.c
index 8964466ee..0bfb0bfd9 100644
--- a/arch/x86/mm/mmap.c
+++ b/arch/x86/mm/mmap.c
@@ -196,15 +196,17 @@ unsigned long get_mmap_base(int is_legacy)
*/
bool mmap_address_hint_valid(unsigned long addr, unsigned long len)
{
- if (TASK_SIZE - len < addr)
- return false;
+ unsigned long end;

- if (addr + len < addr) // overflow check
- return false;
+ if (TASK_SIZE - len < addr)
+ return false;

- return (addr > DEFAULT_MAP_WINDOW) == (addr + len > DEFAULT_MAP_WINDOW);
-}
+ /* Prevent overflow in addr + len */
+ if (check_add_overflow(addr, len, &end))
+ return false;

+ return (addr > DEFAULT_MAP_WINDOW) == (end > DEFAULT_MAP_WINDOW);
+}
/* Can we access it for direct reading/writing? Must be RAM: */
int valid_phys_addr_range(phys_addr_t addr, size_t count)
{
--
2.53.0