[PATCH] char: mem: keep arch range checks overflow-safe
From: Yousef Alhouseen
Date: Thu Jun 25 2026 - 04:59:54 EST
The generic /dev/mem physical range check now avoids validating
addr + size directly, but ARM and SH provide their own
valid_phys_addr_range() implementations with the same wrapped-addition
pattern.
Use subtraction-based upper-bound checks in those overrides as well. Also
make the ARM mmap pfn check avoid overflowing the pfn plus page-count
expression.
Suggested-by: Arnd Bergmann <arnd@xxxxxxxx>
Signed-off-by: Yousef Alhouseen <alhouseenyousef@xxxxxxxxx>
---
arch/arm/mm/mmap.c | 9 +++++++--
arch/sh/mm/mmap.c | 4 +++-
2 files changed, 10 insertions(+), 3 deletions(-)
diff --git a/arch/arm/mm/mmap.c b/arch/arm/mm/mmap.c
index 3dbb383c2..7467ce8cd 100644
--- a/arch/arm/mm/mmap.c
+++ b/arch/arm/mm/mmap.c
@@ -150,9 +150,11 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
*/
int valid_phys_addr_range(phys_addr_t addr, size_t size)
{
+ phys_addr_t end = __pa(high_memory - 1) + 1;
+
if (addr < PHYS_OFFSET)
return 0;
- if (addr + size > __pa(high_memory - 1) + 1)
+ if (addr > end || size > end - addr)
return 0;
return 1;
@@ -163,5 +165,8 @@ int valid_phys_addr_range(phys_addr_t addr, size_t size)
*/
int valid_mmap_phys_addr_range(unsigned long pfn, size_t size)
{
- return (pfn + (size >> PAGE_SHIFT)) <= (1 + (PHYS_MASK >> PAGE_SHIFT));
+ unsigned long max_pfn = 1 + (PHYS_MASK >> PAGE_SHIFT);
+ unsigned long pages = size >> PAGE_SHIFT;
+
+ return pfn <= max_pfn && pages <= max_pfn - pfn;
}
diff --git a/arch/sh/mm/mmap.c b/arch/sh/mm/mmap.c
index c442734d9..ba7aade46 100644
--- a/arch/sh/mm/mmap.c
+++ b/arch/sh/mm/mmap.c
@@ -170,9 +170,11 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
*/
int valid_phys_addr_range(phys_addr_t addr, size_t count)
{
+ phys_addr_t end = __pa(high_memory);
+
if (addr < __MEMORY_START)
return 0;
- if (addr + count > __pa(high_memory))
+ if (addr > end || count > end - addr)
return 0;
return 1;
--
2.54.0