[PATCH] RDMA/hns: Fix potential integer overflow in mhop hem cleanup
From: Danila Chernetsov
Date: Sat Jun 27 2026 - 06:16:27 EST
In hns_roce_cleanup_mhop_hem_table(), the expression:

    obj = i * buf_chunk_size / table->obj_size;

is evaluated using 32-bit unsigned arithmetic because
'buf_chunk_size' is u32 and the usual arithmetic conversions convert
'i' to unsigned int. The result is assigned to a u64 variable, but the
multiplication may overflow before the assignment.

For sufficiently large HEM tables, this produces an incorrect object
index passed to hns_roce_table_mhop_put().

Cast 'i' to u64 before the multiplication so that the intermediate
calculation is performed with 64-bit arithmetic.

Found by Linux Verification Center (linuxtesting.org) with SVACE.
Fixes: a25d13cbe816 ("RDMA/hns: Add the interfaces to support multi hop addressing for the contexts in hip08")
Signed-off-by: Danila Chernetsov <listdansp@xxxxxxx>
---
drivers/infiniband/hw/hns/hns_roce_hem.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/infiniband/hw/hns/hns_roce_hem.c b/drivers/infiniband/hw/hns/hns_roce_hem.c
index 7041a8e9134b..92edec4fa61b 100644
--- a/drivers/infiniband/hw/hns/hns_roce_hem.c
+++ b/drivers/infiniband/hw/hns/hns_roce_hem.c
@@ -836,7 +836,7 @@ static void hns_roce_cleanup_mhop_hem_table(struct hns_roce_dev *hr_dev,
mhop.bt_chunk_size;
for (i = 0; i < table->num_hem; ++i) {
- obj = i * buf_chunk_size / table->obj_size;
+ obj = (u64)i * buf_chunk_size / table->obj_size;
if (table->hem[i])
hns_roce_table_mhop_put(hr_dev, table, obj, 0);
}
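Review bot: With the cast on the `+` line, `(u64)i * buf_chunk_size / table->obj_size` becomes an open-coded 64-bit division, which in kernel code only links on 64-bit builds. Please confirm this driver is never compiled for a 32-bit target, or switch to a div64 helper (div_u64() or div64_u64(), depending on the width of table->obj_size). Separately, `obj` is only consumed when `table->hem[i]` is set, so the computation could move inside that `if` and skip the multiply and divide for empty slots. It would also help backport triage if the commit message stated the num_hem and chunk size at which the 32-bit product wraps, so readers can tell whether "sufficiently large HEM tables" is reachable with supported configurations or is a static-analysis-only finding.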
--
2.25.1