Commit 2e07a9fe authored Jul 01, 2025 by Artem Sadovnikov Committed by Greg Kroah-Hartman Aug 28, 2025

vfio/mlx5: fix possible overflow in tracking max message size



[ Upstream commit b3060198 ]

MLX cap pg_track_log_max_msg_size consists of 5 bits, value of which is
used as power of 2 for max_msg_size. This can lead to multiplication
overflow between max_msg_size (u32) and integer constant, and afterwards
incorrect value is being written to rq_size.

Fix this issue by extending integer constant to u64 type.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Suggested-by: Alex Williamson <alex.williamson@redhat.com>
Signed-off-by: Artem Sadovnikov <a.sadovnikov@ispras.ru>
Reviewed-by: Yishai Hadas <yishaih@nvidia.com>
Link: https://lore.kernel.org/r/20250701144017.2410-2-a.sadovnikov@ispras.ru


Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>

parent 48d7bdd8

Show whitespace changes

Inline Side-by-side

CodeLinaro @codelinaro
mentioned in commit ce2b36d4
· Nov 05, 2025

mentioned in commit ce2b36d4

mentioned in commit ce2b36d4e09680a95a26962f0ddb3edd4bc8ae28

Toggle commit list

Please to comment