Re: [PATCH v8 0/3] fpga: bounds checks and input validation fixes

Next message: Fenglin Wu: "Re: [PATCH v2 3/4] pinctrl: qcom: spmi-gpio: Rearchitect for flexible group support"
Previous message: Dev Jain: "Re: [PATCH v2 0/2] mm/hmm: A fix and a selftest"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Xu Yilun

Date: Mon Jun 01 2026 - 01:14:59 EST

On Mon, May 18, 2026 at 01:07:39PM -0600, Sebastian Alba Vives wrote:
> This series adds three defensive fixes to FPGA drivers:
>
> Patch 1/3 fixes dfh_get_param_size() in the DFL driver where the loop
> bounds check is evaluated before incrementing size, potentially returning
> an inflated size that exceeds the feature region boundary.
>
> Patch 2/3 validates the DMA mapping length in afu_ioctl_dma_map() at the
> ioctl entry point before passing it down the call chain, preventing
> implicit integer truncation in pin_user_pages_fast().
>
> Patch 3/3 fixes mpf_ops_parse_header() in the Microchip SPI FPGA manager
> where a zero header_size from the bitstream causes a one-byte read before
> the buffer start.
>
> Sebastian Alba Vives (3):
> fpga: dfl: add bounds check in dfh_get_param_size()
> fpga: dfl-afu: validate DMA mapping length in afu_dma_map_region()
> fpga: microchip-spi: fix zero header_size OOB read in
> mpf_ops_parse_header()
>
> drivers/fpga/dfl-afu-main.c | 3 +++
> drivers/fpga/dfl.c | 2 ++
> drivers/fpga/microchip-spi.c | 3 +++
> 3 files changed, 8 insertions(+)

Reviewed-by: Xu Yilun <yilun.xu@xxxxxxxxx>

Applied to for-next