patch 'net/nbl: fix integer overflow' has been queued to stable release 25.11.1

Kevin Traynor ktraynor at redhat.com
Thu Feb 26 14:09:30 CET 2026

Previous message (by thread): patch 'net/nfb: stop only started queues in fail path' has been queued to stable release 25.11.1
Next message (by thread): patch 'net/nbl: fix null pointer dereference' has been queued to stable release 25.11.1
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hi,

FYI, your patch has been queued to stable release 25.11.1

Note it hasn't been pushed to http://dpdk.org/browse/dpdk-stable yet.
It will be pushed if I get no objections before 03/02/26. So please
shout if anyone has objections.

Also note that after the patch there's a diff of the upstream commit vs the
patch applied to the branch. This will indicate if there was any rebasing
needed to apply to the stable branch. If there were code changes for rebasing
(ie: not only metadata diffs), please double check that the rebase was
correctly done.

Queued patches are on a temporary branch at:
https://github.com/kevintraynor/dpdk-stable

This queued commit can be viewed at:
https://github.com/kevintraynor/dpdk-stable/commit/76aa15c204a5eb90cd34198f6adcfacc906d28f9

Thanks.

Kevin

---
>From 76aa15c204a5eb90cd34198f6adcfacc906d28f9 Mon Sep 17 00:00:00 2001
From: Dimon Zhao <dimon.zhao at nebula-matrix.com>
Date: Tue, 3 Feb 2026 19:07:20 -0800
Subject: [PATCH] net/nbl: fix integer overflow

[ upstream commit 9559873f4a74be5ad840a4210436c0b7fdad9aed ]

Cast u16 operands to u64 before multiplication when calculating
buffer sizes and offsets to prevent potential integer overflow.
The num_txq_entries, num_rxq_entries, txq_buf_size, and rxq_buf_size
fields are all u16 types, and their product could overflow before
assignment to size_t or u64 destination variables.

Coverity issue: 490942, 490943, 490946, 490949, 490952
Coverity issue: 490953, 490954, 490955, 490957, 490959
Fixes: a1c5ffa13b2c ("net/nbl: add channel layer")

Signed-off-by: Dimon Zhao <dimon.zhao at nebula-matrix.com>
---
 drivers/net/nbl/nbl_hw/nbl_channel.c | 17 +++++++++--------
 1 file changed, 9 insertions(+), 8 deletions(-)

diff --git a/drivers/net/nbl/nbl_hw/nbl_channel.c b/drivers/net/nbl/nbl_hw/nbl_channel.c
index 7cc214df01..f81c4c8591 100644
--- a/drivers/net/nbl/nbl_hw/nbl_channel.c
+++ b/drivers/net/nbl/nbl_hw/nbl_channel.c
@@ -37,5 +37,5 @@ static int nbl_chan_init_tx_queue(union nbl_chan_info *chan_info)
 	}
 
-	size = chan_info->mailbox.num_txq_entries * chan_info->mailbox.txq_buf_size;
+	size = (u64)chan_info->mailbox.num_txq_entries * (u64)chan_info->mailbox.txq_buf_size;
 	txq->buf = nbl_alloc_dma_mem(&txq->buf_mem, size);
 	if (!txq->buf) {
@@ -67,5 +67,5 @@ static int nbl_chan_init_rx_queue(union nbl_chan_info *chan_info)
 	}
 
-	size = chan_info->mailbox.num_rxq_entries * chan_info->mailbox.rxq_buf_size;
+	size = (u64)chan_info->mailbox.num_rxq_entries * (u64)chan_info->mailbox.rxq_buf_size;
 	rxq->buf = nbl_alloc_dma_mem(&rxq->buf_mem, size);
 	if (!rxq->buf) {
@@ -164,5 +164,5 @@ static int nbl_chan_prepare_rx_bufs(struct nbl_channel_mgt *chan_mgt,
 	for (i = 0; i < chan_info->mailbox.num_rxq_entries - 1; i++) {
 		desc[i].flags = NBL_CHAN_RX_DESC_AVAIL;
-		desc[i].buf_addr = rxq->buf_mem.pa + i * chan_info->mailbox.rxq_buf_size;
+		desc[i].buf_addr = rxq->buf_mem.pa + (u64)i * (u64)chan_info->mailbox.rxq_buf_size;
 		desc[i].buf_len = chan_info->mailbox.rxq_buf_size;
 	}
@@ -325,5 +325,6 @@ static void nbl_chan_advance_rx_ring(struct nbl_channel_mgt *chan_mgt,
 
 	rx_desc->flags = NBL_CHAN_RX_DESC_AVAIL;
-	rx_desc->buf_addr = rxq->buf_mem.pa + chan_info->mailbox.rxq_buf_size * next_to_use;
+	rx_desc->buf_addr = rxq->buf_mem.pa +
+				(u64)chan_info->mailbox.rxq_buf_size * (u64)next_to_use;
 	rx_desc->buf_len = chan_info->mailbox.rxq_buf_size;
 
@@ -348,5 +349,5 @@ static void nbl_chan_clean_queue(void *priv)
 	next_to_clean = rxq->next_to_clean;
 	rx_desc = NBL_CHAN_RX_DESC(rxq, next_to_clean);
-	data = (u8 *)rxq->buf + next_to_clean * chan_info->mailbox.rxq_buf_size;
+	data = (u8 *)rxq->buf + (u64)next_to_clean * (u64)chan_info->mailbox.rxq_buf_size;
 	while (rx_desc->flags & NBL_CHAN_RX_DESC_USED) {
 		rte_rmb();
@@ -359,5 +360,5 @@ static void nbl_chan_clean_queue(void *priv)
 			next_to_clean = 0;
 		rx_desc = NBL_CHAN_RX_DESC(rxq, next_to_clean);
-		data = (u8 *)rxq->buf + next_to_clean * chan_info->mailbox.rxq_buf_size;
+		data = (u8 *)rxq->buf + (u64)next_to_clean * (u64)chan_info->mailbox.rxq_buf_size;
 	}
 	rxq->next_to_clean = next_to_clean;
@@ -377,6 +378,6 @@ static uint16_t nbl_chan_update_txqueue(union nbl_chan_info *chan_info,
 	txq = &chan_info->mailbox.txq;
 	next_to_use = txq->next_to_use;
-	va = (u8 *)txq->buf + next_to_use * chan_info->mailbox.txq_buf_size;
-	pa = txq->buf_mem.pa + next_to_use * chan_info->mailbox.txq_buf_size;
+	va = (u8 *)txq->buf + (u64)next_to_use * (u64)chan_info->mailbox.txq_buf_size;
+	pa = txq->buf_mem.pa + (u64)next_to_use * (u64)chan_info->mailbox.txq_buf_size;
 	tx_desc = NBL_CHAN_TX_DESC(txq, next_to_use);
 
-- 
2.53.0

---
  Diff of the applied patch vs upstream commit (please double-check if non-empty:
---
--- -	2026-02-26 10:16:50.541486519 +0000
+++ 0088-net-nbl-fix-integer-overflow.patch	2026-02-26 10:16:47.033459596 +0000
@@ -1 +1 @@
-From 9559873f4a74be5ad840a4210436c0b7fdad9aed Mon Sep 17 00:00:00 2001
+From 76aa15c204a5eb90cd34198f6adcfacc906d28f9 Mon Sep 17 00:00:00 2001
@@ -5,0 +6,2 @@
+[ upstream commit 9559873f4a74be5ad840a4210436c0b7fdad9aed ]
+
@@ -15 +16,0 @@
-Cc: stable at dpdk.org

Previous message (by thread): patch 'net/nfb: stop only started queues in fail path' has been queued to stable release 25.11.1
Next message (by thread): patch 'net/nbl: fix null pointer dereference' has been queued to stable release 25.11.1
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

More information about the stable mailing list