On Sat, Dec 07, 2024 at 12:17:33PM +0800, Zhihao Cheng wrote: > 在 2024/12/7 4:26, Dan Carpenter 写道: > > The "req.start" and "req.len" variables are u64 values that come from the > > user at the start of the function. We mask away the high 32 bits of > > "req.len" so that's capped at U32_MAX but the "req.start" variable can go > > up to U64_MAX. > > > > Use check_add_overflow() to fix this bug. > > > > Fixes: 6420ac0af95d ("mtdchar: prevent unbounded allocation in MEMWRITE ioctl") > > Hi, Dan. Why this fix tag? I think the adding result('req.start' and > 'req.len') could be overflow too before this commit. > I've looked at this again, and I still don't see the bug before the commit. Secondly, commit a1eda864c04c ("mtdchar: prevent integer overflow in a safety check") is missing a Fixes tag but the message says that it's this commit which introduced the bug. Which commit should get the fixes tag? I should have added a CC to the stable tree though. I did that correctly in an earlier draft of this patch but I messed up in this version. :/ regards, dan carpenter