From: Thomas Weißschuh <thomas.weissschuh@xxxxxxxxxxxxx> commit 15e2f65f2ecfeb8e39315522e2b5cfdc5651fc10 upstream. "resource->end" needs to always be equal to "resource->start + size - 1". The previous version of the function did not perform the "- 1" in case of an empty resource. Also make sure to allow an empty resource at address 0. Reported-by: Basharath Hussain Khaja <basharath@xxxxxxxxxxx> Closes: https://lore.kernel.org/lkml/20250108140414.13530-1-basharath@xxxxxxxxxxx/ Fixes: 1a52a094c2f0 ("of: address: Unify resource bounds overflow checking") Cc: stable@xxxxxxxxxxxxxxx Signed-off-by: Thomas Weißschuh <thomas.weissschuh@xxxxxxxxxxxxx> Link: https://lore.kernel.org/r/20250120-of-address-overflow-v1-1-dd68dbf47bce@xxxxxxxxxxxxx Signed-off-by: Rob Herring (Arm) <robh@xxxxxxxxxx> Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> --- drivers/of/address.c | 12 +++++------- 1 file changed, 5 insertions(+), 7 deletions(-) --- a/drivers/of/address.c +++ b/drivers/of/address.c @@ -200,17 +200,15 @@ static u64 of_bus_pci_map(__be32 *addr, static int __of_address_resource_bounds(struct resource *r, u64 start, u64 size) { - u64 end = start; - if (overflows_type(start, r->start)) return -EOVERFLOW; - if (size && check_add_overflow(end, size - 1, &end)) - return -EOVERFLOW; - if (overflows_type(end, r->end)) - return -EOVERFLOW; r->start = start; - r->end = end; + + if (!size) + r->end = wrapping_sub(typeof(r->end), r->start, 1); + else if (size && check_add_overflow(r->start, size - 1, &r->end)) + return -EOVERFLOW; return 0; } Patches currently in stable-queue which might be from thomas.weissschuh@xxxxxxxxxxxxx are queue-6.12/of-address-fix-empty-resource-handling-in-__of_address_resource_bounds.patch
