From: Dmitry Antipov Date: Tue, 19 May 2026 17:22:52 +0000 (+0300) Subject: lib: fix _parse_integer_limit() to handle overflow X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=6e30111dbb4075e3c26c230417b32bc4a1c66831;p=thirdparty%2Flinux.git lib: fix _parse_integer_limit() to handle overflow Patch series "lib and lib/cmdline enhancements", v11. This series is a merge of the recently posted [1] and [2]. The first one is intended to adjust '_parse_integer_limit()' and 'memparse()' to not ignore overflows, extend string to 64-bit integer conversion tests, add KUnit-based test for 'memparse()' and fix kernel-doc glitches found in lib/cmdline.c. The second one was originated from RISCV-specific build fixes needed to integrate the former and now aims to provide platform-specific double-word shifts and corresponding KUnit test. Getting feedback from RISCV core maintainers would be very helpful. Special thanks to Andy Shevchenko, Charlie Jenkins, and Andrew Morton. This patch (of 8): In '_parse_integer_limit()', adjust native integer arithmetic with near-to-overflow branch where 'check_mul_overflow()' and 'check_add_overflow()' are used to check whether an intermediate result goes out of range, and denote such a case with ULLONG_MAX, thus making the function more similar to standard C library's 'strtoull()'. Adjust comment to kernel-doc style as well. Link: https://lore.kernel.org/20260519172259.908980-1-dmantipov@yandex.ru Link: https://lore.kernel.org/20260519172259.908980-2-dmantipov@yandex.ru Link: https://lore.kernel.org/linux-riscv/20260403103338.1122415-1-dmantipov@yandex.ru [1] Link: https://lore.kernel.org/linux-riscv/20260427090105.705529-1-dmantipov@yandex.ru [2] Signed-off-by: Dmitry Antipov Reviewed-by: Andy Shevchenko Cc: Albert Ou Cc: Alexandre Ghiti Cc: Andriy Shevchenko Cc: Ard Biesheuvel Cc: Palmer Dabbelt Cc: Charlie Jenkins Signed-off-by: Andrew Morton --- diff --git a/lib/kstrtox.c b/lib/kstrtox.c index 97be2a39f537..edc4eb7c1bca 100644 --- a/lib/kstrtox.c +++ b/lib/kstrtox.c @@ -39,25 +39,30 @@ const char *_parse_integer_fixup_radix(const char *s, unsigned int *base) return s; } -/* - * Convert non-negative integer string representation in explicitly given radix - * to an integer. A maximum of max_chars characters will be converted. +/** + * _parse_integer_limit - Convert integer string representation to an integer + * @s: Integer string representation + * @base: Radix + * @p: Where to store result + * @max_chars: Maximum amount of characters to convert + * + * Convert non-negative integer string representation in explicitly given + * radix to an integer. If overflow occurs, value at @p is set to ULLONG_MAX. * - * Return number of characters consumed maybe or-ed with overflow bit. - * If overflow occurs, result integer (incorrect) is still returned. + * This function is the workhorse of other string conversion functions and it + * is discouraged to use it explicitly. Consider kstrto*() family instead. * - * Don't you dare use this function. + * Return: Number of characters consumed, maybe ORed with overflow bit */ noinline unsigned int _parse_integer_limit(const char *s, unsigned int base, unsigned long long *p, size_t max_chars) { + unsigned int rv, overflow = 0; unsigned long long res; - unsigned int rv; res = 0; - rv = 0; - while (max_chars--) { + for (rv = 0; rv < max_chars; rv++, s++) { unsigned int c = *s; unsigned int lc = _tolower(c); unsigned int val; @@ -76,15 +81,17 @@ unsigned int _parse_integer_limit(const char *s, unsigned int base, unsigned lon * it in the max base we support (16) */ if (unlikely(res & (~0ull << 60))) { - if (res > div_u64(ULLONG_MAX - val, base)) - rv |= KSTRTOX_OVERFLOW; + if (check_mul_overflow(res, base, &res) || + check_add_overflow(res, val, &res)) { + res = ULLONG_MAX; + overflow = KSTRTOX_OVERFLOW; + } + } else { + res = res * base + val; } - res = res * base + val; - rv++; - s++; } *p = res; - return rv; + return rv | overflow; } noinline