Overflow can occur in a situation where desc->source_address has a maximum value (pow(2, 32) - 1), so add a cast to a larger type before the assignment.
Found by Linux Verification Center (linuxtesting.org) with SVACE. Fixes: d3c6369a96 ("introduce xlnx-dpdma") Signed-off-by: Alexandra Diupina <adiup...@astralinux.ru>
---
 hw/dma/xlnx_dpdma.c | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-)
diff --git a/hw/dma/xlnx_dpdma.c b/hw/dma/xlnx_dpdma.c
index 1f5cd64ed1..224259225c 100644
--- a/hw/dma/xlnx_dpdma.c
+++ b/hw/dma/xlnx_dpdma.c
@@ -175,24 +175,24 @@ static uint64_t xlnx_dpdma_desc_get_source_address(DPDMADescriptor *desc,
 switch (frag) {
 case 0:
- addr = desc->source_address
- + (extract32(desc->address_extension, 16, 12) << 20);
+ addr = (uint64_t)(desc->source_address
+ + (extract32(desc->address_extension, 16, 12) << 20));
 break;
 case 1:
- addr = desc->source_address2
- + (extract32(desc->address_extension_23, 0, 12) << 8);
+ addr = (uint64_t)(desc->source_address2
+ + (extract32(desc->address_extension_23, 0, 12) << 8));
 break;
 case 2:
- addr = desc->source_address3
- + (extract32(desc->address_extension_23, 16, 12) << 20);
+ addr = (uint64_t)(desc->source_address3
+ + (extract32(desc->address_extension_23, 16, 12) << 20));
 break;
 case 3:
- addr = desc->source_address4
- + (extract32(desc->address_extension_45, 0, 12) << 8);
+ addr = (uint64_t)(desc->source_address4
+ + (extract32(desc->address_extension_45, 0, 12) << 8));
 break;
 case 4:
- addr = desc->source_address5
- + (extract32(desc->address_extension_45, 16, 12) << 20);
+ addr = (uint64_t)(desc->source_address5
+ + (extract32(desc->address_extension_45, 16, 12) << 20));
 break;
 default:
 addr = 0;
-- 2.30.2
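Review bot: The `(uint64_t)` cast in all five cases wraps the finished sum, so the addition is still evaluated at the operands' width (32-bit, going by the commit message and `extract32`), and a wrapped value is what gets widened. The overflow the commit describes is therefore not prevented. Cast one operand before the addition instead, e.g. `addr = (uint64_t)desc->source_address + (extract32(desc->address_extension, 16, 12) << 20);`, and likewise for `source_address2` through `source_address5`. These fields are presumably filled from guest-supplied descriptors, so a wrapped sum would steer the device model's access to an unintended address; it is also worth checking the shift amounts against the descriptor layout, since the extension term is still computed in 32 bits. The function's signature tail and closing lines are outside the hunk.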