On Tue, Jan 08, 2019 at 09:40:06AM -0700, Alex Williamson wrote:
> The below referenced commit adds a test for integer overflow, but in
> doing so prevents the unmap ioctl from ever including the last page of
> the address space. Subtract one to compare to the last address of the
> unmap to avoid the overflow and wrap-around.
>
> Fixes: 71a7d3d78e3c ("vfio/type1: silence integer overflow warning")
> Link: https://bugzilla.redhat.com/show_bug.cgi?id=1662291
> Cc: Dan Carpenter <[email protected]>
> Reported-by: Pei Zhang <[email protected]>
> Debugged-by: Peter Xu <[email protected]>
> Signed-off-by: Alex Williamson <[email protected]>
I tested this against the QEMU reboot error and it works.
Reviewed-by: Peter Xu <[email protected]>
Tested-by: Peter Xu <[email protected]>
Thanks,
> ---
> drivers/vfio/vfio_iommu_type1.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/vfio/vfio_iommu_type1.c b/drivers/vfio/vfio_iommu_type1.c
> index 7651cfb14836..73652e21efec 100644
> --- a/drivers/vfio/vfio_iommu_type1.c
> +++ b/drivers/vfio/vfio_iommu_type1.c
> @@ -878,7 +878,7 @@ static int vfio_dma_do_unmap(struct vfio_iommu *iommu,
> return -EINVAL;
> if (!unmap->size || unmap->size & mask)
> return -EINVAL;
> - if (unmap->iova + unmap->size < unmap->iova ||
> + if (unmap->iova + unmap->size - 1 < unmap->iova ||
> unmap->size > SIZE_MAX)
> return -EINVAL;
>
>
--
Peter Xu
