From: Joao Martins Date: Mon, 30 Oct 2023 11:34:46 +0000 (+0000) Subject: iommufd/selftest: Fix page-size check in iommufd_test_dirty() X-Git-Tag: v6.7-rc1~121^2~1 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=2e22aac3ea9cfc0ec3209c96644f60c1806a8117;p=thirdparty%2Flinux.git iommufd/selftest: Fix page-size check in iommufd_test_dirty() iommufd_test_dirty()/IOMMU_TEST_OP_DIRTY sets the dirty bits in the mock domain implementation that the userspace side validates against what it obtains via the UAPI. However in introducing iommufd_test_dirty() it forgot to validate page_size being 0 leading to two possible divide-by-zero problems: one at the beginning when calculating @max and while calculating the IOVA in the XArray PFN tracking list. While at it, validate the length to require non-zero value as well, as we can't be allocating a 0-sized bitmap. Link: https://lore.kernel.org/r/20231030113446.7056-1-joao.m.martins@oracle.com Reported-by: syzbot+25dc7383c30ecdc83c38@syzkaller.appspotmail.com Closes: https://lore.kernel.org/linux-iommu/00000000000005f6aa0608b9220f@google.com/ Fixes: a9af47e382a4 ("iommufd/selftest: Test IOMMU_HWPT_GET_DIRTY_BITMAP") Signed-off-by: Joao Martins Signed-off-by: Jason Gunthorpe --- diff --git a/drivers/iommu/iommufd/selftest.c b/drivers/iommu/iommufd/selftest.c index 6684ab4cdc7a9..a11d29f368ff8 100644 --- a/drivers/iommu/iommufd/selftest.c +++ b/drivers/iommu/iommufd/selftest.c @@ -1195,14 +1195,15 @@ static int iommufd_test_dirty(struct iommufd_ucmd *ucmd, unsigned int mockpt_id, unsigned long page_size, void __user *uptr, u32 flags) { - unsigned long bitmap_size, i, max = length / page_size; + unsigned long bitmap_size, i, max; struct iommu_test_cmd *cmd = ucmd->cmd; struct iommufd_hw_pagetable *hwpt; struct mock_iommu_domain *mock; int rc, count = 0; void *tmp; - if (iova % page_size || length % page_size || !uptr) + if (!page_size || !length || iova % page_size || length % page_size || + !uptr) return -EINVAL; hwpt = get_md_pagetable(ucmd, mockpt_id, &mock); @@ -1214,6 +1215,7 @@ static int iommufd_test_dirty(struct iommufd_ucmd *ucmd, unsigned int mockpt_id, goto out_put; } + max = length / page_size; bitmap_size = max / BITS_PER_BYTE; tmp = kvzalloc(bitmap_size, GFP_KERNEL_ACCOUNT);