iommufd/selftest: Test reserved regions near ULONG_MAX

This has triggered an overflow inside the ioas iova auto allocation logic,
test it directly. Use the same stimulus syzkaller found.

Link: https://patch.msgid.link/all/2-v1-7b4a16fc390b+10f4-iommufd_alloc_overflow_jgg@nvidia.com/
Tested-by: Yi Liu <yi.l.liu@intel.com>
Tested-by: Nicolin Chen <nicolinc@nvidia.com>
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>

diff --git a/tools/testing/selftests/iommu/iommufd.c b/tools/testing/selftests/iommu/iommufd.c
index d59d48022a24af4570636c0d7c93f6f44fbfee85..9d6c6fbbebb41e8e4ee66eda14fe9ac8ebe544b8 100644 (file)
--- a/tools/testing/selftests/iommu/iommufd.c
+++ b/tools/testing/selftests/iommu/iommufd.c
@@ -968,6 +968,33 @@ TEST_F(iommufd_ioas, area_auto_iova)
                test_ioctl_ioas_unmap(iovas[i], PAGE_SIZE * (i + 1));
 }
 
+/*  https://lore.kernel.org/r/685af644.a00a0220.2e5631.0094.GAE@google.com */
+TEST_F(iommufd_ioas, reserved_overflow)
+{
+       struct iommu_test_cmd test_cmd = {
+               .size = sizeof(test_cmd),
+               .op = IOMMU_TEST_OP_ADD_RESERVED,
+               .id = self->ioas_id,
+               .add_reserved.start = 6,
+       };
+       unsigned int map_len;
+       __u64 iova;
+
+       if (PAGE_SIZE == 4096) {
+               test_cmd.add_reserved.length = 0xffffffffffff8001;
+               map_len = 0x5000;
+       } else {
+               test_cmd.add_reserved.length =
+                       0xffffffffffffffff - MOCK_PAGE_SIZE * 16;
+               map_len = MOCK_PAGE_SIZE * 10;
+       }
+
+       ASSERT_EQ(0,
+                 ioctl(self->fd, _IOMMU_TEST_CMD(IOMMU_TEST_OP_ADD_RESERVED),
+                       &test_cmd));
+       test_err_ioctl_ioas_map(ENOSPC, buffer, map_len, &iova);
+}
+
 TEST_F(iommufd_ioas, area_allowed)
 {
        struct iommu_test_cmd test_cmd = {