Commit 5fcee25a authored by Joao Martins's avatar Joao Martins Committed by Jason Zeng
Browse files

iommufd/selftest: Fix page-size check in iommufd_test_dirty() 

mainline inclusion
from mainline-v6.7-rc1
commit 2e22aac3ea9cfc0ec3209c96644f60c1806a8117
category: feature
bugzilla: https://gitee.com/openeuler/intel-kernel/issues/I8Y6AM
CVE: NA

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?2e22aac3ea9cfc0ec3209c96644f60c1806a8117

--------------------------------

iommufd_test_dirty()/IOMMU_TEST_OP_DIRTY sets the dirty bits in the mock
domain implementation that the userspace side validates against what it
obtains via the UAPI.

However in introducing iommufd_test_dirty() it forgot to validate page_size
being 0 leading to two possible divide-by-zero problems: one at the
beginning when calculating @max and while calculating the IOVA in the
XArray PFN tracking list.

While at it, validate the length to require non-zero value as well, as we
can't be allocating a 0-sized bitmap.

Intel-SIG: 2e22aac3ea9c iommufd/selftest: Fix page-size check in iommufd_test_dirty()
Backport IOMMUFD Dirty Tracking

Link: https://lore.kernel.org/r/20231030113446.7056-1-joao.m.martins@oracle.com


Reported-by: default avatar <syzbot+25dc7383c30ecdc83c38@syzkaller.appspotmail.com>
Closes: https://lore.kernel.org/linux-iommu/00000000000005f6aa0608b9220f@google.com/


Fixes: a9af47e382a4 ("iommufd/selftest: Test IOMMU_HWPT_GET_DIRTY_BITMAP")
Signed-off-by: default avatarJoao Martins <joao.m.martins@oracle.com>
Signed-off-by: default avatarJason Gunthorpe <jgg@nvidia.com>
[ jz: amend commit log ]
Signed-off-by: default avatarJason Zeng <jason.zeng@intel.com>
parent 89f4f377

drivers/iommu/iommufd/selftest.c

+4 −2
Original line number Diff line number Diff line
@@ -1098,14 +1098,15 @@ static int iommufd_test_dirty(struct iommufd_ucmd *ucmd, unsigned int mockpt_id, 
			      unsigned long page_size, void __user *uptr,

			      u32 flags)

{

	unsigned long bitmap_size, i, max = length / page_size;

	unsigned long bitmap_size, i, max;

	struct iommu_test_cmd *cmd = ucmd->cmd;

	struct iommufd_hw_pagetable *hwpt;

	struct mock_iommu_domain *mock;

	int rc, count = 0;

	void *tmp;



	if (iova % page_size || length % page_size || !uptr)

	if (!page_size || !length || iova % page_size || length % page_size ||

	    !uptr)

		return -EINVAL;



	hwpt = get_md_pagetable(ucmd, mockpt_id, &mock);
@@ -1117,6 +1118,7 @@ static int iommufd_test_dirty(struct iommufd_ucmd *ucmd, unsigned int mockpt_id, 
		goto out_put;

	}



	max = length / page_size;

	bitmap_size = max / BITS_PER_BYTE;



	tmp = kvzalloc(bitmap_size, GFP_KERNEL_ACCOUNT);