iommufd/iova_bitmap: Fix shift-out-of-bounds in iova_bitmap_offset_to_index()

stable inclusion
from stable-v6.6.76
commit 38ac76fc06bc6826a3e4b12a98efbe98432380a9
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IBPBI4
CVE: CVE-2025-21724

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=38ac76fc06bc6826a3e4b12a98efbe98432380a9

--------------------------------

[ Upstream commit e24c1551059268b37f6f40639883eafb281b8b9c ]

Resolve a UBSAN shift-out-of-bounds issue in iova_bitmap_offset_to_index()
where shifting the constant "1" (of type int) by bitmap->mapped.pgshift
(an unsigned long value) could result in undefined behavior.

The constant "1" defaults to a 32-bit "int", and when "pgshift" exceeds
31 (e.g., pgshift = 63) the shift operation overflows, as the result
cannot be represented in a 32-bit type.

To resolve this, the constant is updated to "1UL", promoting it to an
unsigned long type to match the operand's type.

Fixes: 58ccf019 ("vfio: Add an IOVA bitmap support")
Link: https://patch.msgid.link/r/20250113223820.10713-1-qasdev00@gmail.com


Reported-by: syzbot <syzbot+85992ace37d5b7b51635@syzkaller.appspotmail.com>
Closes: https://syzkaller.appspot.com/bug?extid=85992ace37d5b7b51635


Signed-off-by: Qasim Ijaz <qasdev00@gmail.com>
Reviewed-by: Joao Martins <joao.m.martins@oracle.com>
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>

Conflicts:
	drivers/iommu/iommufd/iova_bitmap.c
	drivers/vfio/iova_bitmap.c
[Context conflicts]
Signed-off-by: ZhangPeng <zhangpeng362@huawei.com>
Signed-off-by: Xiongfeng Wang <wangxiongfeng2@huawei.com>