On Tue, Oct 25, 2022 at 03:12:18PM -0300, Jason Gunthorpe wrote:
> +static int iopt_check_iova(struct io_pagetable *iopt, unsigned long iova,
> + unsigned long length)
> +{
> + unsigned long last;
> +
> + lockdep_assert_held(&iopt->iova_rwsem);
> +
> + if ((iova & (iopt->iova_alignment - 1)) ||
> + (length & (iopt->iova_alignment - 1)) || !length)
> + return -EINVAL;
syzkaller noticed this length check is too late, if userpsace
supplies an invalid length and asks for automatic IOVA allocation
it will trigger a WARN_ON.
@@ -177,8 +177,7 @@ static int iopt_check_iova(struct io_pagetable *iopt, unsigned long iova,
lockdep_assert_held(&iopt->iova_rwsem);
- if ((iova & (iopt->iova_alignment - 1)) ||
- (length & (iopt->iova_alignment - 1)) || !length)
+ if ((iova & (iopt->iova_alignment - 1)))
return -EINVAL;
if (check_add_overflow(iova, length - 1, &last))
@@ -248,6 +247,11 @@ static int iopt_alloc_area_pages(struct io_pagetable *iopt,
}
down_write(&iopt->iova_rwsem);
+ if ((length & (iopt->iova_alignment - 1)) || !length) {
+ rc = -EINVAL;
+ goto out_unlock;
+ }
+
if (flags & IOPT_ALLOC_IOVA) {
/* Use the first entry to guess the ideal IOVA alignment */
elm = list_first_entry(pages_list, struct iopt_pages_list,
And a test to cover it
Jason
