#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
diff --git a/drivers/vhost/iotlb.c b/drivers/vhost/iotlb.c
index 670d56c879e5..fef9daa9f09f 100644
--- a/drivers/vhost/iotlb.c
+++ b/drivers/vhost/iotlb.c
@@ -53,8 +53,13 @@ int vhost_iotlb_add_range_ctx(struct vhost_iotlb *iotlb,
 void *opaque)
 {
 struct vhost_iotlb_map *map;
+ u64 size = last - start + 1;
- if (last < start)
+ pr_info("vhost_iotlb_add_range: iotlb=%p, start=%llu, last=%llx, addr=%llu\n",
+ iotlb, start, last, addr);
+
+ // size can overflow to 0 when start is 0 and last is (2^64 - 1).
+ if (last < start || size == 0)
 return -EFAULT;
 if (iotlb->limit &&
@@ -69,7 +74,7 @@ int vhost_iotlb_add_range_ctx(struct vhost_iotlb *iotlb,
 return -ENOMEM;
 map->start = start;
- map->size = last - start + 1;
+ map->size = size;
 map->last = last;
 map->addr = addr;
 map->perm = perm;
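Review bot: The new `size == 0` test in the first hunk makes vhost_iotlb_add_range_ctx() return -EFAULT for the whole-address-space range (start 0, last 2^64 - 1), which under the inclusive `start`/`last` convention is a valid, non-empty range rather than a bad address. If any caller installs such a catch-all mapping (none is visible in this hunk), it will start failing, so either split that range into two entries at the call site or state the restriction in the function's header comment, e.g. `/* A range spanning the full 64-bit space is rejected: map->size cannot represent 2^64. */`. The added pr_info() runs on every call with values that presumably originate from userspace, so outside a syzbot test run it should be dropped or reduced to `pr_debug_ratelimited(...)` to avoid unbounded log output. It also prints `start` and `addr` with `%llu` but `last` with `%llx`, which makes the line harder to read. The function body starts before and continues past this hunk.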