Patch "iommufd/iova_bitmap: Bounds check mapped::pages access" has been added to the 6.7-stable tree

Sasha Levin <sashal@xxxxxxxxxx> · Mon, 26 Feb 2024 17:22:36 -0500

This is a note to let you know that I've just added the patch titled

    iommufd/iova_bitmap: Bounds check mapped::pages access

to the 6.7-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     iommufd-iova_bitmap-bounds-check-mapped-pages-access.patch
and it can be found in the queue-6.7 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 32290f152fd36f9c87d2647eed124c30a29979b9
Author: Joao Martins <joao.m.martins@xxxxxxxxxx>
Date:   Fri Feb 2 13:34:07 2024 +0000

    iommufd/iova_bitmap: Bounds check mapped::pages access
    
    [ Upstream commit a4ab7dedaee0e39b15653c5fd0367e420739f7ef ]
    
    Dirty IOMMU hugepages reported on a base page page-size granularity can
    lead to an attempt to set dirty pages in the bitmap beyond the limits that
    are pinned.
    
    Bounds check the page index of the array we are trying to access is within
    the limits before we kmap() and return otherwise.
    
    While it is also a defensive check, this is also in preparation to defer
    setting bits (outside the mapped range) to the next iteration(s) when the
    pages become available.
    
    Fixes: b058ea3ab5af ("vfio/iova_bitmap: refactor iova_bitmap_set() to better handle page boundaries")
    Link: https://lore.kernel.org/r/20240202133415.23819-2-joao.m.martins@xxxxxxxxxx
    Signed-off-by: Joao Martins <joao.m.martins@xxxxxxxxxx>
    Tested-by: Avihai Horon <avihaih@xxxxxxxxxx>
    Signed-off-by: Jason Gunthorpe <jgg@xxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/drivers/iommu/iommufd/iova_bitmap.c b/drivers/iommu/iommufd/iova_bitmap.c
index 0a92c9eeaf7f5..a3606b4c22292 100644
--- a/drivers/iommu/iommufd/iova_bitmap.c
+++ b/drivers/iommu/iommufd/iova_bitmap.c
@@ -409,6 +409,7 @@ void iova_bitmap_set(struct iova_bitmap *bitmap,
 			mapped->pgshift) + mapped->pgoff * BITS_PER_BYTE;
 	unsigned long last_bit = (((iova + length - 1) - mapped->iova) >>
 			mapped->pgshift) + mapped->pgoff * BITS_PER_BYTE;
+	unsigned long last_page_idx = mapped->npages - 1;
 
 	do {
 		unsigned int page_idx = cur_bit / BITS_PER_PAGE;
@@ -417,6 +418,9 @@ void iova_bitmap_set(struct iova_bitmap *bitmap,
 					 last_bit - cur_bit + 1);
 		void *kaddr;
 
+		if (unlikely(page_idx > last_page_idx))
+			break;
+
 		kaddr = kmap_local_page(mapped->pages[page_idx]);
 		bitmap_set(kaddr, offset, nbits);
 		kunmap_local(kaddr);







