Patch "iommufd/iova_bitmap: Fix shift-out-of-bounds in iova_bitmap_offset_to_index()" has been added to the 6.13-stable tree

[Sasha Levin <sashal@xxxxxxxxxx>]

This is a note to let you know that I've just added the patch titled

    iommufd/iova_bitmap: Fix shift-out-of-bounds in iova_bitmap_offset_to_index()

to the 6.13-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     iommufd-iova_bitmap-fix-shift-out-of-bounds-in-iova_.patch
and it can be found in the queue-6.13 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 1b57fdf564a3cb290f16b835b3bc296a7f004d5d
Author: Qasim Ijaz <qasdev00@xxxxxxxxx>
Date:   Mon Jan 13 22:38:20 2025 +0000

    iommufd/iova_bitmap: Fix shift-out-of-bounds in iova_bitmap_offset_to_index()
    
    [ Upstream commit e24c1551059268b37f6f40639883eafb281b8b9c ]
    
    Resolve a UBSAN shift-out-of-bounds issue in iova_bitmap_offset_to_index()
    where shifting the constant "1" (of type int) by bitmap->mapped.pgshift
    (an unsigned long value) could result in undefined behavior.
    
    The constant "1" defaults to a 32-bit "int", and when "pgshift" exceeds
    31 (e.g., pgshift = 63) the shift operation overflows, as the result
    cannot be represented in a 32-bit type.
    
    To resolve this, the constant is updated to "1UL", promoting it to an
    unsigned long type to match the operand's type.
    
    Fixes: 58ccf0190d19 ("vfio: Add an IOVA bitmap support")
    Link: https://patch.msgid.link/r/20250113223820.10713-1-qasdev00@xxxxxxxxx
    Reported-by: syzbot <syzbot+85992ace37d5b7b51635@xxxxxxxxxxxxxxxxxxxxxxxxx>
    Closes: https://syzkaller.appspot.com/bug?extid=85992ace37d5b7b51635
    Signed-off-by: Qasim Ijaz <qasdev00@xxxxxxxxx>
    Reviewed-by: Joao Martins <joao.m.martins@xxxxxxxxxx>
    Signed-off-by: Jason Gunthorpe <jgg@xxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/drivers/iommu/iommufd/iova_bitmap.c b/drivers/iommu/iommufd/iova_bitmap.c
index ab665cf38ef4a..39a86a4a1d3af 100644
--- a/drivers/iommu/iommufd/iova_bitmap.c
+++ b/drivers/iommu/iommufd/iova_bitmap.c
@@ -130,7 +130,7 @@ struct iova_bitmap {
 static unsigned long iova_bitmap_offset_to_index(struct iova_bitmap *bitmap,
 						 unsigned long iova)
 {
-	unsigned long pgsize = 1 << bitmap->mapped.pgshift;
+	unsigned long pgsize = 1UL << bitmap->mapped.pgshift;
 
 	return iova / (BITS_PER_TYPE(*bitmap->bitmap) * pgsize);
 }