iommu: Protect against overflow in iommu_pgsize() - kernel

diff options

author	Jason Gunthorpe <[email protected]>	2025-04-25 13:08:37 +0000
committer	Joerg Roedel <[email protected]>	2025-04-28 11:33:30 +0000
commit	e586e22974d2b7acbef3c6c3e01b2d5ce69efe33 (patch)
tree	2eeb7c061345c43f1b8eb858157d57e4ecf6e1cd /drivers/iommu/intel/nested.c
parent	iommu: Handle yet another race around registration (diff)
download	kernel-e586e22974d2b7acbef3c6c3e01b2d5ce69efe33.tar.gz kernel-e586e22974d2b7acbef3c6c3e01b2d5ce69efe33.zip

iommu: Protect against overflow in iommu_pgsize()

On a 32 bit system calling: iommu_map(0, 0x40000000) When using the AMD V1 page table type with a domain->pgsize of 0xfffff000 causes iommu_pgsize() to miscalculate a result of: size=0x40000000 count=2 count should be 1. This completely corrupts the mapping process. This is because the final test to adjust the pagesize malfunctions when the addition overflows. Use check_add_overflow() to prevent this. Fixes: b1d99dc5f983 ("iommu: Hook up '->unmap_pages' driver callback") Signed-off-by: Jason Gunthorpe <[email protected]> Reviewed-by: Lu Baolu <[email protected]> Link: https://lore.kernel.org/r/[email protected] Signed-off-by: Joerg Roedel <[email protected]>

Diffstat (limited to 'drivers/iommu/intel/nested.c')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: