From nobody Fri Dec 19 12:21:33 2025
Received: from mx0b-00082601.pphosted.com (mx0b-00082601.pphosted.com
 [67.231.153.30])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 5CDA53469E6
	for <linux-kernel@vger.kernel.org>; Tue, 28 Oct 2025 16:15:13 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=none smtp.client-ip=67.231.153.30
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1761668116; cv=none;
 b=rdE4g+DYcWwgual2a57x4YTCglmmZDbUod4fkA8J8ZFntFdd4QpTbfw07inHjQgtYlOlikTtnJY1rt/jMndue08dJSY9KcbYGdqgprRRtncQKEQ33tJ9cRuFXeqzQ3kXUMg3Gntnjx9Dpsa5e2VkyS8gpAc6GUgFFqdijEr/G90=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1761668116; c=relaxed/simple;
	bh=5btW7c2QlUBiHj/dljboPvASBr+YBpM7j/wLAfUdHEc=;
	h=From:Date:Subject:MIME-Version:Content-Type:Message-ID:References:
	 In-Reply-To:To:CC;
 b=uRmCvw8L8lpFnDTgNjU5i46NcYI4orzYGPcbgAW+2lqzrcEdPMKNTzUCNODZgSfwxlcJ4PdDgyA5zKXmXRpYUU0IDaSWLZy5stmI4mUhXpWa1K98Z1c1lcNsEBg0krrwltc9oprWEb4vly5DgPcaXowXliy+HWt23XicgsubUnU=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
 dmarc=pass (p=reject dis=none) header.from=fb.com;
 spf=pass smtp.mailfrom=meta.com;
 dkim=pass (2048-bit key) header.d=fb.com header.i=@fb.com header.b=6vfqoTmE;
 arc=none smtp.client-ip=67.231.153.30
Authentication-Results: smtp.subspace.kernel.org;
 dmarc=pass (p=reject dis=none) header.from=fb.com
Authentication-Results: smtp.subspace.kernel.org;
 spf=pass smtp.mailfrom=meta.com
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=fb.com header.i=@fb.com header.b="6vfqoTmE"
Received: from pps.filterd (m0109332.ppops.net [127.0.0.1])
	by mx0a-00082601.pphosted.com (8.18.1.11/8.18.1.11) with ESMTP id
 59SDI1Qe471239
	for <linux-kernel@vger.kernel.org>; Tue, 28 Oct 2025 09:15:13 -0700
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fb.com; h=cc
	:content-transfer-encoding:content-type:date:from:in-reply-to
	:message-id:mime-version:references:subject:to; s=s2048-2025-q2;
	 bh=iUWPw0RcWFuSEfLHoYV1wEUtZvKNyBm0Cr9wUiHyf7Q=; b=6vfqoTmEV9EF
	J4LispLKZ0udMKR6O7LKbbI2WAh7AzzFOvhTq9/URftIgEZqJddgadbR/nBZ0bwL
	yyLU+BQjczzua9iLRNRD2yJh/kg5DGKUQRguiziLzlWXGE7D2d8VUEjw5GWuRNT4
	SJOx8HCZ+2ity0GsSShYSEpRje3bNoou1djBm95rbJ0AUMPt9xalof43dUa5iA1c
	2EB3IaHdycoLkCxSPAZEBJWmiZNJ6GYJxrM2RT5cJqlDc1n0V7uUVwthdVI2G3jk
	fenzCUeDY74mCfFAVJIU1Ll7KjOGqugQH63CuWPNmPByQ7r2XnAWHCklNmFqmt6h
	D/1wtvcOpQ==
Received: from mail.thefacebook.com ([163.114.134.16])
	by mx0a-00082601.pphosted.com (PPS) with ESMTPS id 4a2xkhhq1h-9
	(version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NOT)
	for <linux-kernel@vger.kernel.org>; Tue, 28 Oct 2025 09:15:12 -0700 (PDT)
Received: from twshared15465.32.frc3.facebook.com (2620:10d:c085:208::7cb7) by
 mail.thefacebook.com (2620:10d:c08b:78::c78f) with Microsoft SMTP Server
 (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id
 15.2.2562.20; Tue, 28 Oct 2025 16:15:07 +0000
Received: by devgpu012.nha5.facebook.com (Postfix, from userid 28580)
	id F3B97512935; Tue, 28 Oct 2025 09:15:04 -0700 (PDT)
From: Alex Mastro <amastro@fb.com>
Date: Tue, 28 Oct 2025 09:15:00 -0700
Subject: [PATCH v6 1/5] vfio/type1: sanitize for overflow using
 check_*_overflow()
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Message-ID: <20251028-fix-unmap-v6-1-2542b96bcc8e@fb.com>
References: <20251028-fix-unmap-v6-0-2542b96bcc8e@fb.com>
In-Reply-To: <20251028-fix-unmap-v6-0-2542b96bcc8e@fb.com>
To: Alex Williamson <alex@shazbot.org>
CC: Jason Gunthorpe <jgg@ziepe.ca>,
        Alejandro Jimenez
	<alejandro.j.jimenez@oracle.com>,
        David Matlack <dmatlack@google.com>, <kvm@vger.kernel.org>,
        <linux-kernel@vger.kernel.org>, Alex Mastro
	<amastro@fb.com>,
        Jason Gunthorpe <jgg@ziepe.ca>
X-Mailer: b4 0.13.0
X-FB-Internal: Safe
X-Proofpoint-Spam-Details-Enc: AW1haW4tMjUxMDI4MDEzNyBTYWx0ZWRfX0ToYcnNJgFzb
 KnkXVmFYP4ny0zRbepIPW5SvT55TCwqeNZFpgX5qu51doo270+UhsEN5sNdFH8s8c1FRjdIGJpG
 9l2hjqtIg5Qs/bsuAzLLdyUAtL9cOrHOoZnk24eVmv1QbgK7W+iHy/A2nhJT16vdVyTg1VG4I5w
 GuPwlDTnEoMkB8g18VjKp40x/LJR6l4OR1JGKMFjgYwXdFvDPNmrttQZBQvIZBm4D8bY2nJISmr
 vWC0ZmKxpROY1td+zGSk7CzQsmFgAqObCctvG8T8Jz/hkhfarzxyEsJXG8ESGCJfI1fdGZhMROd
 gcS5RLpBlGVDdRL7G5bCtH6f0fv2Os2vmMrchYcDBJ78TywI2QQJYwYX6Iz7/qIsilPhsbQamD6
 BWPMcqRCuTYTOnodmUJsmussID3vKg==
X-Proofpoint-GUID: jDUOkojAFwKBOg7yi24S05NxM_MyRSHQ
X-Authority-Analysis: v=2.4 cv=Uspu9uwB c=1 sm=1 tr=0 ts=6900ec10 cx=c_pps
 a=CB4LiSf2rd0gKozIdrpkBw==:117 a=CB4LiSf2rd0gKozIdrpkBw==:17
 a=IkcTkHD0fZMA:10 a=x6icFKpwvdMA:10 a=VkNPw1HP01LnGYTKEx00:22
 a=yPCof4ZbAAAA:8 a=Ikd4Dj_1AAAA:8 a=FOH2dFAWAAAA:8 a=kyqc8lFLhbGN_ZoCeBMA:9
 a=QEXdDO2ut3YA:10
X-Proofpoint-ORIG-GUID: jDUOkojAFwKBOg7yi24S05NxM_MyRSHQ
X-Proofpoint-Virus-Version: vendor=baseguard
 engine=ICAP:2.0.293,Aquarius:18.0.1121,Hydra:6.1.9,FMLib:17.12.80.40
 definitions=2025-10-28_06,2025-10-22_01,2025-03-28_01

Adopt check_*_overflow() functions to clearly express overflow check
intent.

Tested-by: Alejandro Jimenez <alejandro.j.jimenez@oracle.com>
Fixes: 73fa0d10d077 ("vfio: Type1 IOMMU implementation")
Reviewed-by: Jason Gunthorpe <jgg@nvidia.com>
Reviewed-by: Alejandro Jimenez <alejandro.j.jimenez@oracle.com>
Signed-off-by: Alex Mastro <amastro@fb.com>
---
 drivers/vfio/vfio_iommu_type1.c | 86 ++++++++++++++++++++++++++++++-------=
----
 1 file changed, 63 insertions(+), 23 deletions(-)

diff --git a/drivers/vfio/vfio_iommu_type1.c b/drivers/vfio/vfio_iommu_type=
1.c
index 916cad80941c..91b1480b7a37 100644
--- a/drivers/vfio/vfio_iommu_type1.c
+++ b/drivers/vfio/vfio_iommu_type1.c
@@ -38,6 +38,7 @@
 #include <linux/workqueue.h>
 #include <linux/notifier.h>
 #include <linux/mm_inline.h>
+#include <linux/overflow.h>
 #include "vfio.h"
=20
 #define DRIVER_VERSION  "0.2"
@@ -182,7 +183,7 @@ static struct vfio_dma *vfio_find_dma(struct vfio_iommu=
 *iommu,
 }
=20
 static struct rb_node *vfio_find_dma_first_node(struct vfio_iommu *iommu,
-						dma_addr_t start, u64 size)
+						dma_addr_t start, size_t size)
 {
 	struct rb_node *res =3D NULL;
 	struct rb_node *node =3D iommu->dma_list.rb_node;
@@ -895,14 +896,20 @@ static int vfio_iommu_type1_pin_pages(void *iommu_dat=
a,
 	unsigned long remote_vaddr;
 	struct vfio_dma *dma;
 	bool do_accounting;
+	dma_addr_t iova_end;
+	size_t iova_size;
=20
-	if (!iommu || !pages)
+	if (!iommu || !pages || npage <=3D 0)
 		return -EINVAL;
=20
 	/* Supported for v2 version only */
 	if (!iommu->v2)
 		return -EACCES;
=20
+	if (check_mul_overflow(npage, PAGE_SIZE, &iova_size) ||
+	    check_add_overflow(user_iova, iova_size - 1, &iova_end))
+		return -EOVERFLOW;
+
 	mutex_lock(&iommu->lock);
=20
 	if (WARN_ONCE(iommu->vaddr_invalid_count,
@@ -1008,12 +1015,21 @@ static void vfio_iommu_type1_unpin_pages(void *iomm=
u_data,
 {
 	struct vfio_iommu *iommu =3D iommu_data;
 	bool do_accounting;
+	dma_addr_t iova_end;
+	size_t iova_size;
 	int i;
=20
 	/* Supported for v2 version only */
 	if (WARN_ON(!iommu->v2))
 		return;
=20
+	if (WARN_ON(npage <=3D 0))
+		return;
+
+	if (WARN_ON(check_mul_overflow(npage, PAGE_SIZE, &iova_size) ||
+		    check_add_overflow(user_iova, iova_size - 1, &iova_end)))
+		return;
+
 	mutex_lock(&iommu->lock);
=20
 	do_accounting =3D list_empty(&iommu->domain_list);
@@ -1374,7 +1390,8 @@ static int vfio_dma_do_unmap(struct vfio_iommu *iommu,
 	int ret =3D -EINVAL, retries =3D 0;
 	unsigned long pgshift;
 	dma_addr_t iova =3D unmap->iova;
-	u64 size =3D unmap->size;
+	dma_addr_t iova_end;
+	size_t size =3D unmap->size;
 	bool unmap_all =3D unmap->flags & VFIO_DMA_UNMAP_FLAG_ALL;
 	bool invalidate_vaddr =3D unmap->flags & VFIO_DMA_UNMAP_FLAG_VADDR;
 	struct rb_node *n, *first_n;
@@ -1387,6 +1404,11 @@ static int vfio_dma_do_unmap(struct vfio_iommu *iomm=
u,
 		goto unlock;
 	}
=20
+	if (iova !=3D unmap->iova || size !=3D unmap->size) {
+		ret =3D -EOVERFLOW;
+		goto unlock;
+	}
+
 	pgshift =3D __ffs(iommu->pgsize_bitmap);
 	pgsize =3D (size_t)1 << pgshift;
=20
@@ -1396,10 +1418,15 @@ static int vfio_dma_do_unmap(struct vfio_iommu *iom=
mu,
 	if (unmap_all) {
 		if (iova || size)
 			goto unlock;
-		size =3D U64_MAX;
-	} else if (!size || size & (pgsize - 1) ||
-		   iova + size - 1 < iova || size > SIZE_MAX) {
-		goto unlock;
+		size =3D SIZE_MAX;
+	} else {
+		if (!size || size & (pgsize - 1))
+			goto unlock;
+
+		if (check_add_overflow(iova, size - 1, &iova_end)) {
+			ret =3D -EOVERFLOW;
+			goto unlock;
+		}
 	}
=20
 	/* When dirty tracking is enabled, allow only min supported pgsize */
@@ -1446,7 +1473,7 @@ static int vfio_dma_do_unmap(struct vfio_iommu *iommu,
 		if (dma && dma->iova !=3D iova)
 			goto unlock;
=20
-		dma =3D vfio_find_dma(iommu, iova + size - 1, 0);
+		dma =3D vfio_find_dma(iommu, iova_end, 0);
 		if (dma && dma->iova + dma->size !=3D iova + size)
 			goto unlock;
 	}
@@ -1648,7 +1675,9 @@ static int vfio_dma_do_map(struct vfio_iommu *iommu,
 {
 	bool set_vaddr =3D map->flags & VFIO_DMA_MAP_FLAG_VADDR;
 	dma_addr_t iova =3D map->iova;
+	dma_addr_t iova_end;
 	unsigned long vaddr =3D map->vaddr;
+	unsigned long vaddr_end;
 	size_t size =3D map->size;
 	int ret =3D 0, prot =3D 0;
 	size_t pgsize;
@@ -1656,8 +1685,15 @@ static int vfio_dma_do_map(struct vfio_iommu *iommu,
=20
 	/* Verify that none of our __u64 fields overflow */
 	if (map->size !=3D size || map->vaddr !=3D vaddr || map->iova !=3D iova)
+		return -EOVERFLOW;
+
+	if (!size)
 		return -EINVAL;
=20
+	if (check_add_overflow(iova, size - 1, &iova_end) ||
+	    check_add_overflow(vaddr, size - 1, &vaddr_end))
+		return -EOVERFLOW;
+
 	/* READ/WRITE from device perspective */
 	if (map->flags & VFIO_DMA_MAP_FLAG_WRITE)
 		prot |=3D IOMMU_WRITE;
@@ -1673,13 +1709,7 @@ static int vfio_dma_do_map(struct vfio_iommu *iommu,
=20
 	WARN_ON((pgsize - 1) & PAGE_MASK);
=20
-	if (!size || (size | iova | vaddr) & (pgsize - 1)) {
-		ret =3D -EINVAL;
-		goto out_unlock;
-	}
-
-	/* Don't allow IOVA or virtual address wrap */
-	if (iova + size - 1 < iova || vaddr + size - 1 < vaddr) {
+	if ((size | iova | vaddr) & (pgsize - 1)) {
 		ret =3D -EINVAL;
 		goto out_unlock;
 	}
@@ -1710,7 +1740,7 @@ static int vfio_dma_do_map(struct vfio_iommu *iommu,
 		goto out_unlock;
 	}
=20
-	if (!vfio_iommu_iova_dma_valid(iommu, iova, iova + size - 1)) {
+	if (!vfio_iommu_iova_dma_valid(iommu, iova, iova_end)) {
 		ret =3D -EINVAL;
 		goto out_unlock;
 	}
@@ -2977,7 +3007,8 @@ static int vfio_iommu_type1_dirty_pages(struct vfio_i=
ommu *iommu,
 		struct vfio_iommu_type1_dirty_bitmap_get range;
 		unsigned long pgshift;
 		size_t data_size =3D dirty.argsz - minsz;
-		size_t iommu_pgsize;
+		size_t size, iommu_pgsize;
+		dma_addr_t iova, iova_end;
=20
 		if (!data_size || data_size < sizeof(range))
 			return -EINVAL;
@@ -2986,14 +3017,24 @@ static int vfio_iommu_type1_dirty_pages(struct vfio=
_iommu *iommu,
 				   sizeof(range)))
 			return -EFAULT;
=20
-		if (range.iova + range.size < range.iova)
+		iova =3D range.iova;
+		size =3D range.size;
+
+		if (iova !=3D range.iova || size !=3D range.size)
+			return -EOVERFLOW;
+
+		if (!size)
 			return -EINVAL;
+
+		if (check_add_overflow(iova, size - 1, &iova_end))
+			return -EOVERFLOW;
+
 		if (!access_ok((void __user *)range.bitmap.data,
 			       range.bitmap.size))
 			return -EINVAL;
=20
 		pgshift =3D __ffs(range.bitmap.pgsize);
-		ret =3D verify_bitmap_size(range.size >> pgshift,
+		ret =3D verify_bitmap_size(size >> pgshift,
 					 range.bitmap.size);
 		if (ret)
 			return ret;
@@ -3007,19 +3048,18 @@ static int vfio_iommu_type1_dirty_pages(struct vfio=
_iommu *iommu,
 			ret =3D -EINVAL;
 			goto out_unlock;
 		}
-		if (range.iova & (iommu_pgsize - 1)) {
+		if (iova & (iommu_pgsize - 1)) {
 			ret =3D -EINVAL;
 			goto out_unlock;
 		}
-		if (!range.size || range.size & (iommu_pgsize - 1)) {
+		if (size & (iommu_pgsize - 1)) {
 			ret =3D -EINVAL;
 			goto out_unlock;
 		}
=20
 		if (iommu->dirty_page_tracking)
 			ret =3D vfio_iova_dirty_bitmap(range.bitmap.data,
-						     iommu, range.iova,
-						     range.size,
+						     iommu, iova, size,
 						     range.bitmap.pgsize);
 		else
 			ret =3D -EINVAL;

--=20
2.47.3