vfio/type1: Fix unmap overflow off-by-one
The below referenced commit adds a test for integer overflow, but in
doing so prevents the unmap ioctl from ever including the last page of
the address space.  Subtract one to compare to the last address of the
unmap to avoid the overflow and wrap-around.

Fixes: 71a7d3d ("vfio/type1: silence integer overflow warning")
Link: https://bugzilla.redhat.com/show_bug.cgi?id=1662291
Cc: [email protected] # v4.15+
Reported-by: Pei Zhang <[email protected]>
Debugged-by: Peter Xu <[email protected]>
Reviewed-by: Dan Carpenter <[email protected]>
Reviewed-by: Peter Xu <[email protected]>
Tested-by: Peter Xu <[email protected]>
Reviewed-by: Cornelia Huck <[email protected]>
Signed-off-by: Alex Williamson <[email protected]>
awilliam committed Jan 8, 2019
1 parent d1fc117 commit 58fec83
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion drivers/vfio/vfio_iommu_type1.c
Expand Up @@ -878,7 +878,7 @@ static int vfio_dma_do_unmap(struct vfio_iommu *iommu,
return -EINVAL;
if (!unmap->size || unmap->size & mask)
return -EINVAL;
if (unmap->iova + unmap->size < unmap->iova ||
if (unmap->iova + unmap->size - 1 < unmap->iova ||
unmap->size > SIZE_MAX)
return -EINVAL;
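
Review bot: The new comparison `unmap->iova + unmap->size - 1 < unmap->iova` is only correct because the `!unmap->size` test two lines above has already rejected a zero size. With size 0 and iova 0 the left-hand side would wrap to the maximum value and pass the check. That ordering dependency is implicit, so a one-line comment above the condition would help: it should say that size is known to be non-zero here and that the comparison is against the last address of the range rather than one past it. Such a comment makes it harder for a later reordering of these checks to reintroduce the wrap. It would also be worth a regression test that unmaps a range ending exactly at the top of the address space, since that is the case the commit message says the earlier check rejected.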
