authorJiri Slaby <jslaby@suse.cz>2019-01-18 07:53:27 +0100
committerJiri Slaby <jslaby@suse.cz>2019-01-18 07:53:38 +0100
commit0e5cea12b8720dd137fbe4aa5a73e6f293728119 (patch)
tree3ea3dfa7fc023e535087f54deebff3a97edd11d7
parentcba28ab858f5b711e262be46e8643c3e5cdf9570 (diff)
vfio/type1: Fix unmap overflow off-by-one (bnc#1012628).
-rw-r--r--patches.kernel.org/4.20.3-036-vfio-type1-Fix-unmap-overflow-off-by-one.patch46
-rw-r--r--series.conf1
2 files changed, 47 insertions, 0 deletions
diff --git a/patches.kernel.org/4.20.3-036-vfio-type1-Fix-unmap-overflow-off-by-one.patch b/patches.kernel.org/4.20.3-036-vfio-type1-Fix-unmap-overflow-off-by-one.patch
new file mode 100644
index 0000000000..3761b26a53
--- /dev/null
+++ b/patches.kernel.org/4.20.3-036-vfio-type1-Fix-unmap-overflow-off-by-one.patch
@@ -0,0 +1,46 @@
+From: Alex Williamson <alex.williamson@redhat.com>
+Date: Mon, 7 Jan 2019 22:13:22 -0700
+Subject: [PATCH] vfio/type1: Fix unmap overflow off-by-one
+References: bnc#1012628
+Patch-mainline: 4.20.3
+Git-commit: 58fec830fc19208354895d9832785505046d6c01
+
+commit 58fec830fc19208354895d9832785505046d6c01 upstream.
+
+The below referenced commit adds a test for integer overflow, but in
+doing so prevents the unmap ioctl from ever including the last page of
+the address space. Subtract one to compare to the last address of the
+unmap to avoid the overflow and wrap-around.
+
+Fixes: 71a7d3d78e3c ("vfio/type1: silence integer overflow warning")
+Link: https://bugzilla.redhat.com/show_bug.cgi?id=1662291
+Cc: stable@vger.kernel.org # v4.15+
+Reported-by: Pei Zhang <pezhang@redhat.com>
+Debugged-by: Peter Xu <peterx@redhat.com>
+Reviewed-by: Dan Carpenter <dan.carpenter@oracle.com>
+Reviewed-by: Peter Xu <peterx@redhat.com>
+Tested-by: Peter Xu <peterx@redhat.com>
+Reviewed-by: Cornelia Huck <cohuck@redhat.com>
+Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ drivers/vfio/vfio_iommu_type1.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/vfio/vfio_iommu_type1.c b/drivers/vfio/vfio_iommu_type1.c
+index d9fd3188615d..64cbc2d007c9 100644
+--- a/drivers/vfio/vfio_iommu_type1.c
++++ b/drivers/vfio/vfio_iommu_type1.c
+@@ -878,7 +878,7 @@ static int vfio_dma_do_unmap(struct vfio_iommu *iommu,
+ return -EINVAL;
+ if (!unmap->size || unmap->size & mask)
+ return -EINVAL;
+- if (unmap->iova + unmap->size < unmap->iova ||
++ if (unmap->iova + unmap->size - 1 < unmap->iova ||
+ unmap->size > SIZE_MAX)
+ return -EINVAL;
+
+--
+2.20.1
+
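Review bot: The corrected condition on the added line of the inner hunk, `unmap->iova + unmap->size - 1 < unmap->iova`, is only safe because the `!unmap->size` test two lines above already rejects a zero size; on its own, `size - 1` would wrap for size 0 and the comparison would let a zero-length request through. Since the two conditions are separate `if` statements, a short comment would keep a later reorder from reintroducing the wrap: `/* size is non-zero here (rejected above), so size - 1 cannot wrap */`. The `unmap->size > SIZE_MAX` clause is untouched by the change and presumably only matters where the field is wider than size_t. vfio_dma_do_unmap begins and ends outside the hunk.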
diff --git a/series.conf b/series.conf
index 05cce433c5..78b982e401 100644
--- a/series.conf
+++ b/series.conf
@@ -273,6 +273,7 @@
patches.kernel.org/4.20.3-033-ACPI-IORT-Fix-rc_dma_get_range.patch
patches.kernel.org/4.20.3-034-i2c-dev-prevent-adapter-retries-and-timeout-be.patch
patches.kernel.org/4.20.3-035-mtd-rawnand-qcom-fix-memory-corruption-that-ca.patch
+ patches.kernel.org/4.20.3-036-vfio-type1-Fix-unmap-overflow-off-by-one.patch
########################################################
# Build fixes that apply to the vanilla kernel too.