vfio/type1: Fix unmap overflow off-by-one

The below referenced commit adds a test for integer overflow, but in doing so prevents the unmap ioctl from ever including the last page of the address space. Subtract one to compare to the last address of the unmap to avoid the overflow and wrap-around. Fixes: 71a7d3d78e3c ("vfio/type1: silence integer overflow warning") Link: https://bugzilla.redhat.com/show_bug.cgi?id=1662291 Cc: [email protected] # v4.15+ Reported-by: Pei Zhang <[email protected]> Debugged-by: Peter Xu <[email protected]> Reviewed-by: Dan Carpenter <[email protected]> Reviewed-by: Peter Xu <[email protected]> Tested-by: Peter Xu <[email protected]> Reviewed-by: Cornelia Huck <[email protected]> Signed-off-by: Alex Williamson <[email protected]>
author: Alex Williamson <[email protected]> 2019-01-07 22:13:22 -0700
committer: Alex Williamson <[email protected]> 2019-01-08 09:31:28 -0700
commit: 58fec830fc19208354895d9832785505046d6c01 (patch)
tree: a67fd59017fdf486f854b627c1128675660d9b4d
parent: d1fc1176c055c9ec9c6ec4d113a284e0bad9d09a (diff)
1 files changed, 1 insertions, 1 deletions
diff --git a/drivers/vfio/vfio_iommu_type1.c b/drivers/vfio/vfio_iommu_type1.c
index 7651cfb14836..73652e21efec 100644
--- a/drivers/vfio/vfio_iommu_type1.c
+++ b/drivers/vfio/vfio_iommu_type1.c
@@ -878,7 +878,7 @@ static int vfio_dma_do_unmap(struct vfio_iommu *iommu,
 		return -EINVAL;
 	if (!unmap->size || unmap->size & mask)
 		return -EINVAL;
-	if (unmap->iova + unmap->size < unmap->iova ||
+	if (unmap->iova + unmap->size - 1 < unmap->iova ||
 	    unmap->size > SIZE_MAX)
 		return -EINVAL;
author	Alex Williamson <[email protected]>	2019-01-07 22:13:22 -0700
committer	Alex Williamson <[email protected]>	2019-01-08 09:31:28 -0700
commit	58fec830fc19208354895d9832785505046d6c01 (patch)
tree	a67fd59017fdf486f854b627c1128675660d9b4d
parent	d1fc1176c055c9ec9c6ec4d113a284e0bad9d09a (diff)