* [PATCH] iommufd: Check for overflow in IOMMU_TEST_OP_ADD_RESERVED
@ 2025-12-16 17:13 Jason Gunthorpe
  2025-12-16 17:42 ` Samiullah Khawaja
                   ` (2 more replies)
  0 siblings, 3 replies; 5+ messages in thread
From: Jason Gunthorpe @ 2025-12-16 17:13 UTC (permalink / raw)
  To: iommu, Joerg Roedel, Kevin Tian, Robin Murphy, Will Deacon
  Cc: Eric Auger, Matthew Rosato, patches, syzbot+57fdb0cf6a0c5d1f15a2

syzkaller found it could overflow math in the test infrastructure and
cause a WARN_ON by corrupting the reserved interval tree. This only
affects test kernels with CONFIG_IOMMUFD_TEST.

Validate the user input length in the test ioctl.

Fixes: f4b20bb34c83 ("iommufd: Add kernel support for testing iommufd")
Reported-by: syzbot+57fdb0cf6a0c5d1f15a2@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/all/69368129.a70a0220.38f243.008f.GAE@google.com
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
---
 drivers/iommu/iommufd/selftest.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/drivers/iommu/iommufd/selftest.c b/drivers/iommu/iommufd/selftest.c
index 86446e1537949a..550ff36dec3a35 100644
--- a/drivers/iommu/iommufd/selftest.c
+++ b/drivers/iommu/iommufd/selftest.c
@@ -1184,14 +1184,20 @@ static int iommufd_test_add_reserved(struct iommufd_ucmd *ucmd,
 				     unsigned int mockpt_id,
 				     unsigned long start, size_t length)
 {
+	unsigned long last;
 	struct iommufd_ioas *ioas;
 	int rc;
 
+	if (!length)
+		return -EINVAL;
+	if (check_add_overflow(start, length - 1, &last))
+		return -EOVERFLOW;
+
 	ioas = iommufd_get_ioas(ucmd->ictx, mockpt_id);
 	if (IS_ERR(ioas))
 		return PTR_ERR(ioas);
 	down_write(&ioas->iopt.iova_rwsem);
-	rc = iopt_reserve_iova(&ioas->iopt, start, start + length - 1, NULL);
+	rc = iopt_reserve_iova(&ioas->iopt, start, last, NULL);
 	up_write(&ioas->iopt.iova_rwsem);
 	iommufd_put_object(ucmd->ictx, &ioas->obj);
 	return rc;
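
Review bot: the `if (!length)` test at the top of iommufd_test_add_reserved() does more than reject an empty range, and a one-line comment saying so would protect it from a later cleanup. With length == 0, `length - 1` wraps to the all-ones value, and for start == 0 check_add_overflow() would report no overflow and return that all-ones value in `last`, so the zero check has to stay ahead of the overflow check. The commit message could also state that a zero length is now rejected with -EINVAL, since it describes only the overflow.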

base-commit: b80fab281349f107a07e841eb412a86e2877ae88
-- 
2.43.0



* Re: [PATCH] iommufd: Check for overflow in IOMMU_TEST_OP_ADD_RESERVED
  2025-12-16 17:13 [PATCH] iommufd: Check for overflow in IOMMU_TEST_OP_ADD_RESERVED Jason Gunthorpe
@ 2025-12-16 17:42 ` Samiullah Khawaja
  2025-12-17  9:17 ` Yi Liu
  2025-12-18  6:48 ` Tian, Kevin
  2 siblings, 0 replies; 5+ messages in thread
From: Samiullah Khawaja @ 2025-12-16 17:42 UTC (permalink / raw)
  To: Jason Gunthorpe
  Cc: iommu, Joerg Roedel, Kevin Tian, Robin Murphy, Will Deacon,
	Eric Auger, Matthew Rosato, patches, syzbot+57fdb0cf6a0c5d1f15a2

On Tue, Dec 16, 2025 at 9:15 AM Jason Gunthorpe <jgg@nvidia.com> wrote:
>
> syzkaller found it could overflow math in the test infrastructure and
> cause a WARN_ON by corrupting the reserved interval tree. This only
> affects test kernels with CONFIG_IOMMUFD_TEST.
>
> Validate the user input length in the test ioctl.
>
> Fixes: f4b20bb34c83 ("iommufd: Add kernel support for testing iommufd")
> Reported-by: syzbot+57fdb0cf6a0c5d1f15a2@syzkaller.appspotmail.com
> Closes: https://lore.kernel.org/all/69368129.a70a0220.38f243.008f.GAE@google.com
> Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
> ---
>  drivers/iommu/iommufd/selftest.c | 8 +++++++-
>  1 file changed, 7 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/iommu/iommufd/selftest.c b/drivers/iommu/iommufd/selftest.c
> index 86446e1537949a..550ff36dec3a35 100644
> --- a/drivers/iommu/iommufd/selftest.c
> +++ b/drivers/iommu/iommufd/selftest.c
> @@ -1184,14 +1184,20 @@ static int iommufd_test_add_reserved(struct iommufd_ucmd *ucmd,
>                                      unsigned int mockpt_id,
>                                      unsigned long start, size_t length)
>  {
> +       unsigned long last;
>         struct iommufd_ioas *ioas;
>         int rc;
>
> +       if (!length)
> +               return -EINVAL;
> +       if (check_add_overflow(start, length - 1, &last))
> +               return -EOVERFLOW;
> +
>         ioas = iommufd_get_ioas(ucmd->ictx, mockpt_id);
>         if (IS_ERR(ioas))
>                 return PTR_ERR(ioas);
>         down_write(&ioas->iopt.iova_rwsem);
> -       rc = iopt_reserve_iova(&ioas->iopt, start, start + length - 1, NULL);
> +       rc = iopt_reserve_iova(&ioas->iopt, start, last, NULL);
>         up_write(&ioas->iopt.iova_rwsem);
>         iommufd_put_object(ucmd->ictx, &ioas->obj);
>         return rc;
>
> base-commit: b80fab281349f107a07e841eb412a86e2877ae88
> --
> 2.43.0
>
>

Reviewed-by: Samiullah Khawaja <skhawaja@google.com>


* Re: [PATCH] iommufd: Check for overflow in IOMMU_TEST_OP_ADD_RESERVED
  2025-12-16 17:13 [PATCH] iommufd: Check for overflow in IOMMU_TEST_OP_ADD_RESERVED Jason Gunthorpe
  2025-12-16 17:42 ` Samiullah Khawaja
@ 2025-12-17  9:17 ` Yi Liu
  2025-12-17 13:39   ` Jason Gunthorpe
  2025-12-18  6:48 ` Tian, Kevin
  2 siblings, 1 reply; 5+ messages in thread
From: Yi Liu @ 2025-12-17  9:17 UTC (permalink / raw)
  To: Jason Gunthorpe, iommu, Joerg Roedel, Kevin Tian, Robin Murphy,
	Will Deacon
  Cc: Eric Auger, Matthew Rosato, patches, syzbot+57fdb0cf6a0c5d1f15a2

On 2025/12/17 01:13, Jason Gunthorpe wrote:
> syzkaller found it could overflow math in the test infrastructure and
> cause a WARN_ON by corrupting the reserved interval tree. This only
> affects test kernels with CONFIG_IOMMUFD_TEST.
> 
> Validate the user input length in the test ioctl.
> 
> Fixes: f4b20bb34c83 ("iommufd: Add kernel support for testing iommufd")
> Reported-by: syzbot+57fdb0cf6a0c5d1f15a2@syzkaller.appspotmail.com
> Closes: https://lore.kernel.org/all/69368129.a70a0220.38f243.008f.GAE@google.com
> Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
> ---
>   drivers/iommu/iommufd/selftest.c | 8 +++++++-
>   1 file changed, 7 insertions(+), 1 deletion(-)

Tested-by: Yi Liu <yi.l.liu@intel.com>

a nit: is it necessary to add another overflow test case in selftest?

diff --git a/tools/testing/selftests/iommu/iommufd.c 
b/tools/testing/selftests/iommu/iommufd.c
index bb4d33dde3c8..4404889c8b7c 100644
--- a/tools/testing/selftests/iommu/iommufd.c
+++ b/tools/testing/selftests/iommu/iommufd.c
@@ -995,6 +995,12 @@ TEST_F(iommufd_ioas, reserved_overflow)
  		  ioctl(self->fd, _IOMMU_TEST_CMD(IOMMU_TEST_OP_ADD_RESERVED),
  			&test_cmd));
  	test_err_ioctl_ioas_map(ENOSPC, buffer, map_len, &iova);
+
+	test_cmd.add_reserved.start = 0x1000005;
+	test_cmd.add_reserved.length = 0xffffffffffefffff;
+	EXPECT_EQ(EOVERFLOW,
+		  ioctl(self->fd, _IOMMU_TEST_CMD(IOMMU_TEST_OP_ADD_RESERVED),
+			&test_cmd));
  }

  TEST_F(iommufd_ioas, area_allowed)
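
Review bot: in the added `EXPECT_EQ(EOVERFLOW, ioctl(...))` the expected value is compared with ioctl()'s return value, but a failing ioctl() returns -1 and reports the error code through errno, so this assertion cannot match as written. Check for a -1 return and errno == EOVERFLOW instead, for example with the EXPECT_ERRNO() helper the iommufd selftests already have. Since the kernel patch also adds a zero-length rejection, a second case with add_reserved.length = 0 expecting EINVAL would cover both new branches.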


> diff --git a/drivers/iommu/iommufd/selftest.c b/drivers/iommu/iommufd/selftest.c
> index 86446e1537949a..550ff36dec3a35 100644
> --- a/drivers/iommu/iommufd/selftest.c
> +++ b/drivers/iommu/iommufd/selftest.c
> @@ -1184,14 +1184,20 @@ static int iommufd_test_add_reserved(struct iommufd_ucmd *ucmd,
>   				     unsigned int mockpt_id,
>   				     unsigned long start, size_t length)
>   {
> +	unsigned long last;
>   	struct iommufd_ioas *ioas;
>   	int rc;
>   
> +	if (!length)
> +		return -EINVAL;
> +	if (check_add_overflow(start, length - 1, &last))
> +		return -EOVERFLOW;
> +
>   	ioas = iommufd_get_ioas(ucmd->ictx, mockpt_id);
>   	if (IS_ERR(ioas))
>   		return PTR_ERR(ioas);
>   	down_write(&ioas->iopt.iova_rwsem);
> -	rc = iopt_reserve_iova(&ioas->iopt, start, start + length - 1, NULL);
> +	rc = iopt_reserve_iova(&ioas->iopt, start, last, NULL);
>   	up_write(&ioas->iopt.iova_rwsem);
>   	iommufd_put_object(ucmd->ictx, &ioas->obj);
>   	return rc;
> 
> base-commit: b80fab281349f107a07e841eb412a86e2877ae88


* Re: [PATCH] iommufd: Check for overflow in IOMMU_TEST_OP_ADD_RESERVED
  2025-12-17  9:17 ` Yi Liu
@ 2025-12-17 13:39   ` Jason Gunthorpe
  0 siblings, 0 replies; 5+ messages in thread
From: Jason Gunthorpe @ 2025-12-17 13:39 UTC (permalink / raw)
  To: Yi Liu
  Cc: iommu, Joerg Roedel, Kevin Tian, Robin Murphy, Will Deacon,
	Eric Auger, Matthew Rosato, patches, syzbot+57fdb0cf6a0c5d1f15a2

On Wed, Dec 17, 2025 at 05:17:46PM +0800, Yi Liu wrote:
> On 2025/12/17 01:13, Jason Gunthorpe wrote:
> > syzkaller found it could overflow math in the test infrastructure and
> > cause a WARN_ON by corrupting the reserved interval tree. This only
> > affects test kernels with CONFIG_IOMMUFD_TEST.
> > 
> > Validate the user input length in the test ioctl.
> > 
> > Fixes: f4b20bb34c83 ("iommufd: Add kernel support for testing iommufd")
> > Reported-by: syzbot+57fdb0cf6a0c5d1f15a2@syzkaller.appspotmail.com
> > Closes: https://lore.kernel.org/all/69368129.a70a0220.38f243.008f.GAE@google.com
> > Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
> > ---
> >   drivers/iommu/iommufd/selftest.c | 8 +++++++-
> >   1 file changed, 7 insertions(+), 1 deletion(-)
> 
> Tested-by: Yi Liu <yi.l.liu@intel.com>
> 
> a nit: is it necessary to add another overflow test case in selftest?

No, this is just test code not actual production code.

Jason


* RE: [PATCH] iommufd: Check for overflow in IOMMU_TEST_OP_ADD_RESERVED
  2025-12-16 17:13 [PATCH] iommufd: Check for overflow in IOMMU_TEST_OP_ADD_RESERVED Jason Gunthorpe
  2025-12-16 17:42 ` Samiullah Khawaja
  2025-12-17  9:17 ` Yi Liu
@ 2025-12-18  6:48 ` Tian, Kevin
  2 siblings, 0 replies; 5+ messages in thread
From: Tian, Kevin @ 2025-12-18  6:48 UTC (permalink / raw)
  To: Jason Gunthorpe, iommu@lists.linux.dev, Joerg Roedel,
	Robin Murphy, Will Deacon
  Cc: Eric Auger, Matthew Rosato, patches@lists.linux.dev,
	syzbot+57fdb0cf6a0c5d1f15a2@syzkaller.appspotmail.com

> From: Jason Gunthorpe <jgg@nvidia.com>
> Sent: Wednesday, December 17, 2025 1:14 AM
> 
> syzkaller found it could overflow math in the test infrastructure and
> cause a WARN_ON by corrupting the reserved interval tree. This only
> affects test kernels with CONFIG_IOMMUFD_TEST.
> 
> Validate the user input length in the test ioctl.
> 
> Fixes: f4b20bb34c83 ("iommufd: Add kernel support for testing iommufd")
> Reported-by: syzbot+57fdb0cf6a0c5d1f15a2@syzkaller.appspotmail.com
> Closes: https://lore.kernel.org/all/69368129.a70a0220.38f243.008f.GAE@google.com
> Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>

Reviewed-by: Kevin Tian <kevin.tian@intel.com>

