* Re: [PATCH] iommufd: Check for overflow in IOMMU_TEST_OP_ADD_RESERVED
2025-12-16 17:13 [PATCH] iommufd: Check for overflow in IOMMU_TEST_OP_ADD_RESERVED Jason Gunthorpe
@ 2025-12-16 17:42 ` Samiullah Khawaja
2025-12-17 9:17 ` Yi Liu
2025-12-18 6:48 ` Tian, Kevin
2 siblings, 0 replies; 5+ messages in thread
From: Samiullah Khawaja @ 2025-12-16 17:42 UTC
To: Jason Gunthorpe
Cc: iommu, Joerg Roedel, Kevin Tian, Robin Murphy, Will Deacon,
Eric Auger, Matthew Rosato, patches, syzbot+57fdb0cf6a0c5d1f15a2
On Tue, Dec 16, 2025 at 9:15 AM Jason Gunthorpe <jgg@nvidia.com> wrote:
>
> syzkaller found it could overflow math in the test infrastructure and
> cause a WARN_ON by corrupting the reserved interval tree. This only
> affects test kernels with CONFIG_IOMMUFD_TEST.
>
> Validate the user input length in the test ioctl.
>
> Fixes: f4b20bb34c83 ("iommufd: Add kernel support for testing iommufd")
> Reported-by: syzbot+57fdb0cf6a0c5d1f15a2@syzkaller.appspotmail.com
> Closes: https://lore.kernel.org/all/69368129.a70a0220.38f243.008f.GAE@google.com
> Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
> ---
> drivers/iommu/iommufd/selftest.c | 8 +++++++-
> 1 file changed, 7 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/iommu/iommufd/selftest.c b/drivers/iommu/iommufd/selftest.c
> index 86446e1537949a..550ff36dec3a35 100644
> --- a/drivers/iommu/iommufd/selftest.c
> +++ b/drivers/iommu/iommufd/selftest.c
> @@ -1184,14 +1184,20 @@ static int iommufd_test_add_reserved(struct iommufd_ucmd *ucmd,
> unsigned int mockpt_id,
> unsigned long start, size_t length)
> {
> + unsigned long last;
> struct iommufd_ioas *ioas;
> int rc;
>
> + if (!length)
> + return -EINVAL;
> + if (check_add_overflow(start, length - 1, &last))
> + return -EOVERFLOW;
> +
> ioas = iommufd_get_ioas(ucmd->ictx, mockpt_id);
> if (IS_ERR(ioas))
> return PTR_ERR(ioas);
> down_write(&ioas->iopt.iova_rwsem);
> - rc = iopt_reserve_iova(&ioas->iopt, start, start + length - 1, NULL);
> + rc = iopt_reserve_iova(&ioas->iopt, start, last, NULL);
> up_write(&ioas->iopt.iova_rwsem);
> iommufd_put_object(ucmd->ictx, &ioas->obj);
> return rc;
>
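Review bot: in the block added at the top of iommufd_test_add_reserved(), nothing records that `last` is the inclusive end handed to iopt_reserve_iova(), which is why the `if (!length)` guard has to come before `length - 1`. A one-line comment above the two checks would make that ordering dependency explicit: without the guard, a zero length makes `length - 1` wrap, and with `start` equal to 0 the sum would pass check_add_overflow() and reserve the whole range.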
> base-commit: b80fab281349f107a07e841eb412a86e2877ae88
> --
> 2.43.0
>
>
Reviewed-by: Samiullah Khawaja <skhawaja@google.com>
* Re: [PATCH] iommufd: Check for overflow in IOMMU_TEST_OP_ADD_RESERVED
From: Yi Liu @ 2025-12-17 9:17 UTC
To: Jason Gunthorpe, iommu, Joerg Roedel, Kevin Tian, Robin Murphy,
Will Deacon
Cc: Eric Auger, Matthew Rosato, patches, syzbot+57fdb0cf6a0c5d1f15a2
On 2025/12/17 01:13, Jason Gunthorpe wrote:
> syzkaller found it could overflow math in the test infrastructure and
> cause a WARN_ON by corrupting the reserved interval tree. This only
> affects test kernels with CONFIG_IOMMUFD_TEST.
>
> Validate the user input length in the test ioctl.
>
> Fixes: f4b20bb34c83 ("iommufd: Add kernel support for testing iommufd")
> Reported-by: syzbot+57fdb0cf6a0c5d1f15a2@syzkaller.appspotmail.com
> Closes: https://lore.kernel.org/all/69368129.a70a0220.38f243.008f.GAE@google.com
> Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
> ---
> drivers/iommu/iommufd/selftest.c | 8 +++++++-
> 1 file changed, 7 insertions(+), 1 deletion(-)
Tested-by: Yi Liu <yi.l.liu@intel.com>
a nit: is it necessary to add another overflow test case in selftest?
diff --git a/tools/testing/selftests/iommu/iommufd.c
b/tools/testing/selftests/iommu/iommufd.c
index bb4d33dde3c8..4404889c8b7c 100644
--- a/tools/testing/selftests/iommu/iommufd.c
+++ b/tools/testing/selftests/iommu/iommufd.c
@@ -995,6 +995,12 @@ TEST_F(iommufd_ioas, reserved_overflow)
ioctl(self->fd, _IOMMU_TEST_CMD(IOMMU_TEST_OP_ADD_RESERVED),
&test_cmd));
test_err_ioctl_ioas_map(ENOSPC, buffer, map_len, &iova);
+
+ test_cmd.add_reserved.start = 0x1000005;
+ test_cmd.add_reserved.length = 0xffffffffffefffff;
+ EXPECT_EQ(EOVERFLOW,
+ ioctl(self->fd, _IOMMU_TEST_CMD(IOMMU_TEST_OP_ADD_RESERVED),
+ &test_cmd));
}
TEST_F(iommufd_ioas, area_allowed)
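Review bot: `EXPECT_EQ(EOVERFLOW, ioctl(...))` in the added lines compares the ioctl() return value with the errno constant, but a failing ioctl() returns -1 and reports the error in errno, so this expectation cannot pass even with the kernel fix applied. Check for a -1 return and then compare errno with EOVERFLOW. The new `if (!length)` path that returns -EINVAL is also not exercised here; a zero-length case would cover it.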
> diff --git a/drivers/iommu/iommufd/selftest.c b/drivers/iommu/iommufd/selftest.c
> index 86446e1537949a..550ff36dec3a35 100644
> --- a/drivers/iommu/iommufd/selftest.c
> +++ b/drivers/iommu/iommufd/selftest.c
> @@ -1184,14 +1184,20 @@ static int iommufd_test_add_reserved(struct iommufd_ucmd *ucmd,
> unsigned int mockpt_id,
> unsigned long start, size_t length)
> {
> + unsigned long last;
> struct iommufd_ioas *ioas;
> int rc;
>
> + if (!length)
> + return -EINVAL;
> + if (check_add_overflow(start, length - 1, &last))
> + return -EOVERFLOW;
> +
> ioas = iommufd_get_ioas(ucmd->ictx, mockpt_id);
> if (IS_ERR(ioas))
> return PTR_ERR(ioas);
> down_write(&ioas->iopt.iova_rwsem);
> - rc = iopt_reserve_iova(&ioas->iopt, start, start + length - 1, NULL);
> + rc = iopt_reserve_iova(&ioas->iopt, start, last, NULL);
> up_write(&ioas->iopt.iova_rwsem);
> iommufd_put_object(ucmd->ictx, &ioas->obj);
> return rc;
>
> base-commit: b80fab281349f107a07e841eb412a86e2877ae88
* Re: [PATCH] iommufd: Check for overflow in IOMMU_TEST_OP_ADD_RESERVED
From: Jason Gunthorpe @ 2025-12-17 13:39 UTC
To: Yi Liu
Cc: iommu, Joerg Roedel, Kevin Tian, Robin Murphy, Will Deacon,
Eric Auger, Matthew Rosato, patches, syzbot+57fdb0cf6a0c5d1f15a2
On Wed, Dec 17, 2025 at 05:17:46PM +0800, Yi Liu wrote:
> On 2025/12/17 01:13, Jason Gunthorpe wrote:
> > syzkaller found it could overflow math in the test infrastructure and
> > cause a WARN_ON by corrupting the reserved interval tree. This only
> > affects test kernels with CONFIG_IOMMUFD_TEST.
> >
> > Validate the user input length in the test ioctl.
> >
> > Fixes: f4b20bb34c83 ("iommufd: Add kernel support for testing iommufd")
> > Reported-by: syzbot+57fdb0cf6a0c5d1f15a2@syzkaller.appspotmail.com
> > Closes: https://lore.kernel.org/all/69368129.a70a0220.38f243.008f.GAE@google.com
> > Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
> > ---
> > drivers/iommu/iommufd/selftest.c | 8 +++++++-
> > 1 file changed, 7 insertions(+), 1 deletion(-)
>
> Tested-by: Yi Liu <yi.l.liu@intel.com>
>
> a nit: is it necessary to add another overflow test case in selftest?
No, this is just test code, not actual production code.
Jason
* RE: [PATCH] iommufd: Check for overflow in IOMMU_TEST_OP_ADD_RESERVED
From: Tian, Kevin @ 2025-12-18 6:48 UTC
To: Jason Gunthorpe, iommu@lists.linux.dev, Joerg Roedel,
Robin Murphy, Will Deacon
Cc: Eric Auger, Matthew Rosato, patches@lists.linux.dev,
syzbot+57fdb0cf6a0c5d1f15a2@syzkaller.appspotmail.com
> From: Jason Gunthorpe <jgg@nvidia.com>
> Sent: Wednesday, December 17, 2025 1:14 AM
>
> syzkaller found it could overflow math in the test infrastructure and
> cause a WARN_ON by corrupting the reserved interval tree. This only
> affects test kernels with CONFIG_IOMMUFD_TEST.
>
> Validate the user input length in the test ioctl.
>
> Fixes: f4b20bb34c83 ("iommufd: Add kernel support for testing iommufd")
> Reported-by: syzbot+57fdb0cf6a0c5d1f15a2@syzkaller.appspotmail.com
> Closes: https://lore.kernel.org/all/69368129.a70a0220.38f243.008f.GAE@google.com
> Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
Reviewed-by: Kevin Tian <kevin.tian@intel.com>