Commit cb30dfa7 authored Oct 08, 2025 by Jason Gunthorpe

iommufd: Don't overflow during division for dirty tracking

If pgshift is 63 then BITS_PER_TYPE(*bitmap->bitmap) * pgsize will overflow
to 0 and this triggers divide by 0.

In this case the index should just be 0, so reorganize things to divide
by shift and avoid hitting any overflows.

Link: https://patch.msgid.link/r/0-v1-663679b57226+172-iommufd_dirty_div0_jgg@nvidia.com


Cc: stable@vger.kernel.org
Fixes: 58ccf019 ("vfio: Add an IOVA bitmap support")
Reviewed-by: Joao Martins <joao.m.martins@oracle.com>
Reviewed-by: Nicolin Chen <nicolinc@nvidia.com>
Reviewed-by: Kevin Tian <kevin.tian@intel.com>
Reported-by:  <syzbot+093a8a8b859472e6c257@syzkaller.appspotmail.com>
Closes: https://syzkaller.appspot.com/bug?extid=093a8a8b859472e6c257


Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>

parent 211ddde0

drivers/iommu/iommufd/iova_bitmap.c

+2 −3

Original line number	Diff line number	Diff line
		@@ -130,9 +130,8 @@ struct iova_bitmap {
		static unsigned long iova_bitmap_offset_to_index(struct iova_bitmap *bitmap,
		unsigned long iova)
		{
		unsigned long pgsize = 1UL << bitmap->mapped.pgshift;

		return iova / (BITS_PER_TYPE(bitmap->bitmap) pgsize);
		return (iova >> bitmap->mapped.pgshift) /
		BITS_PER_TYPE(*bitmap->bitmap);
		}

		/*