On Wed, Jun 24, 2026 at 02:51:53PM -0700, Yousef Alhouseen wrote: > vhost_vdpa_pa_map() adds the IOVA page offset to the user-controlled map > size before computing the number of pages to pin. On 32-bit systems, > where unsigned long is narrower than u64, that addition can overflow and > the code can pin and map fewer pages than the requested IOTLB range. > > Reject sizes that overflow the unsigned long page-count calculation. >
And a Fixes: tag, please. > Signed-off-by: Yousef Alhouseen <[email protected]> > --- > Changes in v2: > - Clarify that the overflow is on 32-bit systems. > - Drop the unrelated memlock check change. > > drivers/vhost/vdpa.c | 9 ++++++++- > 1 file changed, 8 insertions(+), 1 deletion(-) > > diff --git a/drivers/vhost/vdpa.c b/drivers/vhost/vdpa.c > index ac55275fa..38b28ed3d 100644 > --- a/drivers/vhost/vdpa.c > +++ b/drivers/vhost/vdpa.c > @@ -1102,6 +1102,7 @@ static int vhost_vdpa_pa_map(struct vhost_vdpa *v, > unsigned int gup_flags = FOLL_LONGTERM; > unsigned long npages, cur_base, map_pfn, last_pfn = 0; > unsigned long lock_limit, sz2pin, nchunks, i; > + unsigned long page_offset; > u64 start = iova; > long pinned; > int ret = 0; > @@ -1114,7 +1115,13 @@ static int vhost_vdpa_pa_map(struct vhost_vdpa *v, > if (perm & VHOST_ACCESS_WO) > gup_flags |= FOLL_WRITE; > > - npages = PFN_UP(size + (iova & ~PAGE_MASK)); > + page_offset = iova & ~PAGE_MASK; > + if (size > ULONG_MAX - page_offset) { > + ret = -EINVAL; > + goto free; > + } > + > + npages = PFN_UP(size + page_offset); > if (!npages) { > ret = -EINVAL; > goto free; > -- > 2.54.0
