vfio/type1: Fix unmap overflow off-by-one

The below referenced commit adds a test for integer overflow, but in
doing so prevents the unmap ioctl from ever including the last page of
the address space.  Subtract one to compare to the last address of the
unmap to avoid the overflow and wrap-around.

Fixes: 71a7d3d78e3c ("vfio/type1: silence integer overflow warning")
Link: https://bugzilla.redhat.com/show_bug.cgi?id=1662291
Cc: [email protected] # v4.15+
Reported-by: Pei Zhang <[email protected]>
Debugged-by: Peter Xu <[email protected]>
Reviewed-by: Dan Carpenter <[email protected]>
Reviewed-by: Peter Xu <[email protected]>
Tested-by: Peter Xu <[email protected]>
Reviewed-by: Cornelia Huck <[email protected]>
Signed-off-by: Alex Williamson <[email protected]>

diff --git a/drivers/vfio/vfio_iommu_type1.c b/drivers/vfio/vfio_iommu_type1.c
index 7651cfb14836ab3d751b770797fd3c7e3b985bb2..73652e21efec6a28393bd979d2d42caef711b280 100644 (file)
--- a/drivers/vfio/vfio_iommu_type1.c
+++ b/drivers/vfio/vfio_iommu_type1.c
@@ -878,7 +878,7 @@ static int vfio_dma_do_unmap(struct vfio_iommu *iommu,
                return -EINVAL;
        if (!unmap->size || unmap->size & mask)
                return -EINVAL;
-       if (unmap->iova + unmap->size < unmap->iova ||
+       if (unmap->iova + unmap->size - 1 < unmap->iova ||
            unmap->size > SIZE_MAX)
                return -EINVAL;