iommufd: Don't overflow during division for dirty tracking

jgunthorpe · jgunthorpe · commit cb30dfa75d55 · 2025-10-20T19:58:37.000-03:00
If pgshift is 63 then BITS_PER_TYPE(*bitmap->bitmap) * pgsize will overflow to 0 and this triggers divide by 0. In this case the index should just be 0, so reorganize things to divide by shift and avoid hitting any overflows. Link: https://patch.msgid.link/r/0-v1-663679b57226+172-iommufd_dirty_div0_jgg@nvidia.com Cc: stable@vger.kernel.org Fixes: 58ccf01 ("vfio: Add an IOVA bitmap support") Reviewed-by: Joao Martins <joao.m.martins@oracle.com> Reviewed-by: Nicolin Chen <nicolinc@nvidia.com> Reviewed-by: Kevin Tian <kevin.tian@intel.com> Reported-by: syzbot+093a8a8b859472e6c257@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=093a8a8b859472e6c257 Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
diff --git a/drivers/iommu/iommufd/iova_bitmap.c b/drivers/iommu/iommufd/iova_bitmap.c
@@ -130,9 +130,8 @@ struct iova_bitmap {
 static unsigned long iova_bitmap_offset_to_index(struct iova_bitmap *bitmap,
 						 unsigned long iova)
 {
-	unsigned long pgsize = 1UL << bitmap->mapped.pgshift;
-
-	return iova / (BITS_PER_TYPE(*bitmap->bitmap) * pgsize);
+	return (iova >> bitmap->mapped.pgshift) /
+	       BITS_PER_TYPE(*bitmap->bitmap);
 }
 
 /*

Original file line number	Diff line number	Diff line change
`@@ -130,9 +130,8 @@ struct iova_bitmap {`
`130`	`130`	`static unsigned long iova_bitmap_offset_to_index(struct iova_bitmap *bitmap,`
`131`	`131`	`unsigned long iova)`
`132`	`132`	`{`
`133`		`- unsigned long pgsize = 1UL << bitmap->mapped.pgshift;`
`134`		`-`
`135`		`- return iova / (BITS_PER_TYPE(bitmap->bitmap) pgsize);`
	`133`	`+ return (iova >> bitmap->mapped.pgshift) /`
	`134`	`+ BITS_PER_TYPE(*bitmap->bitmap);`
`136`	`135`	`}`
`137`	`136`
`138`	`137`	`/*`