Re: [Syzkaller & bisect] There was "iommufd_test" WARNING in v6.2 in guest

From: Jason Gunthorpe
Date: Fri Feb 24 2023 - 09:49:02 EST


On Fri, Feb 24, 2023 at 01:43:38PM +0800, Pengfei Xu wrote:
> Hi Jason,
>
> Greeting!
>
> Platform: ADL-S and x86 platforms
> Host kernel 6.2.0-rc7 which doesn't enable iommufd by host kconfig setting as
> below:
> "# CONFIG_IOMMUFD is not set"
>
> Guest kconfig with iommufd enabled: https://github.com/xupengfe/syzkaller_logs/blob/main/230224_044002_iommufd_test/kconfig_origin
> Reproduced code: https://github.com/xupengfe/syzkaller_logs/blob/main/230224_044002_iommufd_test/repro.c
> v6.2 problem dmesg: https://github.com/xupengfe/syzkaller_logs/blob/main/230224_044002_iommufd_test/v6.2_c9c3395d5e3dcc6daee66c6908354d47bf98cb0c_dmesg.log
> Bisect info: https://github.com/xupengfe/syzkaller_logs/blob/main/230224_044002_iommufd_test/bisect_info.log
>
> There was "iommufd_test" WARNING in v6.2 in guest:
> [ 32.012827] ------------[ cut here ]------------
> [ 32.013027] WARNING: CPU: 1 PID: 393 at drivers/iommu/iommufd/selftest.c:403 iommufd_test+0xb19/0x16f0
> [ 32.013410] Modules linked in:

I didn't include the IOMMU_TEST_OP_MD_CHECK_REFS in the syzkaller
descriptions, how did you hit this?

Anyhow, it is a small issue in the test suite because uptr + length overflows:

--- a/drivers/iommu/iommufd/selftest.c
+++ b/drivers/iommu/iommufd/selftest.c
@@ -568,13 +568,17 @@ static int iommufd_test_md_check_refs(struct iommufd_ucmd *ucmd,
void __user *uptr, size_t length,
unsigned int refs)
{
- if (length % PAGE_SIZE || (uintptr_t)uptr % PAGE_SIZE)
+ uintptr_t end;
+
+ if (length % PAGE_SIZE || (uintptr_t)uptr % PAGE_SIZE ||
+ check_add_overflow((uintptr_t)uptr, (uintptr_t)length, &end))
return -EINVAL;
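Review bot: `end` is assigned by check_add_overflow() in the new condition, but the hunk as quoted stops at `return -EINVAL;` and shows no later use of it. The remainder of iommufd_test_md_check_refs() should bound its page walk with `end` rather than recomputing uptr + length, so the validated value and the loop limit cannot drift apart. A range that ends exactly at the top of the address space also makes the addition overflow and is rejected here; that seems acceptable for a selftest, but a one-line comment above the condition saying so would help the next reader.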

Jason
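The overflow Jason describes, as an added user-space illustration that is not part of the original message or the kernel's selftest code: a page-aligned start and length pass the old alignment-only test while their sum wraps, and the added overflow check rejects them. `DEMO_PAGE_SIZE`, the function names and the sample addresses are constructed for the demo; `__builtin_add_overflow` is the GCC/Clang builtin that the kernel's `check_add_overflow()` is built on.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define DEMO_PAGE_SIZE ((uintptr_t)4096) /* assumed page size for the demo */

/* Shape of the check before the patch: alignment only. */
static bool range_ok_unchecked(uintptr_t uptr, size_t length)
{
    return !(length % DEMO_PAGE_SIZE || uptr % DEMO_PAGE_SIZE);
}

/* Shape of the check after the patch: alignment plus overflow of uptr + length.
 * On success *end holds the exclusive end of the range. */
static bool range_ok_checked(uintptr_t uptr, size_t length, uintptr_t *end)
{
    if (length % DEMO_PAGE_SIZE || uptr % DEMO_PAGE_SIZE ||
        __builtin_add_overflow(uptr, (uintptr_t)length, end))
        return false;
    return true;
}

/* What plain unsigned arithmetic yields for the end of the range (may wrap). */
static uintptr_t wrapped_end(uintptr_t uptr, size_t length)
{
    return uptr + (uintptr_t)length;
}

int main(void)
{
    /* Constructed input: last page of the address space, two pages long. */
    uintptr_t uptr = UINTPTR_MAX - (DEMO_PAGE_SIZE - 1);
    size_t length = 2 * DEMO_PAGE_SIZE;
    uintptr_t end = 0;

    printf("unchecked accepts: %d\n", range_ok_unchecked(uptr, length));
    printf("wrapped end below start: %d\n", wrapped_end(uptr, length) < uptr);
    printf("checked accepts: %d\n", range_ok_checked(uptr, length, &end));

    /* Constructed ordinary range for comparison. */
    if (range_ok_checked(0x10000, 0x3000, &end))
        printf("ordinary range end: %#lx\n", (unsigned long)end);
    return 0;
}
```
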