Re: [syzbot] [iommu?] WARNING in iopt_map_pages (3)

Next message: Jason Gunthorpe: "Re: [PATCH v3 2/2] vfio/type1: Set IOMMU_MMIO in dma-&gt;prot for MMIO-backed addresses"
Previous message: Wen Gu: "Re: [PATCH net-next v5 1/2] ptp: introduce Alibaba CIPU PHC driver"
In reply to: Yi Liu: "Re: [syzbot] [iommu?] WARNING in iopt_map_pages (3)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Jason Gunthorpe

Date: Fri Dec 12 2025 - 01:56:04 EST

On Tue, Dec 09, 2025 at 07:57:06PM +0800, Yi Liu wrote:

> It looks to be an overflow error as user gives the below arg. But
> this should be expected. no?
>
> // start: int64 = 0x1000005 (8 bytes)
> // length: int64 = 0xffffffffffefffff (8 bytes)

Something probably overflowed, the test is:

r0 = openat$iommufd(0xffffffffffffff9c, &(0x7f0000000000), 0x0, 0x0)
ioctl$IOMMU_IOAS_ALLOC(r0, 0x3b81, &(0x7f0000000100)={0xc, 0x0, <r1=>0x0})
ioctl$IOMMU_TEST_OP_ADD_RESERVED(r0, 0x3ba0, &(0x7f0000000040)={0x48, 0x1, r1, 0x0, 0x1000005, 0xffffffffffefffff})
ioctl$IOMMU_TEST_OP_MOCK_DOMAIN_FLAGS(r0, 0x3ba0, &(0x7f00000003c0)={0x48, 0x2, r1})
ioctl$IOMMU_IOAS_MAP$PAGES(r0, 0x3b85, &(0x7f0000001340)={0x28, 0x2, r1, 0x0, &(0x7f00003bd000/0x3000)=nil, 0x3000, 0x80})

And I'm guessing the allocator picked something that failed the
reserved range intersection path:

/* No reserved IOVA intersects the range */
if (iopt_reserved_iter_first(iopt, iova, last))
return -EINVAL;

Maybe due to a corrupted range or something.

I'll look next week

Jason