Re: [PATCH v3 4/5] iommu/s390: Fix incorrect aperture check

[Jason Gunthorpe]

On Thu, Sep 29, 2022 at 05:33:01PM +0200, Niklas Schnelle wrote:
> The domain->geometry.aperture_end specifies the last valid address treat
> it as such when checking if a DMA address is valid.
> 
> Reviewed-by: Pierre Morel <pmorel@xxxxxxxxxxxxx>
> Reviewed-by: Matthew Rosato <mjrosato@xxxxxxxxxxxxx>
> Signed-off-by: Niklas Schnelle <schnelle@xxxxxxxxxxxxx>
> ---
>  drivers/iommu/s390-iommu.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/drivers/iommu/s390-iommu.c b/drivers/iommu/s390-iommu.c
> index ed0e64f478cf..6d4a9c7db32c 100644
> --- a/drivers/iommu/s390-iommu.c
> +++ b/drivers/iommu/s390-iommu.c
> @@ -210,7 +210,7 @@ static int s390_iommu_update_trans(struct s390_domain *s390_domain,
>  	int rc = 0;
>  
>  	if (dma_addr < s390_domain->domain.geometry.aperture_start ||
> -	    dma_addr + size > s390_domain->domain.geometry.aperture_end)
> +	    dma_addr + size > s390_domain->domain.geometry.aperture_end + 1)

The reason the iommu layer uses 'last' (= start + size - 1) not 'end'
is to allow for the very last byte of the range to be used.

Meaning (start + size) == 0 in some cases due to the overflow.

Generally when working with lasts's I prefer people write code in a
way that doesn't trigger the overflow, because there are some
complicated C rules about integer promotion that can mean the desired
overflow silently doesn't happen in obscure cases - especially if
unsigned long != u64

So, I'd write this as:

  (dma_addr + size - 1) > s390_domain->domain.geometry.aperture_end

Jason