vfio/common: Check iova with limit not with size

Message ID 1449741505-5559-1-git-send-email-pmorel@linux.vnet.ibm.com
State New

Commit Message

Pierre Morel Dec. 10, 2015, 9:58 a.m. UTC
In vfio_listener_region_add(), the code makes sure
that the offset in the section is lower than the size
of the section.
To do this, the calculation uses the size of the region
instead of the region limit (size - 1).

This leads to an Int128 overflow when the region has
been initialized with UINT64_MAX.

Let's use the address limit of the region instead of the size.

Signed-off-by: Pierre Morel <pmorel@linux.vnet.ibm.com>
---
 hw/vfio/common.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)
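The two ways of computing llend that the commit message compares, worked through on constructed inputs. This is an added example, not code from the patch or from QEMU: it assumes a 4 KiB TARGET_PAGE_SIZE, models Int128 with a native 128-bit integer, models the int128_get64() assertion on a non-zero high word with fits_u64(), and assumes that QEMU represents a region created with size UINT64_MAX as 2^64 internally. It also tries a third variant, last_byte(), which keeps the exclusive end for the range check and subtracts one only when converting to 64 bits.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not QEMU code. A native 128-bit integer stands in for
 * QEMU's Int128 and a 4 KiB page for TARGET_PAGE_SIZE; both are assumptions. */
typedef unsigned __int128 u128;

#define TGT_PAGE_SIZE 4096ULL
#define TGT_PAGE_MASK (~(TGT_PAGE_SIZE - 1))     /* like TARGET_PAGE_MASK */

/* TARGET_PAGE_ALIGN: round a 64-bit address up to the next page boundary. */
static uint64_t page_align_up(uint64_t addr)
{
    return (addr + TGT_PAGE_SIZE - 1) & TGT_PAGE_MASK;
}

/* int128_and(x, int128_exts64(TARGET_PAGE_MASK)): the sign-extended mask
 * keeps every bit above the page offset, including bits 64..127. */
static u128 page_mask128(u128 v)
{
    return v & ~(u128)(TGT_PAGE_SIZE - 1);
}

/* Before the patch: llend is the exclusive end of the section. */
static u128 llend_exclusive(uint64_t offset, u128 size)
{
    return page_mask128((u128)offset + size);
}

/* After the patch: llend is the inclusive last byte of the section. */
static u128 llend_inclusive(uint64_t offset, u128 size)
{
    return page_mask128((u128)offset + size - 1);
}

/* The check that follows in both versions: int128_ge(int128_make64(iova), llend). */
static bool region_rejected(uint64_t offset, u128 llend)
{
    return (u128)page_align_up(offset) >= llend;
}

/* Models the int128_get64() assertion: the value must fit in 64 bits. */
static bool fits_u64(u128 v)
{
    return (v >> 64) == 0;
}

/* Alternative: keep the exclusive end for the check and subtract one only
 * when converting to 64 bits, so the value 2^64 never reaches int128_get64(). */
static uint64_t last_byte(uint64_t offset, u128 size)
{
    return (uint64_t)(llend_exclusive(offset, size) - 1);
}

int main(void)
{
    /* Constructed inputs: a region whose size QEMU stores as 2^64 (assumed
     * representation of UINT64_MAX), and a single page-aligned page. */
    const u128 two64 = (u128)1 << 64;
    struct { const char *name; uint64_t off; u128 size; } cases[] = {
        { "UINT64_MAX region", 0,      two64         },
        { "single page",       0x1000, TGT_PAGE_SIZE },
    };

    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        u128 ex = llend_exclusive(cases[i].off, cases[i].size);
        u128 in = llend_inclusive(cases[i].off, cases[i].size);
        printf("%-18s exclusive: fits64=%d rejected=%d | "
               "inclusive: fits64=%d rejected=%d | last byte=0x%" PRIx64 "\n",
               cases[i].name,
               fits_u64(ex), region_rejected(cases[i].off, ex),
               fits_u64(in), region_rejected(cases[i].off, in),
               last_byte(cases[i].off, cases[i].size));
    }
    return 0;
}
```

For the 2^64-sized region the exclusive end does not fit in 64 bits while the inclusive one does, which is the overflow the patch targets. For the single page, the exclusive end passes the `>=` check but the inclusive limit masks down to the section offset and is rejected, so the same comparison cannot serve both meanings of llend.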

Patch

diff --git a/hw/vfio/common.c b/hw/vfio/common.c
index 85ee9b0..0da10d6 100644
--- a/hw/vfio/common.c
+++ b/hw/vfio/common.c
@@ -338,7 +338,7 @@  static void vfio_listener_region_add(MemoryListener *listener,
 
     iova = TARGET_PAGE_ALIGN(section->offset_within_address_space);
     llend = int128_make64(section->offset_within_address_space);
-    llend = int128_add(llend, section->size);
+    llend = int128_add(llend, int128_sub(section->size, int128_one()));
     llend = int128_and(llend, int128_exts64(TARGET_PAGE_MASK));
 
     if (int128_ge(int128_make64(iova), llend)) {
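Review bot: the `int128_sub(section->size, int128_one())` turns `llend` from an exclusive end into an inclusive last byte, but the `int128_ge(int128_make64(iova), llend)` test two lines below still treats it as exclusive, so a section covering exactly one page is now rejected: with a page-aligned `offset_within_address_space` and a size equal to TARGET_PAGE_SIZE, the `int128_and` with the page mask brings `llend` down to the offset, `iova` equals the offset, and `iova >= llend` holds. Any later use of `llend` as an end address has the same off-by-one and would need the same audit. Suggest keeping `llend = int128_add(llend, section->size);` for the range check and subtracting one only where the end is converted to 64 bits, e.g. `int128_get64(int128_sub(llend, int128_one()))`, which still keeps the 2^64 value away from int128_get64().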