In vfio_listener_region_add(), the code makes sure
that the offset in the section is lower than the size
of the section.
To do this, the calculation uses the size of the region
instead of the region limit (size - 1).

This leads to Int128 overflow when the region has
been initialized with UINT64_MAX.

Let's use the address limit of the region instead of the size.

Signed-off-by: Pierre Morel <pmo...@linux.vnet.ibm.com>
---
 hw/vfio/common.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/hw/vfio/common.c b/hw/vfio/common.c
index 85ee9b0..0da10d6 100644
--- a/hw/vfio/common.c
+++ b/hw/vfio/common.c
@@ -338,7 +338,7 @@ static void vfio_listener_region_add(MemoryListener 
*listener,
 
     iova = TARGET_PAGE_ALIGN(section->offset_within_address_space);
     llend = int128_make64(section->offset_within_address_space);
-    llend = int128_add(llend, section->size);
+    llend = int128_add(llend, int128_sub(section->size, int128_one()));
     llend = int128_and(llend, int128_exts64(TARGET_PAGE_MASK));
 
     if (int128_ge(int128_make64(iova), llend)) {
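Review bot: the new `+` line turns llend into an inclusive limit, but the `int128_ge(int128_make64(iova), llend)` check on the last context line still treats it as an exclusive end, so the two no longer agree. With the limit ending on a page boundary, `int128_and(llend, int128_exts64(TARGET_PAGE_MASK))` rounds it down to the start of the section's last page, and a section covering exactly one page then has iova equal to llend and is rejected by the `>=` comparison, where the old exclusive end would have accepted it. Either keep the exclusive end and guard the UINT64_MAX case before the add, or switch the comparison to `int128_gt` and re-derive any later size computed from llend (not visible in this hunk) so it adds the byte back; whichever option is taken, the commit message should say why the alignment and comparison remain correct with an inclusive limit.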
-- 
1.7.1