From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Paul Mackerras, Sasha Levin
Subject: [PATCH 4.15 031/128] KVM: PPC: Book3S HV: Avoid shifts by negative amounts
Date: Fri, 16 Mar 2018 16:22:52 +0100
Message-Id: <20180316152338.111324352@linuxfoundation.org>

4.15-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Paul Mackerras

[ Upstream commit cda2eaa35948893d70145490d5d6ded546fc3bc6 ]

The kvmppc_hpte_page_shifts function decodes the actual and base page
sizes for a HPTE, returning -1 if it doesn't recognize the page size
encoding.  This then gets used as a shift amount in various places,
which is undefined behaviour.  This was reported by Coverity.

In fact this should never occur, since we should only get HPTEs in the
HPT which have a recognized page size encoding.  The only place where
this might not be true is in the call to kvmppc_actual_pgsz() near the
beginning of kvmppc_do_h_enter(), where we are validating the HPTE
value passed in from the guest.

So to fix this and eliminate the undefined behaviour, we make
kvmppc_hpte_page_shifts return 0 for unrecognized page size encodings,
and make kvmppc_actual_pgsz() detect that case and return 0 for the
page size, which will then cause kvmppc_do_h_enter() to return an
error and refuse to insert any HPTE with an unrecognized page size
encoding.

To ensure that we don't get undefined behaviour in compute_tlbie_rb(),
we take the 4k page size path for any unrecognized page size encoding.
This should never be hit in practice because it is only used on HPTE
values which have previously been checked for having a recognized
page size encoding.

Signed-off-by: Paul Mackerras
Signed-off-by: Sasha Levin
Signed-off-by: Greg Kroah-Hartman

--- arch/powerpc/include/asm/kvm_book3s_64.h | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/arch/powerpc/include/asm/kvm_book3s_64.h b/arch/powerpc/include/asm/kvm_book3s_64.h index 735cfa35298a..998f7b7aaa9e 100644 --- a/arch/powerpc/include/asm/kvm_book3s_64.h +++ b/arch/powerpc/include/asm/kvm_book3s_64.h 
@@ -122,13 +122,13 @@ static inline int kvmppc_hpte_page_shifts(unsigned long h, unsigned long l) lphi = (l >> 16) & 0xf; switch ((l >> 12) & 0xf) { case 0: - return !lphi ? 24 : -1; /* 16MB */ + return !lphi ? 24 : 0; /* 16MB */ break; case 1: return 16; /* 64kB */ break; case 3: - return !lphi ? 34 : -1; /* 16GB */ + return !lphi ? 34 : 0; /* 16GB */ break; case 7: return (16 << 8) + 12; /* 64kB in 4kB */ @@ -140,7 +140,7 @@ static inline int kvmppc_hpte_page_shifts(unsigned long h, unsigned long l) return (24 << 8) + 12; /* 16MB in 4kB */ break; } - return -1; + return 0; } static inline int kvmppc_hpte_base_page_shift(unsigned long h, unsigned long l) @@ -159,7 +159,11 @@ static inline int kvmppc_hpte_actual_page_shift(unsigned long h, unsigned long l static inline unsigned long kvmppc_actual_pgsz(unsigned long v, unsigned long r) { - return 1ul << kvmppc_hpte_actual_page_shift(v, r); + int shift = kvmppc_hpte_actual_page_shift(v, r); + + if (shift) + return 1ul << shift; + return 0; } static inline int kvmppc_pgsize_lp_encoding(int base_shift, int actual_shift) @@ -232,7 +236,7 @@ static inline unsigned long compute_tlbie_rb(unsigned long v, unsigned long r, va_low ^= v >> (SID_SHIFT_1T - 16); va_low &= 0x7ff; - if (b_pgshift == 12) { + if (b_pgshift <= 12) { if (a_pgshift > 12) { sllp = (a_pgshift == 16) ? 5 : 4; rb |= sllp << 5; /* AP field */ -- 2.16.2
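
Review bot: In kvmppc_hpte_page_shifts (cases 0 and 3 in the first hunk, and the fall-through `return 0;` in the second), 0 becomes the marker for an unrecognized page size encoding, but nothing in the lines shown documents that, and the trailing `/* 16MB */` and `/* 16GB */` comments now sit on expressions that can also yield 0. Suggest a comment above the function stating that a return value of 0 means the encoding was not recognized and that callers must check for it before treating the result as a page shift.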
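
Review bot: In kvmppc_actual_pgsz, the new `if (shift)` guard rejects only 0, so `1ul << shift` is still evaluated for any other int the helper returns. Since kvmppc_hpte_actual_page_shift returns int, a range check such as `if (shift > 0 && shift < BITS_PER_LONG)` would keep the shift defined even if the decoder changes later. The function also now returns 0 to mean "no valid page size", and the diffstat shows only kvm_book3s_64.h being touched, so the rejection in kvmppc_do_h_enter() that the commit message relies on is not visible in this patch; a one-line comment on the 0 return would make that contract explicit for every caller.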
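
Review bot: In compute_tlbie_rb, `if (b_pgshift <= 12)` sends every value below 12 down the 4k path, not only the 0 that now marks an unrecognized encoding, and the line carries no comment explaining why the equality test was widened. Suggest a short comment on that condition, for example `/* 0 = unrecognized encoding, treated as 4k */`, so the intent recorded in the commit message is also visible in the code.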