Date: Wed, 29 Aug 2018 13:12:05 +0300
From: Dan Carpenter
To: Liran Alon
Cc: Wanpeng Li, Linux Kernel Mailing List, kvm@vger.kernel.org, Paolo Bonzini, Radim Krčmář
Subject: Re: [PATCH] KVM: LAPIC: Fix pv ipis out-of-bounds access

On Wed, Aug 29, 2018 at 12:05:06PM +0300, Liran Alon wrote:
> > arch/x86/kvm/lapic.c | 17 +++++++++++++---- > > 1 file changed, 13 insertions(+), 4 deletions(-) > > > > diff --git a/arch/x86/kvm/lapic.c b/arch/x86/kvm/lapic.c > > index 0cefba2..86e933c 100644 > > --- a/arch/x86/kvm/lapic.c > > +++ b/arch/x86/kvm/lapic.c
> > @@ -571,18 +571,27 @@ int kvm_pv_send_ipi(struct kvm *kvm, unsigned long ipi_bitmap_low, > > rcu_read_lock(); > > map = rcu_dereference(kvm->arch.apic_map); > > > > + if (unlikely((s32)(map->max_apic_id - __fls(ipi_bitmap_low)) < min)) > > + goto out;
>
> I personally think “if ((min + __fls(ipi_bitmap_low)) > map->max_apic_id)” is more readable.
> But that’s just a matter of taste :)

That's an integer overflow.  But I do prefer to put the variable on the
left.  The truth is that some Smatch checks just ignore code which is
backwards written because otherwise you have to write duplicate code and
most code is written with the variable on the left.

	if (min > (s32)(map->max_apic_id - __fls(ipi_bitmap_low)))

Shouldn't this be >= instead?  It looks off by one.

regards,
dan carpenter
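
Review bot: The added check in kvm_pv_send_ipi() calls __fls(ipi_bitmap_low) without first testing that ipi_bitmap_low is non-zero, and __fls() is undefined for a zero word, so the bound being compared against min is meaningless when the caller passes an empty bitmap. Test the bitmap for zero before computing the bound, or bound the iteration over set bits by max_apic_id - min instead. The same added line dereferences map straight after rcu_dereference(); if kvm->arch.apic_map can still be unset on this path, check it for NULL first. The (s32) cast on an unsigned subtraction would also benefit from a one-line comment saying why the comparison is done signed.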
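
The overflow raised in the reply above, as an added example (not code from the patch or from the kernel): the additive bounds check accepts an out-of-range index once the sum wraps, while the subtractive form rejects it. Assumptions: min and the maximum ID are modeled as 32-bit unsigned values (the page does not show their types), max_id is treated as the highest valid index, highest_bit() is a stand-in for __fls(), and the function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* Stand-in for __fls(): index of the highest set bit of a non-zero word. */
static unsigned int highest_bit(unsigned long word)
{
    unsigned int bit = 0;

    while (word >>= 1)
        bit++;
    return bit;
}

/* Additive form: min + highest_bit(bitmap) wraps modulo 2^32. */
static int in_range_additive(uint32_t min, unsigned long bitmap, uint32_t max_id)
{
    uint32_t last = min + highest_bit(bitmap);

    return last <= max_id;
}

/* Subtractive form, done in a wider signed type so nothing wraps. */
static int in_range_subtractive(uint32_t min, unsigned long bitmap, uint32_t max_id)
{
    int64_t room;

    if (bitmap == 0)
        return 0; /* no bits set: nothing to index */
    room = (int64_t)max_id - (int64_t)highest_bit(bitmap);
    return room >= (int64_t)min;
}

int main(void)
{
    /* Constructed values: max index 255, bit 31 set, min near UINT32_MAX. */
    unsigned long bitmap = 1UL << 31;

    printf("additive:    %d\n", in_range_additive(0xFFFFFFF0u, bitmap, 255));
    printf("subtractive: %d\n", in_range_subtractive(0xFFFFFFF0u, bitmap, 255));
    return 0;
}
```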