Date: Wed, 29 Aug 2018 13:29:10 +0300
From: Dan Carpenter
To: Wanpeng Li
Cc: Liran Alon, LKML, kvm, Paolo Bonzini, Radim Krcmar
Subject: Re: [PATCH] KVM: LAPIC: Fix pv ipis out-of-bounds access
Message-ID: <20180829102910.rkyato47chayt22s@mwanda>
References: <1535521943-5547-1-git-send-email-wanpengli@tencent.com>
 <20180829101205.jsp53e2wq7fc6ukd@mwanda>
 <20180829101822.qo3u7lsmghs3kcuf@mwanda>
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, Aug 29, 2018 at 06:23:08PM +0800, Wanpeng Li wrote:
> On Wed, 29 Aug 2018 at 18:18, Dan Carpenter wrote:
> >
> > On Wed, Aug 29, 2018 at 01:12:05PM +0300, Dan Carpenter wrote:
> > > On Wed, Aug 29, 2018 at 12:05:06PM +0300, Liran Alon wrote:
> > > > > arch/x86/kvm/lapic.c | 17 +++++++++++++----
> > > > > 1 file changed, 13 insertions(+), 4 deletions(-)
> > > > >
> > > > > diff --git a/arch/x86/kvm/lapic.c b/arch/x86/kvm/lapic.c
> > > > > index 0cefba2..86e933c 100644
> > > > > --- a/arch/x86/kvm/lapic.c
> > > > > +++ b/arch/x86/kvm/lapic.c
> > > > > @@ -571,18 +571,27 @@ int kvm_pv_send_ipi(struct kvm *kvm, unsigned long ipi_bitmap_low,
> > > > > rcu_read_lock();
> > > > > map = rcu_dereference(kvm->arch.apic_map);
> > > > >
> > > > > + if (unlikely((s32)(map->max_apic_id - __fls(ipi_bitmap_low)) < min))
> > > > > + goto out;
> > > >
> > > > I personally think “if ((min + __fls(ipi_bitmap_low)) > map->max_apic_id)” is more readable.
> > > > But that’s just a matter of taste :)
> > >
> > > That's an integer overflow.
> > >
> > > But I do prefer to put the variable on the left. The truth is that some
> > > Smatch checks just ignore code which is backwards written because
> > > otherwise you have to write duplicate code and most code is written
> > > with the variable on the left.
> > >
> > > if (min > (s32)(map->max_apic_id - __fls(ipi_bitmap_low))
> >
> > Wait, the (s32) cast doesn't make sense. We want negative min values to
> > be treated as invalid.
>
> In v2, how about:
>
> if (unlikely(min > map->max_apic_id || (min + __fls(ipi_bitmap_low)) >
> map->max_apic_id))
> goto out;

That works, too. It still has the off by one and we should set
"count = -KVM_EINVAL;". Is the unlikely() really required? I don't know
what the fast paths are in KVM, so I don't know.

regards,
dan carpenter
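Review bot: the added `if (unlikely((s32)(map->max_apic_id - __fls(ipi_bitmap_low)) < min))` still admits a negative `min`, which is the point the thread raises: if `min` is signed, as the concern about negative values implies, the left-hand side is non-negative for ordinary inputs and is therefore never less than a negative `min`, so the request is accepted and the later `min + i` indexing lands before the start of `phys_map[]`. Reject `min < 0` (or make `min` unsigned) first, then compare `min + __fls(ipi_bitmap_low) > map->max_apic_id` in a width that cannot wrap. Two more points on the same two lines: `__fls()` is undefined for a zero argument, so a request with `ipi_bitmap_low == 0` must not reach this expression, and the bare `goto out` leaves `count` untouched, so the rejected hypercall returns as if it had delivered nothing rather than an error such as `-KVM_EINVAL`. Finally, nothing between `rcu_dereference()` and `map->max_apic_id` guards against `map` being NULL; if the map can be unset, a NULL check belongs before this line.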
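The three bounds checks discussed in this thread, as an added example that is not part of the patch or of the kernel source: the check as posted in the hunk, the "variable on the left" form suggested in the replies, and a hardened form of my own that rejects negative `min`, never calls `__fls()` on zero, and adds in 64 bits. Everything here is a stand-in: `struct kvm_apic_map` is reduced to its `max_apic_id` field, `__fls()` is reimplemented on top of a compiler builtin, `min` is taken as a signed `int` because the thread worries about negative values, and the 8-vCPU map (`max_apic_id = 7`) and the `(min, bitmap)` pairs are constructed inputs. `walk_reaches_oob()` replays the indexing that follows the check and reports whether an accepted request would touch `phys_map[]` outside `0..max_apic_id`.

```c
/*
 * Added example, not code from the patch or the kernel: the bounds checks
 * from the thread run against constructed inputs, plus a replay of the
 * phys_map[min + i] indexing to see which check lets an out-of-range
 * index through. Assumes 64-bit unsigned long, as on x86_64.
 */
#include <stdint.h>
#include <stdio.h>

_Static_assert(sizeof(unsigned long) == 8, "example assumes 64-bit long");

typedef int32_t  s32;
typedef uint32_t u32;

/* Stand-in for the kernel's apic map: only the field the check uses. */
struct kvm_apic_map {
	u32 max_apic_id;		/* phys_map[] holds ids 0..max_apic_id */
};

/* Stand-in for the kernel's __fls(): highest set bit; undefined for 0. */
static unsigned long __fls(unsigned long word)
{
	return 63 - __builtin_clzl(word);
}

/* The check as posted in the hunk. Returns 1 = accept, 0 = reject. */
static int check_posted(const struct kvm_apic_map *map, unsigned long low, int min)
{
	return !((s32)(map->max_apic_id - __fls(low)) < min);
}

/* The "min + __fls() on the left" form suggested in the thread. */
static int check_sum(const struct kvm_apic_map *map, unsigned long low, int min)
{
	return !((min + __fls(low)) > map->max_apic_id);
}

/* Hardened form (this example's own, not the merged fix). */
static int check_hardened(const struct kvm_apic_map *map, unsigned long low, int min)
{
	if (min < 0)
		return 0;			/* negative base id is invalid */
	if (low == 0)
		return 1;			/* nothing to index, __fls(0) is undefined */
	return (uint64_t)min + __fls(low) <= map->max_apic_id;
}

typedef int (*check_fn)(const struct kvm_apic_map *, unsigned long, int);

/*
 * Replay what follows the check: walk the set bits and index phys_map[min + i].
 * Returns 1 if the check accepted a request whose walk leaves 0..max_apic_id.
 */
static int walk_reaches_oob(const struct kvm_apic_map *map, unsigned long low,
			    int min, check_fn check)
{
	int i;

	if (!check(map, low, min))
		return 0;			/* rejected: nothing is indexed */
	for (i = 0; i < 64; i++) {
		long long idx = (long long)min + i;

		if (!(low & (1UL << i)))
			continue;
		if (idx < 0 || idx > map->max_apic_id)
			return 1;
	}
	return 0;
}

/*
 * Sweep min and a set of bitmaps: check_hardened must accept exactly the
 * requests with min >= 0 whose every set bit indexes within the map.
 */
static int hardened_is_exact(const struct kvm_apic_map *map)
{
	static const unsigned long bitmaps[] = {
		0, 1, 2, 0xA, 0x5, 0x80, 1UL << 63, ~0UL,
	};
	unsigned b;
	int min;

	for (min = -200; min <= 200; min++) {
		for (b = 0; b < sizeof(bitmaps) / sizeof(bitmaps[0]); b++) {
			unsigned long low = bitmaps[b];
			int safe = min >= 0, i;

			for (i = 0; i < 64 && safe; i++)
				if ((low & (1UL << i)) && (long long)min + i > map->max_apic_id)
					safe = 0;
			if (check_hardened(map, low, min) != safe)
				return 0;
		}
	}
	return 1;
}

int main(void)
{
	struct kvm_apic_map map = { .max_apic_id = 7 };	/* constructed: 8 vCPUs */

	printf("posted check, min=-1 low=0x1: oob=%d\n",
	       walk_reaches_oob(&map, 0x1, -1, check_posted));
	printf("sum check,    min=-3 low=0xA: oob=%d\n",
	       walk_reaches_oob(&map, 0xA, -3, check_sum));
	printf("hardened,     same inputs:    oob=%d %d\n",
	       walk_reaches_oob(&map, 0x1, -1, check_hardened),
	       walk_reaches_oob(&map, 0xA, -3, check_hardened));
	printf("hardened exact over sweep:    %d\n", hardened_is_exact(&map));
	return 0;
}
```

The posted check accepts `min = -1` because `7 - 0` is a positive `s32` and is not less than `-1`; the sum form accepts `min = -3` with bits 1 and 3 set because `(unsigned long)-3 + 3` wraps to 0, which is not above `max_apic_id`. Both then index `phys_map[]` at a negative offset. The hardened form turns both away and, over the sweep, rejects nothing that is actually in range.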