Received: by 2002:ac0:a5a6:0:0:0:0:0 with SMTP id m35-v6csp226280imm; Wed, 29 Aug 2018 19:16:58 -0700 (PDT) X-Google-Smtp-Source: ANB0VdZknsryxJWymAbNxy2RdA06XRNjb9csjtCju7GyDc3HC8n5KyWHXq7yt4VUNvOdLbSkFw4r X-Received: by 2002:a63:dd09:: with SMTP id t9-v6mr7525877pgg.370.1535595418913; Wed, 29 Aug 2018 19:16:58 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1535595418; cv=none; d=google.com; s=arc-20160816; b=fd8zGujNig6xUnweijGjMuTmTc/zcsrp/adeIjSStw9a8lHzP4BqAoq85WMGp7H+QJ 5vhB5bnjo2R6nCRQpHl6B/UopsyITaeMCny7KTTXTqxBsMeAGfVt42we16bFt3tfMIuw Q9tJxe1uaCi+kVWe/QwfIbKYTB8RnD/1RkZs5h0Pru9TR8j4TAKgiN+MUWicweCcJqHO rOfxu2FoJpHbTyqxrRAW+L/uYis+H97HWK4a37/h0YSVWweQYFdEyMUclzQMdH9qbbKj nMyqaVhMiAjE7BiqrDZrHNssrAYhJi+H6406zSUMrjrYJiMRVfjoi8hqQvrJrp7zfaK8 dJRg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:cc:to:subject :message-id:date:from:in-reply-to:references:mime-version :dkim-signature:arc-authentication-results; bh=7ZJiIu9/XYP4OcbTPRlsSzHZaHYFu9kC3euTdU/LsVc=; b=iWeSnmePAyc2ChtlO2zb7YIjY9i9vyx6y95GhyIWIyWVuwqjmLELB8W+LukTix8ZxD 4OMK5ReTUBqbUNvBof5LVibAa9jqgW/ptE7ADMnWRK7E1qaBNoDJO5wa4S4wYnLn1uPq IF76ot9vsPuaw4knC94BjGZZD+fB2JR3VmqAPdCW3dvMDYvt8rGadAAzdMmJo1oXkzqr JCP93gfhVXB/0rsF5OgbM/uIgo+iofjo6GivwjAeLyCuzjrr27HHTw8t5iQlwotJ4jWC m4T7iHSGcJeMpVdnqySwO1jEVEvCFZQX2VXDUR8b6ldKxQbgXIo8Cr01vZ3Z9kpJn/tU qsWw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=KzNE0+sX; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id e3-v6si5442894pgh.385.2018.08.29.19.16.43; Wed, 29 Aug 2018 19:16:58 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=KzNE0+sX; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727235AbeH3GPY (ORCPT + 99 others); Thu, 30 Aug 2018 02:15:24 -0400 Received: from mail-oi0-f66.google.com ([209.85.218.66]:43455 "EHLO mail-oi0-f66.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725844AbeH3GPY (ORCPT ); Thu, 30 Aug 2018 02:15:24 -0400 Received: by mail-oi0-f66.google.com with SMTP id b15-v6so12750719oib.10; Wed, 29 Aug 2018 19:15:37 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=7ZJiIu9/XYP4OcbTPRlsSzHZaHYFu9kC3euTdU/LsVc=; b=KzNE0+sXdpscHY4EOUYrBRbp8riD5wFDrju5O2yNWR1RF09YKGyydP0iwE45XGsmt/ GMKwl7bIsIXJSOF46bfSTMlVIjxG/TIQU/v+pqSgyumJE3ox0vdUYzQ07izej6/Iml04 U0k/4U9ELDm5kaVCYGZ5ISr5v1I13lz1zPIbTWhoZDOkMrDf8anZNax1YmGnAU4iZniZ 6911bxfaubii9JGIX6ggwbLe0yuxiiUIyMCWjXD0+DUK74NzD6VsaysY/ycQEyVQWFiB kinhjxKNDNhvpYMFduC492fRuIbt2yKjNHx4gz0+n+SnYw/+gVqoX4BFtf9V0/cB00TD Jkcg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=7ZJiIu9/XYP4OcbTPRlsSzHZaHYFu9kC3euTdU/LsVc=; b=T+/h2RdUMFvG/KMCI7ya7ByKf9aBJ0xQuyw7laXPD70xmP6grg7Ea+xDW0mFTmgHUY WAB4pqAieGD8vDFdUCwI0IyqCtGFj/gCnRojjd245U4mfAVG/Q2FEHSPYqsVCeqwF6oJ FM8JqbRY8akteqkV+Le0IZT+YtLvwXwGrcS46YP7S7Srs3j2N7XcL4CafDq8VY+0ge6w A3YAHJg6qo4kuOvrBa7vamfgQgcTTFWxZgRTu2R77jOPU5X+lzznVisB9UpdesCkYx4G Jv8lqooF9zrfuwaMLd0Wm8RAak5vZ/BVLGjTFAr3kQe/n/Zg9/NWLFRovrFPfavnyju7 6bUA== X-Gm-Message-State: APzg51CswLu5gnzI2pglq5QOaIrnXu+NvF1hBd794Ik/QdS2BbsiIx02 qIIYOkLQxm1DeYfWStN2Ofd/VReGDqk/04IkEK0= X-Received: by 2002:aca:55cd:: with SMTP id j196-v6mr525178oib.202.1535595337030; Wed, 29 Aug 2018 19:15:37 -0700 (PDT) MIME-Version: 1.0 References: <1535521943-5547-1-git-send-email-wanpengli@tencent.com> <20180829101205.jsp53e2wq7fc6ukd@mwanda> <20180829101822.qo3u7lsmghs3kcuf@mwanda> <20180829102910.rkyato47chayt22s@mwanda> <20180829154246.GB19487@flask> In-Reply-To: <20180829154246.GB19487@flask> From: Wanpeng Li Date: Thu, 30 Aug 2018 10:15:39 +0800 Message-ID: Subject: Re: [PATCH] KVM: LAPIC: Fix pv ipis out-of-bounds access To: Radim Krcmar Cc: Dan Carpenter , Liran Alon , LKML , kvm , Paolo Bonzini Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, 29 Aug 2018 at 23:42, Radim Krcmar wrote: > > 2018-08-29 13:29+0300, Dan Carpenter: > > On Wed, Aug 29, 2018 at 06:23:08PM +0800, Wanpeng Li wrote: > > > On Wed, 29 Aug 2018 at 18:18, Dan Carpenter wrote: > > > > > > > > On Wed, Aug 29, 2018 at 01:12:05PM +0300, Dan Carpenter wrote: > > > > > On Wed, Aug 29, 2018 at 12:05:06PM +0300, Liran Alon wrote: > > > > > > > arch/x86/kvm/lapic.c | 17 +++++++++++++---- > > > > > > > 1 file changed, 13 insertions(+), 4 deletions(-) > > > > > > > > > > > > > > diff --git a/arch/x86/kvm/lapic.c b/arch/x86/kvm/lapic.c > > > > > > > index 0cefba2..86e933c 100644 > > > > > > > --- a/arch/x86/kvm/lapic.c > > > > > > > +++ b/arch/x86/kvm/lapic.c > > > > > > > @@ -571,18 +571,27 @@ int kvm_pv_send_ipi(struct kvm *kvm, un= signed long ipi_bitmap_low, > > > > > > > rcu_read_lock(); > > > > > > > map =3D rcu_dereference(kvm->arch.apic_map); > > > > > > > > > > > > > > + if (unlikely((s32)(map->max_apic_id - __fls(ipi_bitmap_low)= ) < min)) > > > > > > > + goto out; > > > > > > > > > > > > I personally think =E2=80=9Cif ((min + __fls(ipi_bitmap_low)) >= map->max_apic_id)=E2=80=9D is more readable. > > > > > > But that=E2=80=99s just a matter of taste :) > > > > > > > > > > That's an integer overflow. > > > > > > > > > > But I do prefer to put the variable on the left. The truth is th= at some > > > > > Smatch checks just ignore code which is backwards written because > > > > > otherwise you have to write duplicate code and the most code is w= ritten > > > > > with the variable on the left. > > > > > > > > > > if (min > (s32)(map->max_apic_id - __fls(ipi_bitmap_low)) > > > > > > > > Wait, the (s32) cast doesn't make sense. We want negative min valu= es to > > > > be treated as invalid. > > > > > > In v2, how about: > > > > > > if (unlikely(min > map->max_apic_id || (min + __fls(ipi_bitmap_low)) = > > > > map->max_apic_id)) > > > goto out; > > > > That works, too. It still has the off by one and we should set > > "count =3D -KVM_EINVAL;". > > I'd prefer to ignore destinations that are not present and deliver the > rest, possibly nothing, instead of returning an error. > (It's closer to how the real hardware behaves and we already return the > number of notified VCPUs, so the caller can tell whether something went > wrong.) > > Either in the form that I have posted earlier, or as: > > if (min > map->max_apic_id) > goto out; > > for_each_set_bit(i, &ipi_bitmap_low, MIN(BITS_PER_LONG, map->max_= apic_id - min + 1)) Do it in v2. Regards, Wanpeng Li