From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Paolo Bonzini , Sasha Levin Subject: [PATCH 4.14 023/115] KVM: fix spectrev1 gadgets Date: Wed, 15 May 2019 12:55:03 +0200 Message-Id: <20190515090700.957801365@linuxfoundation.org> X-Mailer: git-send-email 2.21.0 In-Reply-To: <20190515090659.123121100@linuxfoundation.org> References: <20190515090659.123121100@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org [ Upstream commit 1d487e9bf8ba66a7174c56a0029c54b1eca8f99c ] These were found with smatch, and then generalized when applicable. Signed-off-by: Paolo Bonzini Signed-off-by: Sasha Levin --- arch/x86/kvm/lapic.c | 4 +++- include/linux/kvm_host.h | 10 ++++++---- virt/kvm/irqchip.c | 5 +++-- virt/kvm/kvm_main.c | 6 ++++-- 4 files changed, 16 insertions(+), 9 deletions(-) diff --git a/arch/x86/kvm/lapic.c b/arch/x86/kvm/lapic.c index f7c34184342a5..053e4937af0cb 100644 --- a/arch/x86/kvm/lapic.c +++ b/arch/x86/kvm/lapic.c @@ -133,6 +133,7 @@ static inline bool kvm_apic_map_get_logical_dest(struct kvm_apic_map *map, if (offset <= max_apic_id) { u8 cluster_size = min(max_apic_id - offset + 1, 16U); + offset = array_index_nospec(offset, map->max_apic_id + 1); *cluster = &map->phys_map[offset]; *mask = dest_id & (0xffff >> (16 - cluster_size)); } else { @@ -829,7 +830,8 @@ static inline bool kvm_apic_map_get_dest_lapic(struct kvm *kvm, if (irq->dest_id > map->max_apic_id) { *bitmap = 0; } else { - *dst = &map->phys_map[irq->dest_id]; + u32 dest_id = array_index_nospec(irq->dest_id, map->max_apic_id + 1); + *dst = &map->phys_map[dest_id]; *bitmap = 1; } return true; diff --git a/include/linux/kvm_host.h b/include/linux/kvm_host.h index 753c16633bac5..026615e242d8e 100644 --- a/include/linux/kvm_host.h 
+++ b/include/linux/kvm_host.h @@ -27,6 +27,7 @@ #include #include #include +#include #include #include @@ -483,10 +484,10 @@ static inline struct kvm_io_bus *kvm_get_bus(struct kvm *kvm, enum kvm_bus idx) static inline struct kvm_vcpu *kvm_get_vcpu(struct kvm *kvm, int i) { - /* Pairs with smp_wmb() in kvm_vm_ioctl_create_vcpu, in case - * the caller has read kvm->online_vcpus before (as is the case - * for kvm_for_each_vcpu, for example). - */ + int num_vcpus = atomic_read(&kvm->online_vcpus); + i = array_index_nospec(i, num_vcpus); + + /* Pairs with smp_wmb() in kvm_vm_ioctl_create_vcpu. */ smp_rmb(); return kvm->vcpus[i]; } @@ -570,6 +571,7 @@ void kvm_put_kvm(struct kvm *kvm); static inline struct kvm_memslots *__kvm_memslots(struct kvm *kvm, int as_id) { + as_id = array_index_nospec(as_id, KVM_ADDRESS_SPACE_NUM); return srcu_dereference_check(kvm->memslots[as_id], &kvm->srcu, lockdep_is_held(&kvm->slots_lock) || !refcount_read(&kvm->users_count)); diff --git a/virt/kvm/irqchip.c b/virt/kvm/irqchip.c index b1286c4e07122..0bd0683640bdf 100644 --- a/virt/kvm/irqchip.c +++ b/virt/kvm/irqchip.c @@ -144,18 +144,19 @@ static int setup_routing_entry(struct kvm *kvm, { struct kvm_kernel_irq_routing_entry *ei; int r; + u32 gsi = array_index_nospec(ue->gsi, KVM_MAX_IRQ_ROUTES); /* * Do not allow GSI to be mapped to the same irqchip more than once. * Allow only one to one mapping between GSI and non-irqchip routing. */ - hlist_for_each_entry(ei, &rt->map[ue->gsi], link) + hlist_for_each_entry(ei, &rt->map[gsi], link) if (ei->type != KVM_IRQ_ROUTING_IRQCHIP || ue->type != KVM_IRQ_ROUTING_IRQCHIP || ue->u.irqchip.irqchip == ei->irqchip.irqchip) return -EINVAL; - e->gsi = ue->gsi; + e->gsi = gsi; e->type = ue->type; r = kvm_set_routing_entry(kvm, e, ue); if (r) diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c index a373c60ef1c06..b91716b1b428e 100644 --- a/virt/kvm/kvm_main.c +++ b/virt/kvm/kvm_main.c 
@@ -2886,12 +2886,14 @@ static int kvm_ioctl_create_device(struct kvm *kvm, struct kvm_device_ops *ops = NULL; struct kvm_device *dev; bool test = cd->flags & KVM_CREATE_DEVICE_TEST; + int type; int ret; if (cd->type >= ARRAY_SIZE(kvm_device_ops_table)) return -ENODEV; - ops = kvm_device_ops_table[cd->type]; + type = array_index_nospec(cd->type, ARRAY_SIZE(kvm_device_ops_table)); + ops = kvm_device_ops_table[type]; if (ops == NULL) return -ENODEV; @@ -2906,7 +2908,7 @@ static int kvm_ioctl_create_device(struct kvm *kvm, dev->kvm = kvm; mutex_lock(&kvm->lock); - ret = ops->create(dev, cd->type); + ret = ops->create(dev, type); if (ret < 0) { mutex_unlock(&kvm->lock); kfree(dev); -- 2.20.1
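
Review bot: in kvm_apic_map_get_logical_dest() (arch/x86/kvm/lapic.c, hunk at -133) the branch tests `offset <= max_apic_id` against the local, but the clamp added two lines below takes `map->max_apic_id + 1` as its size. Passing the same expression to both, i.e. `array_index_nospec(offset, max_apic_id + 1)`, would make it clear on reading that the speculative bound is exactly the one the branch has just checked, and matches the `min(max_apic_id - offset + 1, 16U)` line between them.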
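
Review bot: in kvm_get_vcpu() (include/linux/kvm_host.h, hunk at -483) the added `i = array_index_nospec(i, num_vcpus);` has no architectural range check in front of it, so it changes behaviour as well as speculation: array_index_nospec() yields 0 for an out-of-range index, and a caller passing a bad `i` now gets `kvm->vcpus[0]` back. If that is intended, the commit message or a comment should say so; if callers are expected to pass a valid index, a WARN_ON_ONCE for `i >= num_vcpus` would catch violations. The shortened comment also no longer says which read smp_rmb() orders; now that `online_vcpus` is read in this function, it could state that the barrier sits between that atomic_read() and the load of `kvm->vcpus[i]`.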
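
Review bot: in setup_routing_entry() (virt/kvm/irqchip.c) `ue->gsi` is clamped to KVM_MAX_IRQ_ROUTES, but nothing in the hunk shows that `rt->map` has KVM_MAX_IRQ_ROUTES entries. If the map is allocated to a smaller per-table size, a speculative `rt->map[gsi]` can still index past its end, and the clamp should use the table's real entry count instead. Separately, `e->gsi = gsi;` now stores the clamped value, so an out-of-range `ue->gsi` would be recorded as GSI 0 unless the caller has already rejected it; a short comment naming that earlier check would make the assumption visible.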
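
Review bot: in kvm_ioctl_create_device() (virt/kvm/kvm_main.c, hunk at -2886) the new local is declared `int type;` although it only holds an index that was just compared against ARRAY_SIZE(kvm_device_ops_table), and the other clamped locals this patch introduces (`dest_id` in lapic.c, `gsi` in irqchip.c) are u32. Declaring it u32 would keep the patch consistent and avoid mixing a signed local with the unsigned bound.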