From: Stefan Hajnoczi Date: Wed, 28 Feb 2024 12:53:28 -0500 Message-ID: Subject: Re: [PATCH v2] vduse: Fix off by one in vduse_dev_mmap() To: Dan Carpenter Cc: Cindy Lu , "Michael S. Tsirkin" , Jason Wang , Xuan Zhuo , Xie Yongji , Maxime Coquelin , Greg Kroah-Hartman , Christian Brauner , virtualization@lists.linux.dev, linux-kernel@vger.kernel.org, kernel-janitors@vger.kernel.org Content-Type: text/plain; charset="UTF-8" On Wed, 28 Feb 2024 at 12:44, Dan Carpenter wrote: > > The dev->vqs[] array has "dev->vq_num" elements. It's allocated in > vduse_dev_init_vqs(). Thus, this > comparison needs to be >= to avoid > reading one element beyond the end of the array. > > Add an array_index_nospec() as well to prevent speculation issues. > > Fixes: 316ecd1346b0 ("vduse: Add file operation for mmap") > Signed-off-by: Dan Carpenter > --- > v2: add array_index_nospec(). Did you forget to update the patch, I don't see array_index_nospec()? > > drivers/vdpa/vdpa_user/vduse_dev.c | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) > > diff --git a/drivers/vdpa/vdpa_user/vduse_dev.c b/drivers/vdpa/vdpa_user/vduse_dev.c > index b7a1fb88c506..eb914084c650 100644 > --- a/drivers/vdpa/vdpa_user/vduse_dev.c > +++ b/drivers/vdpa/vdpa_user/vduse_dev.c > @@ -1532,9 +1532,10 @@ static int vduse_dev_mmap(struct file *file, struct vm_area_struct *vma) > if ((vma->vm_flags & VM_SHARED) == 0) > return -EINVAL; > > - if (index > dev->vq_num) > + if (index >= dev->vq_num) > return -EINVAL; > > vq = dev->vqs[index]; > vaddr = vq->vdpa_reconnect_vaddr; > if (vaddr == 0) > -- > 2.43.0 > >
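Review bot: the array_index_nospec() clamp described in the commit message and in the "v2:" changelog is absent from the hunk as shown, so "vq = dev->vqs[index];" still uses an index that is bounds-checked but not clamped under speculation. The diffstat (2 insertions, 1 deletion) and the hunk header (-1532,9 +1532,10) both imply a second added line, yet only the ">" to ">=" change is visible. Suggest adding "index = array_index_nospec(index, dev->vq_num);" between the "return -EINVAL;" of the bounds check and the dev->vqs[index] dereference, and making sure <linux/nospec.h> is included in vduse_dev.c. The ">=" comparison itself matches the stated array size of dev->vq_num elements.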