From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752567AbcF3WQI (ORCPT ); Thu, 30 Jun 2016 18:16:08 -0400 Received: from mail-it0-f46.google.com ([209.85.214.46]:36807 "EHLO mail-it0-f46.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751487AbcF3WQG (ORCPT ); Thu, 30 Jun 2016 18:16:06 -0400 MIME-Version: 1.0 In-Reply-To: <20160630205429.16480-4-rkrcmar@redhat.com> References: <20160630205429.16480-1-rkrcmar@redhat.com> <20160630205429.16480-4-rkrcmar@redhat.com> From: Andrew Honig Date: Thu, 30 Jun 2016 15:15:10 -0700 Message-ID: Subject: Re: [PATCH v1 03/11] KVM: x86: dynamic kvm_apic_map To: =?UTF-8?B?UmFkaW0gS3LEjW3DocWZ?= Cc: linux-kernel@vger.kernel.org, kvm , Paolo Bonzini , "Lan, Tianyu" , Igor Mammedov , Jan Kiszka , Peter Xu Content-Type: text/plain; charset=UTF-8 Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org > - > - new = kzalloc(sizeof(struct kvm_apic_map), GFP_KERNEL); > + u32 size, max_id = 255; > > mutex_lock(&kvm->arch.apic_map_lock); > > + kvm_for_each_vcpu(i, vcpu, kvm) > + if (kvm_apic_present(vcpu)) > + max_id = max(max_id, kvm_apic_id(vcpu->arch.apic)); > + > + /* kvm_apic_map_get_logical_dest() expects multiples of 16 */ > + size = round_up(max_id + 1, 16); Now that you're using the full range of apic_id values, could this calculation overflow? Perhaps max_id could be u64? > + new = kzalloc(sizeof(struct kvm_apic_map) + > + sizeof(struct kvm_lapic) * size, GFP_KERNEL); > + > if (!new) > goto out; >
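Review bot: The `size = round_up(max_id + 1, 16);` line does its arithmetic in u32, so once `max_id` reaches 0xfffffff0 the rounded value wraps to 0 and the following `kzalloc()` succeeds with room for the `struct kvm_apic_map` header only. The `if (!new)` check does not catch that case, and any later access indexed by APIC ID would then fall outside the allocation. Widening `max_id` alone is not enough while `size` stays u32. Either compute the element count in a 64-bit type and let the allocation fail, or reject IDs above an explicit limit before sizing the map. Because `max_id` is taken from each vcpu's APIC ID in the `kvm_for_each_vcpu` loop, an upper bound is also worth having to keep the size of this `GFP_KERNEL` allocation, made under `apic_map_lock`, from being driven arbitrarily high.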