From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Paolo Bonzini <pbonzini@redhat.com>,
	Sasha Levin <sashal@kernel.org>,
	kvm@vger.kernel.org
Subject: [PATCH AUTOSEL 4.14 18/95] KVM: fix spectrev1 gadgets
Date: Tue,  7 May 2019 01:37:07 -0400	[thread overview]
Message-ID: <20190507053826.31622-18-sashal@kernel.org> (raw)
In-Reply-To: <20190507053826.31622-1-sashal@kernel.org>

From: Paolo Bonzini <pbonzini@redhat.com>

[ Upstream commit 1d487e9bf8ba66a7174c56a0029c54b1eca8f99c ]

These Spectre-v1 (bounds-check-bypass) gadgets were found with smatch, and the fix was then generalized to similar array accesses where applicable.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/x86/kvm/lapic.c     |  4 +++-
 include/linux/kvm_host.h | 10 ++++++----
 virt/kvm/irqchip.c       |  5 +++--
 virt/kvm/kvm_main.c      |  6 ++++--
 4 files changed, 16 insertions(+), 9 deletions(-)

diff --git a/arch/x86/kvm/lapic.c b/arch/x86/kvm/lapic.c
index f7c34184342a..053e4937af0c 100644
--- a/arch/x86/kvm/lapic.c
+++ b/arch/x86/kvm/lapic.c
@@ -133,6 +133,7 @@ static inline bool kvm_apic_map_get_logical_dest(struct kvm_apic_map *map,
 		if (offset <= max_apic_id) {
 			u8 cluster_size = min(max_apic_id - offset + 1, 16U);
 
+			offset = array_index_nospec(offset, map->max_apic_id + 1);
 			*cluster = &map->phys_map[offset];
 			*mask = dest_id & (0xffff >> (16 - cluster_size));
 		} else {
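Review bot: The speculative clamp on the added line uses `map->max_apic_id + 1` as its bound while the architectural check two lines above compares `offset` against a local `max_apic_id` whose definition is outside this hunk; if that local is simply a copy of `map->max_apic_id` (as it appears to be), the two bounds agree, but the relationship is easier to audit if both use the same expression, `offset = array_index_nospec(offset, max_apic_id + 1);`. Keep in mind that array_index_nospec() also changes the architectural value when the index is out of range (it masks it to 0), so the preceding `if (offset <= max_apic_id)` remains the real bounds check and must not be relaxed. kvm_apic_map_get_logical_dest() starts before and continues after this hunk.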
@@ -829,7 +830,8 @@ static inline bool kvm_apic_map_get_dest_lapic(struct kvm *kvm,
 		if (irq->dest_id > map->max_apic_id) {
 			*bitmap = 0;
 		} else {
-			*dst = &map->phys_map[irq->dest_id];
+			u32 dest_id = array_index_nospec(irq->dest_id, map->max_apic_id + 1);
+			*dst = &map->phys_map[dest_id];
 			*bitmap = 1;
 		}
 		return true;
diff --git a/include/linux/kvm_host.h b/include/linux/kvm_host.h
index 753c16633bac..026615e242d8 100644
--- a/include/linux/kvm_host.h
+++ b/include/linux/kvm_host.h
@@ -27,6 +27,7 @@
 #include <linux/irqbypass.h>
 #include <linux/swait.h>
 #include <linux/refcount.h>
+#include <linux/nospec.h>
 #include <asm/signal.h>
 
 #include <linux/kvm.h>
@@ -483,10 +484,10 @@ static inline struct kvm_io_bus *kvm_get_bus(struct kvm *kvm, enum kvm_bus idx)
 
 static inline struct kvm_vcpu *kvm_get_vcpu(struct kvm *kvm, int i)
 {
-	/* Pairs with smp_wmb() in kvm_vm_ioctl_create_vcpu, in case
-	 * the caller has read kvm->online_vcpus before (as is the case
-	 * for kvm_for_each_vcpu, for example).
-	 */
+	int num_vcpus = atomic_read(&kvm->online_vcpus);
+	i = array_index_nospec(i, num_vcpus);
+
+	/* Pairs with smp_wmb() in kvm_vm_ioctl_create_vcpu.  */
 	smp_rmb();
 	return kvm->vcpus[i];
 }
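Review bot: array_index_nospec() masks any `i` outside [0, online_vcpus) to 0, so after this change an out-of-range index (including a negative `int i`, which becomes a huge unsigned value in the mask computation) silently returns `kvm->vcpus[0]` instead of reading past the array; that is the desired speculative behaviour, but callers must still bounds-check `i` architecturally, since a caller that relied on the old unchecked access now gets a wrong vCPU rather than an obvious fault. The trimmed comment also drops the hint that `online_vcpus` is read before the barrier, which is exactly what the smp_rmb() orders against the producer's smp_wmb(). I would extend the comment to `/* Out-of-range i is masked to 0; callers must still check i < online_vcpus. Reading online_vcpus before the rmb pairs with the smp_wmb() in kvm_vm_ioctl_create_vcpu. */`.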
@@ -570,6 +571,7 @@ void kvm_put_kvm(struct kvm *kvm);
 
 static inline struct kvm_memslots *__kvm_memslots(struct kvm *kvm, int as_id)
 {
+	as_id = array_index_nospec(as_id, KVM_ADDRESS_SPACE_NUM);
 	return srcu_dereference_check(kvm->memslots[as_id], &kvm->srcu,
 			lockdep_is_held(&kvm->slots_lock) ||
 			!refcount_read(&kvm->users_count));
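Review bot: The clamp on the added line makes any `as_id` outside [0, KVM_ADDRESS_SPACE_NUM) alias to address space 0 rather than indexing past `kvm->memslots[]`; on configurations where KVM_ADDRESS_SPACE_NUM is 1 every non-zero `as_id` collapses to 0. That is fine as a speculation barrier but it is not a validity check, so the ioctl paths that derive `as_id` from user input (outside this hunk) must keep rejecting bad values before reaching here. A one-line comment would make that contract explicit: `/* Speculation barrier only: callers must already have rejected an out-of-range as_id. */`.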
diff --git a/virt/kvm/irqchip.c b/virt/kvm/irqchip.c
index b1286c4e0712..0bd0683640bd 100644
--- a/virt/kvm/irqchip.c
+++ b/virt/kvm/irqchip.c
@@ -144,18 +144,19 @@ static int setup_routing_entry(struct kvm *kvm,
 {
 	struct kvm_kernel_irq_routing_entry *ei;
 	int r;
+	u32 gsi = array_index_nospec(ue->gsi, KVM_MAX_IRQ_ROUTES);
 
 	/*
 	 * Do not allow GSI to be mapped to the same irqchip more than once.
 	 * Allow only one to one mapping between GSI and non-irqchip routing.
 	 */
-	hlist_for_each_entry(ei, &rt->map[ue->gsi], link)
+	hlist_for_each_entry(ei, &rt->map[gsi], link)
 		if (ei->type != KVM_IRQ_ROUTING_IRQCHIP ||
 		    ue->type != KVM_IRQ_ROUTING_IRQCHIP ||
 		    ue->u.irqchip.irqchip == ei->irqchip.irqchip)
 			return -EINVAL;
 
-	e->gsi = ue->gsi;
+	e->gsi = gsi;
 	e->type = ue->type;
 	r = kvm_set_routing_entry(kvm, e, ue);
 	if (r)
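Review bot: The architectural range check for `ue->gsi` against KVM_MAX_IRQ_ROUTES is not in this function as shown, and the new code stores the clamped value into `e->gsi`, so if the caller's check were ever missing or drifted, a `gsi >= KVM_MAX_IRQ_ROUTES` would be silently recorded as route 0 instead of being rejected with -EINVAL. Since `ue` (with the unclamped `ue->gsi`) is still passed to kvm_set_routing_entry() on the following line, the two views of the GSI could also diverge in that case. I would document the dependency at the declaration: `/* ue->gsi has been range-checked by the caller; this only clamps the speculative index. */`. setup_routing_entry() starts before and continues after this hunk.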
diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c
index a373c60ef1c0..b91716b1b428 100644
--- a/virt/kvm/kvm_main.c
+++ b/virt/kvm/kvm_main.c
@@ -2886,12 +2886,14 @@ static int kvm_ioctl_create_device(struct kvm *kvm,
 	struct kvm_device_ops *ops = NULL;
 	struct kvm_device *dev;
 	bool test = cd->flags & KVM_CREATE_DEVICE_TEST;
+	int type;
 	int ret;
 
 	if (cd->type >= ARRAY_SIZE(kvm_device_ops_table))
 		return -ENODEV;
 
-	ops = kvm_device_ops_table[cd->type];
+	type = array_index_nospec(cd->type, ARRAY_SIZE(kvm_device_ops_table));
+	ops = kvm_device_ops_table[type];
 	if (ops == NULL)
 		return -ENODEV;
 
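Review bot: The new local is declared `int type` but receives the result of array_index_nospec() on `cd->type`, which is presumably unsigned (`__u32` in the UAPI struct), and is later passed to `ops->create()`; declaring it `u32 type` would match both the source field and the callback's parameter width and avoid an implicit signed/unsigned conversion of a user-controlled value. The ordering here is the right pattern for this class of fix: the architectural `>= ARRAY_SIZE()` check on the preceding lines stays as the real bounds check and the clamp only closes the speculative window before the table load. kvm_ioctl_create_device() continues past this hunk.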
@@ -2906,7 +2908,7 @@ static int kvm_ioctl_create_device(struct kvm *kvm,
 	dev->kvm = kvm;
 
 	mutex_lock(&kvm->lock);
-	ret = ops->create(dev, cd->type);
+	ret = ops->create(dev, type);
 	if (ret < 0) {
 		mutex_unlock(&kvm->lock);
 		kfree(dev);
-- 
2.20.1

