[PULL v2 1/3] vfio: Fix CID 1458134 in vfio_register_ram_discard

qemu-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[PULL v2 1/3] vfio: Fix CID 1458134 in vfio_register_ram_discard_listene

From:	Alex Williamson
Subject:	[PULL v2 1/3] vfio: Fix CID 1458134 in vfio_register_ram_discard_listener()
Date:	Wed, 14 Jul 2021 15:35:18 -0600
User-agent:	StGit/1.0-8-g6af9-dirty

From: David Hildenbrand <david@redhat.com>

  CID 1458134:  Integer handling issues  (BAD_SHIFT)
    In expression "1 << ctz64(container->pgsizes)", left shifting by more
    than 31 bits has undefined behavior.  The shift amount,
    "ctz64(container->pgsizes)", is 64.

Commit 5e3b981c330c ("vfio: Support for RamDiscardManager in the !vIOMMU
case") added an assertion that our granularity is at least as big as the
page size.

Although unlikely, we could have a page size that does not fit into
32 bit. In that case, we'd try shifting by more than 31 bit.

Let's use 1ULL instead and make sure we're not shifting by more than 63
bit by asserting that any bit in container->pgsizes is set.

Fixes: CID 1458134
Cc: Alex Williamson <alex.williamson@redhat.com>
Cc: Eduardo Habkost <ehabkost@redhat.com>
Cc: "Michael S. Tsirkin" <mst@redhat.com>
Cc: Paolo Bonzini <pbonzini@redhat.com>
Cc: Dr. David Alan Gilbert <dgilbert@redhat.com>
Cc: Igor Mammedov <imammedo@redhat.com>
Cc: Pankaj Gupta <pankaj.gupta.linux@gmail.com>
Cc: Peter Xu <peterx@redhat.com>
Cc: Auger Eric <eric.auger@redhat.com>
Cc: Wei Yang <richard.weiyang@linux.alibaba.com>
Cc: teawater <teawaterz@linux.alibaba.com>
Cc: Marek Kedzierski <mkedzier@redhat.com>
Signed-off-by: David Hildenbrand <david@redhat.com>
Reviewed-by: Igor Mammedov <imammedo@redhat.com>
Reviewed-by: Pankaj Gupta <pankaj.gupta@ionos.com>
Link: 20210712083135.15755-1-david@redhat.com">https://lore.kernel.org/r/20210712083135.15755-1-david@redhat.com
Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
---
 hw/vfio/common.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/hw/vfio/common.c b/hw/vfio/common.c
index 3f0d11136081..8728d4d5c2e2 100644
--- a/hw/vfio/common.c
+++ b/hw/vfio/common.c
@@ -783,7 +783,8 @@ static void 
vfio_register_ram_discard_listener(VFIOContainer *container,
                                                                 section->mr);
 
     g_assert(vrdl->granularity && is_power_of_2(vrdl->granularity));
-    g_assert(vrdl->granularity >= 1 << ctz64(container->pgsizes));
+    g_assert(container->pgsizes &&
+             vrdl->granularity >= 1ULL << ctz64(container->pgsizes));
 
     ram_discard_listener_init(&vrdl->listener,
                               vfio_ram_discard_notify_populate,

[Prev in Thread]

Current Thread

[Next in Thread]

[PULL v2 0/3] VFIO update 2021-07-14 (for v6.1), Alex Williamson, 2021/07/14
- [PULL v2 1/3] vfio: Fix CID 1458134 in vfio_register_ram_discard_listener(), Alex Williamson <=
- [PULL v2 2/3] vfio/pci: Change to use vfio_pci_is(), Alex Williamson, 2021/07/14
- [PULL v2 3/3] vfio/pci: Add pba_offset PCI quirk for BAIDU KUNLUN AI processor, Alex Williamson, 2021/07/14
- Re: [PULL v2 0/3] VFIO update 2021-07-14 (for v6.1), Peter Maydell, 2021/07/16

Prev by Date: [PULL v2 0/3] VFIO update 2021-07-14 (for v6.1)
Next by Date: [PULL v2 2/3] vfio/pci: Change to use vfio_pci_is()
Previous by thread: [PULL v2 0/3] VFIO update 2021-07-14 (for v6.1)
Next by thread: [PULL v2 2/3] vfio/pci: Change to use vfio_pci_is()
Index(es):
- Date
- Thread