Hi Alex,
Reviewed-by: Eric Auger <eric.auger@xxxxxxxxxx>
Tested-by: Eric Auger <eric.auger@xxxxxxxxxx>
Best Regards
Eric
On 02/02/2016 12:54 AM, Alex Williamson wrote:
> Signed versus unsigned comparisons are implicitly cast to unsigned,
> which result in a couple possible overflows. For instance (start +
> count) might overflow and wrap, getting through our validation test.
> Also when unwinding setup, -1 being compared as unsigned doesn't
> produce the intended stop condition. Fix both of these and also fix
> vfio_msi_set_vector_signal() to validate parameters before using the
> vector index, though none of the callers should pass bad indexes
> anymore.
>
> Reported-by: Eric Auger <eric.auger@xxxxxxxxxx>
> Signed-off-by: Alex Williamson <alex.williamson@xxxxxxxxxx>
> ---
> drivers/vfio/pci/vfio_pci_intrs.c | 17 +++++++++--------
> 1 file changed, 9 insertions(+), 8 deletions(-)
>
> diff --git a/drivers/vfio/pci/vfio_pci_intrs.c b/drivers/vfio/pci/vfio_pci_intrs.c
> index 3b3ba15..e9ea3fe 100644
> --- a/drivers/vfio/pci/vfio_pci_intrs.c
> +++ b/drivers/vfio/pci/vfio_pci_intrs.c
> @@ -309,14 +309,14 @@ static int vfio_msi_set_vector_signal(struct vfio_pci_device *vdev,
> int vector, int fd, bool msix)
> {
> struct pci_dev *pdev = vdev->pdev;
> - int irq = msix ? vdev->msix[vector].vector : pdev->irq + vector;
> - char *name = msix ? "vfio-msix" : "vfio-msi";
> struct eventfd_ctx *trigger;
> - int ret;
> + int irq, ret;
>
> - if (vector >= vdev->num_ctx)
> + if (vector < 0 || vector >= vdev->num_ctx)
> return -EINVAL;
>
> + irq = msix ? vdev->msix[vector].vector : pdev->irq + vector;
> +
> if (vdev->ctx[vector].trigger) {
> free_irq(irq, vdev->ctx[vector].trigger);
> irq_bypass_unregister_producer(&vdev->ctx[vector].producer);
> @@ -328,8 +328,9 @@ static int vfio_msi_set_vector_signal(struct vfio_pci_device *vdev,
> if (fd < 0)
> return 0;
>
> - vdev->ctx[vector].name = kasprintf(GFP_KERNEL, "%s[%d](%s)",
> - name, vector, pci_name(pdev));
> + vdev->ctx[vector].name = kasprintf(GFP_KERNEL, "vfio-msi%s[%d](%s)",
> + msix ? "x" : "", vector,
> + pci_name(pdev));
> if (!vdev->ctx[vector].name)
> return -ENOMEM;
>
> @@ -379,7 +380,7 @@ static int vfio_msi_set_block(struct vfio_pci_device *vdev, unsigned start,
> {
> int i, j, ret = 0;
>
> - if (start + count > vdev->num_ctx)
> + if (start >= vdev->num_ctx || start + count > vdev->num_ctx)
> return -EINVAL;
>
> for (i = 0, j = start; i < count && !ret; i++, j++) {
> @@ -388,7 +389,7 @@ static int vfio_msi_set_block(struct vfio_pci_device *vdev, unsigned start,
> }
>
> if (ret) {
> - for (--j; j >= start; j--)
> + for (--j; j >= (int)start; j--)
> vfio_msi_set_vector_signal(vdev, j, -1, msix);
> }
>
>
--
To unsubscribe from this list: send the line "unsubscribe kvm" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
