Hi,

On 10/12/22 18:59, Eric Ren wrote:
> Reproducer hints:
> 1. Create ARM virt VM with pxb-pcie bus which adds
> extra host bridges, with qemu command like:
>
> ```
> -device pxb-pcie,bus_nr=8,id=pci.x,numa_node=0,bus=pcie.0 \
> -device pcie-root-port,..,bus=pci.x \
> ...
> -device pxb-pcie,bus_nr=37,id=pci.y,numa_node=1,bus=pcie.0 \
> -device pcie-root-port,..,bus=pci.y \
> ...
>
> ```
> 2. Perform VM migration which calls save/restore device tables.
>
> In that setup, we get a big "offset" between 2 device_ids (
> one is small, another is big), which makes unsigned "len" round
> up a big positive number, causing the loop to continue exceptionally.
>
> Signed-off-by: Eric Ren <renzhengeek@xxxxxxxxx>

I fixed Marc's address and removed Christoffer's one. Please use
scripts/get_maintainer.pl to identify the right email addresses.

Just to make sure I correctly understand, you mean len -= byte_offset
becomes negative and that is not properly reflected due to the unsigned
type. I agree we should be robust against that, but doesn't it also mean
that the saved table has an issue in the first place (the offset points
to a location outside of the max size of the table)?

Thanks

Eric

> ---
> arch/arm64/kvm/vgic/vgic-its.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/arch/arm64/kvm/vgic/vgic-its.c b/arch/arm64/kvm/vgic/vgic-its.c
> index 24d7778d1ce6..673554ef02f9 100644
> --- a/arch/arm64/kvm/vgic/vgic-its.c
> +++ b/arch/arm64/kvm/vgic/vgic-its.c
> @@ -2141,7 +2141,7 @@ static int scan_its_table(struct vgic_its *its, gpa_t base, int size, u32 esz,
> int start_id, entry_fn_t fn, void *opaque)
> {
> struct kvm *kvm = its->dev->kvm;
> - unsigned long len = size;
> + ssize_t len = size;
> int id = start_id;
> gpa_t gpa = base;
> char entry[ESZ_MAX];
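Review bot: changing only the declaration to `ssize_t len = size;` makes a negative remainder terminate the loop, but it does so silently: the scan then returns as if it had reached the end of the table, even though (as the reply above points out) an entry whose offset reaches past the table means the saved table is inconsistent. Consider rejecting that case explicitly where the remainder is decremented, for example by checking the entry's byte offset against the remaining `len` before advancing and returning -EINVAL when it overshoots, so that restoring a corrupt table fails loudly instead of being truncated. The commit message should also state what the loop now does on overshoot (stop and report success) so reviewers can judge whether that is the intended behaviour.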
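The following is an added, self-contained model of the failure mode the report and the reply describe; it is not the kernel's scan_its_table(), not code from the patch, and not anything the thread's participants wrote. It assumes a constructed "guest memory" array, a made-up 8-byte entry layout (byte 0 = valid flag, bytes 4..7 = little-endian offset to the next entry) and a callback contract modelled on what the thread says (positive return = entries to skip, 0 = end of table, negative = error). The `unsigned_len` switch evaluates the loop condition the way `unsigned long len` did before the patch; with it off the loop behaves as with `ssize_t len`.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Constructed model, not kernel code: the first TABLE_ENTS entries of
 * guest_mem form the saved device table; the rest is readable guest
 * memory that is not part of the table. */
#define ESZ        8                  /* bytes per entry (assumed layout) */
#define TABLE_ENTS 4                  /* entries in the saved table */
#define MEM_ENTS   16                 /* entries' worth of guest memory */
#define GUEST_MEM  (ESZ * MEM_ENTS)

static unsigned char guest_mem[GUEST_MEM];

/* Stand-in for a guest read: fails once the read leaves guest memory. */
static int model_read_guest(uint64_t gpa, void *buf, size_t n)
{
	if (gpa > GUEST_MEM || n > GUEST_MEM - gpa)
		return -1;
	memcpy(buf, guest_mem + gpa, n);
	return 0;
}

/* Write one model entry: byte 0 = valid flag, bytes 4..7 = LE next offset. */
static void put_entry(int idx, int valid, uint32_t next)
{
	unsigned char *e = guest_mem + (size_t)idx * ESZ;
	memset(e, 0, ESZ);
	e[0] = valid ? 1 : 0;
	e[4] = next & 0xff;         e[5] = (next >> 8) & 0xff;
	e[6] = (next >> 16) & 0xff; e[7] = (next >> 24) & 0xff;
}

/* Entry callback: >0 entries to skip, 0 end of table, <0 error.
 * It counts every entry it is handed via `opaque`. */
static int model_entry_fn(int id, const unsigned char *entry, void *opaque)
{
	int *visited = opaque;
	uint32_t next = entry[4] | entry[5] << 8 | entry[6] << 16 |
			(uint32_t)entry[7] << 24;
	(void)id;
	(*visited)++;
	if (!(entry[0] & 1))
		return 0;
	return (int)next;
}

/* The remaining-length loop. `len` is ssize_t as in the patch; with
 * `unsigned_len` set the condition is evaluated as with `unsigned long len`,
 * so a negative remainder reads as a huge positive number. */
static int model_scan(uint64_t base, int size, int unsigned_len, int *visited)
{
	ssize_t len = size;
	int id = 0;
	uint64_t gpa = base;
	unsigned char entry[ESZ];

	*visited = 0;
	while (unsigned_len ? (unsigned long)len > 0 : len > 0) {
		int next_offset;
		size_t byte_offset;

		if (model_read_guest(gpa, entry, ESZ))
			return -1;            /* ran off the end of guest memory */
		next_offset = model_entry_fn(id, entry, visited);
		if (next_offset <= 0)
			return next_offset;

		byte_offset = (size_t)next_offset * ESZ;
		id += next_offset;
		gpa += byte_offset;
		len -= (ssize_t)byte_offset;  /* negative once an entry points past the table */
	}
	return 1;                             /* walked exactly to the table's end */
}

/* Build the constructed table and scan it once. Every entry in guest memory
 * is valid and chains to its neighbour, except the table's second entry,
 * which jumps 9 entries ahead, past the 4-entry table (the "big offset"). */
static int run_scan(int unsigned_len, int *visited)
{
	int i;
	for (i = 0; i < MEM_ENTS; i++)
		put_entry(i, 1, 1);
	put_entry(1, 1, 9);
	return model_scan(0, TABLE_ENTS * ESZ, unsigned_len, visited);
}

static int scan_ret(int unsigned_len) { int v; return run_scan(unsigned_len, &v); }
static int scan_visited(int unsigned_len) { int v; run_scan(unsigned_len, &v); return v; }

int main(void)
{
	printf("unsigned len: ret=%d, entries handled=%d\n", scan_ret(1), scan_visited(1));
	printf("ssize_t len:  ret=%d, entries handled=%d\n", scan_ret(0), scan_visited(0));
	return 0;
}
```

With the unsigned condition the scan keeps reading entries 10 through 15, which are outside the table, and only stops when the read itself fails; with the signed condition it stops after the second entry. Note that the signed version reports success (1) in that case, which is exactly the question raised in the reply: the offset pointed outside the table, so a caller cannot tell a truncated restore from a clean one.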