public inbox for linux-kernel@vger.kernel.org
From: Sasha Levin <Alexander.Levin@microsoft.com>
To: "linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
	"stable@vger.kernel.org" <stable@vger.kernel.org>
Cc: Paul Mackerras <paulus@ozlabs.org>,
	Sasha Levin <Alexander.Levin@microsoft.com>
Subject: [PATCH AUTOSEL for 4.15 007/102] KVM: PPC: Book3S HV: Avoid shifts by negative amounts
Date: Sat, 3 Mar 2018 22:24:12 +0000	[thread overview]
Message-ID: <20180303222318.26006-7-alexander.levin@microsoft.com> (raw)
In-Reply-To: <20180303222318.26006-1-alexander.levin@microsoft.com>

From: Paul Mackerras <paulus@ozlabs.org>

[ Upstream commit cda2eaa35948893d70145490d5d6ded546fc3bc6 ]

The kvmppc_hpte_page_shifts function decodes the actual and base page
sizes for a HPTE, returning -1 if it doesn't recognize the page size
encoding.  This then gets used as a shift amount in various places,
which is undefined behaviour.  This was reported by Coverity.

In fact this should never occur, since we should only get HPTEs in the
HPT which have a recognized page size encoding.  The only place where
this might not be true is in the call to kvmppc_actual_pgsz() near the
beginning of kvmppc_do_h_enter(), where we are validating the HPTE
value passed in from the guest.

So to fix this and eliminate the undefined behaviour, we make
kvmppc_hpte_page_shifts return 0 for unrecognized page size encodings,
and make kvmppc_actual_pgsz() detect that case and return 0 for the
page size, which will then cause kvmppc_do_h_enter() to return an
error and refuse to insert any HPTE with an unrecognized page size
encoding.

To ensure that we don't get undefined behaviour in compute_tlbie_rb(),
we take the 4k page size path for any unrecognized page size encoding.
This should never be hit in practice because it is only used on HPTE
values which have previously been checked for having a recognized
page size encoding.

Signed-off-by: Paul Mackerras <paulus@ozlabs.org>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
---
 arch/powerpc/include/asm/kvm_book3s_64.h | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)

diff --git a/arch/powerpc/include/asm/kvm_book3s_64.h b/arch/powerpc/include/asm/kvm_book3s_64.h
index 735cfa35298a..998f7b7aaa9e 100644
--- a/arch/powerpc/include/asm/kvm_book3s_64.h
+++ b/arch/powerpc/include/asm/kvm_book3s_64.h
@@ -122,13 +122,13 @@ static inline int kvmppc_hpte_page_shifts(unsigned long h, unsigned long l)
 	lphi = (l >> 16) & 0xf;
 	switch ((l >> 12) & 0xf) {
 	case 0:
-		return !lphi ? 24 : -1;		/* 16MB */
+		return !lphi ? 24 : 0;		/* 16MB */
 		break;
 	case 1:
 		return 16;			/* 64kB */
 		break;
 	case 3:
-		return !lphi ? 34 : -1;		/* 16GB */
+		return !lphi ? 34 : 0;		/* 16GB */
 		break;
 	case 7:
 		return (16 << 8) + 12;		/* 64kB in 4kB */
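Review bot: changing the `case 0` and `case 3` sentinel from -1 to 0 is unambiguous only because no recognised encoding in this switch yields 0 (every visible return is 16, 24 or 34, or a packed `(x << 8) + 12` form), so a one-line comment at the top of the function stating that 0 means "unrecognised" would stop a future encoding from colliding with it. Since these two lines are being touched anyway, the `break;` immediately following each `return` is unreachable and could be dropped in the same change.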
@@ -140,7 +140,7 @@ static inline int kvmppc_hpte_page_shifts(unsigned long h, unsigned long l)
 			return (24 << 8) + 12;	/* 16MB in 4kB */
 		break;
 	}
-	return -1;
+	return 0;
 }
 
 static inline int kvmppc_hpte_base_page_shift(unsigned long h, unsigned long l)
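Review bot: the trailing `return -1` becoming `return 0` changes the error contract of kvmppc_hpte_page_shifts(), and the diffstat shows only this header being touched; any caller in a .c file that still tests the result with `< 0` or `== -1` (directly or through the base/actual wrappers) would now silently treat an unrecognised encoding as valid. A `git grep` for such comparisons against these three helpers before merging would confirm that none remain.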
@@ -159,7 +159,11 @@ static inline int kvmppc_hpte_actual_page_shift(unsigned long h, unsigned long l
 
 static inline unsigned long kvmppc_actual_pgsz(unsigned long v, unsigned long r)
 {
-	return 1ul << kvmppc_hpte_actual_page_shift(v, r);
+	int shift = kvmppc_hpte_actual_page_shift(v, r);
+
+	if (shift)
+		return 1ul << shift;
+	return 0;
 }
 
 static inline int kvmppc_pgsize_lp_encoding(int base_shift, int actual_shift)
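Review bot: `if (shift)` is correct given that the decoder now returns 0, but `if (shift > 0)` costs nothing and also keeps a negative value out of `1ul << shift` should the decoder ever regain a negative sentinel. The new contract is worth a comment on kvmppc_actual_pgsz() itself: it returns 0 for an HPTE whose page size encoding is unrecognised, and the commit message relies on kvmppc_do_h_enter() turning that 0 into a rejection of the guest-supplied HPTE rather than inserting it.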
@@ -232,7 +236,7 @@ static inline unsigned long compute_tlbie_rb(unsigned long v, unsigned long r,
 		va_low ^= v >> (SID_SHIFT_1T - 16);
 	va_low &= 0x7ff;
 
-	if (b_pgshift == 12) {
+	if (b_pgshift <= 12) {
 		if (a_pgshift > 12) {
 			sllp = (a_pgshift == 16) ? 5 : 4;
 			rb |= sllp << 5;	/*  AP field */
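Review bot: `b_pgshift <= 12` folds the unrecognised case (now 0) into the 4k path, which removes the undefined shift but does so silently; since the commit message says this branch should be unreachable because callers validate the HPTE first, a `WARN_ON_ONCE(b_pgshift < 12)` here would turn a future validation gap into a visible report instead of a quietly wrong tlbie operand. If `a_pgshift` can likewise be 0 for a bad actual-size encoding, the existing `a_pgshift > 12` test already keeps it out of the AP field computation, which is fine, but a comment saying so would help the next reader.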
-- 
2.14.1
