Date: Wed, 16 Jul 2025 14:20:29 -0600
From: Alex Williamson To: Artem Sadovnikov Cc: kvm@vger.kernel.org, Yishai Hadas , Jason Gunthorpe , Shameer Kolothum , Kevin Tian , linux-kernel@vger.kernel.org, lvc-project@linuxtesting.org Subject: Re: [PATCH v2] vfio/mlx5: fix possible overflow in tracking max message size Message-ID: <20250716142029.36ee1475.alex.williamson@redhat.com> In-Reply-To: <20250701144017.2410-2-a.sadovnikov@ispras.ru> References: <20250701144017.2410-2-a.sadovnikov@ispras.ru> X-Mailer: Claws Mail 4.3.1 (GTK 3.24.43; x86_64-redhat-linux-gnu) Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit On Tue, 1 Jul 2025 14:40:17 +0000 Artem Sadovnikov wrote: > MLX cap pg_track_log_max_msg_size consists of 5 bits, value of which is > used as power of 2 for max_msg_size. This can lead to multiplication > overflow between max_msg_size (u32) and integer constant, and afterwards > incorrect value is being written to rq_size. > > Fix this issue by extending integer constant to u64 type. > > Found by Linux Verification Center (linuxtesting.org) with SVACE. > > Suggested-by: Alex Williamson > Signed-off-by: Artem Sadovnikov > --- > Changes from v1: > - The constant type was changed instead of variable type. > - The patch name was accidentally cut and is now fixed. > - LKML: https://lore.kernel.org/all/20250629095843.13349-1-a.sadovnikov@ispras.ru/ > --- > drivers/vfio/pci/mlx5/cmd.c | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > > diff --git a/drivers/vfio/pci/mlx5/cmd.c b/drivers/vfio/pci/mlx5/cmd.c > index 5b919a0b2524..a92b095b90f6 100644 > --- a/drivers/vfio/pci/mlx5/cmd.c > +++ b/drivers/vfio/pci/mlx5/cmd.c 
> @@ -1523,8 +1523,8 @@ int mlx5vf_start_page_tracker(struct vfio_device *vdev, > log_max_msg_size = MLX5_CAP_ADV_VIRTUALIZATION(mdev, pg_track_log_max_msg_size); > max_msg_size = (1ULL << log_max_msg_size); > /* The RQ must hold at least 4 WQEs/messages for successful QP creation */ > - if (rq_size < 4 * max_msg_size) > - rq_size = 4 * max_msg_size; > + if (rq_size < 4ULL * max_msg_size) > + rq_size = 4ULL * max_msg_size; > > memset(tracker, 0, sizeof(*tracker)); > tracker->uar = mlx5_get_uars_page(mdev); Applied to vfio next branch for v6.17. Thanks, Alex
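Review bot: the `4ULL *` promotion in both the comparison and the assignment removes the 32-bit product, but the hunk does not show the declaration of rq_size, and the fix only holds if rq_size is a 64-bit type; otherwise the truncation just moves from the multiply to the assignment. The commit message would be stronger if it stated that explicitly, e.g. "rq_size is u64, so the promoted product is stored without truncation". Since pg_track_log_max_msg_size is a 5-bit field (at most 31), `1ULL << log_max_msg_size` still fits the u32 max_msg_size, so the product is the only overflow point; a short comment next to the existing "at least 4 WQEs" line recording that reasoning would save the next reader from repeating the analysis.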