[PATCH 1/2] LoongArch: KVM: Make kvm_get_vcpu_by

public inbox for stable@vger.kernel.org
 help / color / mirror / Atom feed

* [PATCH 1/2] LoongArch: KVM: Make kvm_get_vcpu_by_cpuid() more robust
@ 2026-03-22 13:53 Huacai Chen
  2026-03-22 13:53 ` [PATCH 2/2] LoongArch: KVM: Handle the case that EIOINTC's coremap is empty Huacai Chen
  2026-03-23  3:13 ` [PATCH 1/2] LoongArch: KVM: Make kvm_get_vcpu_by_cpuid() more robust Bibo Mao
  0 siblings, 2 replies; 10+ messages in thread
From: Huacai Chen @ 2026-03-22 13:53 UTC (permalink / raw)
  To: Paolo Bonzini, Huacai Chen, Tianrui Zhao, Bibo Mao
  Cc: kvm, loongarch, linux-kernel, Xuerui Wang, Jiaxun Yang,
	Huacai Chen, stable, Aurelien Jarno

kvm_get_vcpu_by_cpuid() takes a cpuid parameter whose type is int, so
cpuid can be negative. Let kvm_get_vcpu_by_cpuid() return NULL for this
case so as to make it more robust.

This fix an out-of-bounds access to kvm_arch::phyid_map::phys_map[].

Cc: <stable@vger.kernel.org>
Fixes: 73516e9da512adc ("LoongArch: KVM: Add vcpu mapping from physical cpuid")
Reported-by: Aurelien Jarno <aurel32@debian.org>
Link: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1131431
Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
---
 arch/loongarch/kvm/vcpu.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/arch/loongarch/kvm/vcpu.c b/arch/loongarch/kvm/vcpu.c
index 8ffd50a470e6..831f381a8fd1 100644
--- a/arch/loongarch/kvm/vcpu.c
+++ b/arch/loongarch/kvm/vcpu.c
@@ -588,6 +588,9 @@ struct kvm_vcpu *kvm_get_vcpu_by_cpuid(struct kvm *kvm, int cpuid)
 {
 	struct kvm_phyid_map *map;
 
+	if (cpuid < 0)
+		return NULL;
+
 	if (cpuid >= KVM_MAX_PHYID)
 		return NULL;
 
-- 
2.52.0


^ permalink raw reply related	[flat|nested] 10+ messages in thread

* [PATCH 2/2] LoongArch: KVM: Handle the case that EIOINTC's coremap is empty
  2026-03-22 13:53 [PATCH 1/2] LoongArch: KVM: Make kvm_get_vcpu_by_cpuid() more robust Huacai Chen
@ 2026-03-22 13:53 ` Huacai Chen
  2026-03-23  3:14   ` Bibo Mao
  2026-03-23  3:13 ` [PATCH 1/2] LoongArch: KVM: Make kvm_get_vcpu_by_cpuid() more robust Bibo Mao
  1 sibling, 1 reply; 10+ messages in thread
From: Huacai Chen @ 2026-03-22 13:53 UTC (permalink / raw)
  To: Paolo Bonzini, Huacai Chen, Tianrui Zhao, Bibo Mao
  Cc: kvm, loongarch, linux-kernel, Xuerui Wang, Jiaxun Yang,
	Huacai Chen, stable, Aurelien Jarno

EIOINTC's coremap in eiointc_update_sw_coremap() can be empty, currently
we get a cpuid with -1 in this case, but we actually need 0 because it's
similar as the case that cpuid >= 4.

This fix an out-of-bounds access to kvm_arch::phyid_map::phys_map[].

Cc: <stable@vger.kernel.org>
Fixes: 3956a52bc05bd81 ("LoongArch: KVM: Add EIOINTC read and write functions")
Reported-by: Aurelien Jarno <aurel32@debian.org>
Link: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1131431
Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
---
 arch/loongarch/kvm/intc/eiointc.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/loongarch/kvm/intc/eiointc.c b/arch/loongarch/kvm/intc/eiointc.c
index d2acb4d09e73..c7badc813923 100644
--- a/arch/loongarch/kvm/intc/eiointc.c
+++ b/arch/loongarch/kvm/intc/eiointc.c
@@ -83,7 +83,7 @@ static inline void eiointc_update_sw_coremap(struct loongarch_eiointc *s,
 
 		if (!(s->status & BIT(EIOINTC_ENABLE_CPU_ENCODE))) {
 			cpuid = ffs(cpuid) - 1;
-			cpuid = (cpuid >= 4) ? 0 : cpuid;
+			cpuid = ((cpuid < 0) || (cpuid >= 4)) ? 0 : cpuid;
 		}
 
 		vcpu = kvm_get_vcpu_by_cpuid(s->kvm, cpuid);
-- 
2.52.0


^ permalink raw reply related	[flat|nested] 10+ messages in thread

* Re: [PATCH 2/2] LoongArch: KVM: Handle the case that EIOINTC's coremap is empty
  2026-03-22 13:53 ` [PATCH 2/2] LoongArch: KVM: Handle the case that EIOINTC's coremap is empty Huacai Chen
@ 2026-03-23  3:14   ` Bibo Mao
  0 siblings, 0 replies; 10+ messages in thread
From: Bibo Mao @ 2026-03-23  3:14 UTC (permalink / raw)
  To: Huacai Chen, Paolo Bonzini, Huacai Chen, Tianrui Zhao
  Cc: kvm, loongarch, linux-kernel, Xuerui Wang, Jiaxun Yang, stable,
	Aurelien Jarno



On 2026/3/22 下午9:53, Huacai Chen wrote:
> EIOINTC's coremap in eiointc_update_sw_coremap() can be empty, currently
> we get a cpuid with -1 in this case, but we actually need 0 because it's
> similar as the case that cpuid >= 4.
> 
> This fix an out-of-bounds access to kvm_arch::phyid_map::phys_map[].
> 
> Cc: <stable@vger.kernel.org>
> Fixes: 3956a52bc05bd81 ("LoongArch: KVM: Add EIOINTC read and write functions")
> Reported-by: Aurelien Jarno <aurel32@debian.org>
> Link: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1131431
> Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
> ---
>   arch/loongarch/kvm/intc/eiointc.c | 2 +-
>   1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/arch/loongarch/kvm/intc/eiointc.c b/arch/loongarch/kvm/intc/eiointc.c
> index d2acb4d09e73..c7badc813923 100644
> --- a/arch/loongarch/kvm/intc/eiointc.c
> +++ b/arch/loongarch/kvm/intc/eiointc.c
> @@ -83,7 +83,7 @@ static inline void eiointc_update_sw_coremap(struct loongarch_eiointc *s,
>   
>   		if (!(s->status & BIT(EIOINTC_ENABLE_CPU_ENCODE))) {
>   			cpuid = ffs(cpuid) - 1;
> -			cpuid = (cpuid >= 4) ? 0 : cpuid;
> +			cpuid = ((cpuid < 0) || (cpuid >= 4)) ? 0 : cpuid;
>   		}
>   
>   		vcpu = kvm_get_vcpu_by_cpuid(s->kvm, cpuid);
> 
Reviewed-by: Bibo Mao <maobibo@loongson.cn>


^ permalink raw reply	[flat|nested] 10+ messages in thread

* Re: [PATCH 1/2] LoongArch: KVM: Make kvm_get_vcpu_by_cpuid() more robust
  2026-03-22 13:53 [PATCH 1/2] LoongArch: KVM: Make kvm_get_vcpu_by_cpuid() more robust Huacai Chen
  2026-03-22 13:53 ` [PATCH 2/2] LoongArch: KVM: Handle the case that EIOINTC's coremap is empty Huacai Chen
@ 2026-03-23  3:13 ` Bibo Mao
  2026-03-23  7:08   ` Huacai Chen
  1 sibling, 1 reply; 10+ messages in thread
From: Bibo Mao @ 2026-03-23  3:13 UTC (permalink / raw)
  To: Huacai Chen, Paolo Bonzini, Huacai Chen, Tianrui Zhao
  Cc: kvm, loongarch, linux-kernel, Xuerui Wang, Jiaxun Yang, stable,
	Aurelien Jarno



On 2026/3/22 下午9:53, Huacai Chen wrote:
> kvm_get_vcpu_by_cpuid() takes a cpuid parameter whose type is int, so
> cpuid can be negative. Let kvm_get_vcpu_by_cpuid() return NULL for this
> case so as to make it more robust.
> 
> This fix an out-of-bounds access to kvm_arch::phyid_map::phys_map[].
> 
> Cc: <stable@vger.kernel.org>
> Fixes: 73516e9da512adc ("LoongArch: KVM: Add vcpu mapping from physical cpuid")
> Reported-by: Aurelien Jarno <aurel32@debian.org>
> Link: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1131431
> Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
> ---
>   arch/loongarch/kvm/vcpu.c | 3 +++
>   1 file changed, 3 insertions(+)
> 
> diff --git a/arch/loongarch/kvm/vcpu.c b/arch/loongarch/kvm/vcpu.c
> index 8ffd50a470e6..831f381a8fd1 100644
> --- a/arch/loongarch/kvm/vcpu.c
> +++ b/arch/loongarch/kvm/vcpu.c
> @@ -588,6 +588,9 @@ struct kvm_vcpu *kvm_get_vcpu_by_cpuid(struct kvm *kvm, int cpuid)
>   {
>   	struct kvm_phyid_map *map;
>   
> +	if (cpuid < 0)
> +		return NULL;
> +
>   	if (cpuid >= KVM_MAX_PHYID)
>   		return NULL;
>   
> 

if (cpuid < 0 || cpuid >= KVM_MAX_PHYID)?
however both are OK for me.

Reviewed-by: Bibo Mao <maobibo@loongson.cn>


^ permalink raw reply	[flat|nested] 10+ messages in thread

* Re: [PATCH 1/2] LoongArch: KVM: Make kvm_get_vcpu_by_cpuid() more robust
  2026-03-23  3:13 ` [PATCH 1/2] LoongArch: KVM: Make kvm_get_vcpu_by_cpuid() more robust Bibo Mao
@ 2026-03-23  7:08   ` Huacai Chen
  2026-03-23  7:56     ` Bibo Mao
  0 siblings, 1 reply; 10+ messages in thread
From: Huacai Chen @ 2026-03-23  7:08 UTC (permalink / raw)
  To: Bibo Mao
  Cc: Huacai Chen, Paolo Bonzini, Tianrui Zhao, kvm, loongarch,
	linux-kernel, Xuerui Wang, Jiaxun Yang, stable, Aurelien Jarno

On Mon, Mar 23, 2026 at 11:16 AM Bibo Mao <maobibo@loongson.cn> wrote:
>
>
>
> On 2026/3/22 下午9:53, Huacai Chen wrote:
> > kvm_get_vcpu_by_cpuid() takes a cpuid parameter whose type is int, so
> > cpuid can be negative. Let kvm_get_vcpu_by_cpuid() return NULL for this
> > case so as to make it more robust.
> >
> > This fix an out-of-bounds access to kvm_arch::phyid_map::phys_map[].
> >
> > Cc: <stable@vger.kernel.org>
> > Fixes: 73516e9da512adc ("LoongArch: KVM: Add vcpu mapping from physical cpuid")
> > Reported-by: Aurelien Jarno <aurel32@debian.org>
> > Link: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1131431
> > Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
> > ---
> >   arch/loongarch/kvm/vcpu.c | 3 +++
> >   1 file changed, 3 insertions(+)
> >
> > diff --git a/arch/loongarch/kvm/vcpu.c b/arch/loongarch/kvm/vcpu.c
> > index 8ffd50a470e6..831f381a8fd1 100644
> > --- a/arch/loongarch/kvm/vcpu.c
> > +++ b/arch/loongarch/kvm/vcpu.c
> > @@ -588,6 +588,9 @@ struct kvm_vcpu *kvm_get_vcpu_by_cpuid(struct kvm *kvm, int cpuid)
> >   {
> >       struct kvm_phyid_map *map;
> >
> > +     if (cpuid < 0)
> > +             return NULL;
> > +
> >       if (cpuid >= KVM_MAX_PHYID)
> >               return NULL;
> >
> >
>
> if (cpuid < 0 || cpuid >= KVM_MAX_PHYID)?
> however both are OK for me.
I use a similar style as kvm_get_vcpu_by_id(). :)

But there is another warning which can't be solved by this series (and
I doubt whether it can be solved unless revert 01a8e68396a6d51f5b).
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1131431

Huacai

>
> Reviewed-by: Bibo Mao <maobibo@loongson.cn>
>

^ permalink raw reply	[flat|nested] 10+ messages in thread

* Re: [PATCH 1/2] LoongArch: KVM: Make kvm_get_vcpu_by_cpuid() more robust
  2026-03-23  7:08   ` Huacai Chen
@ 2026-03-23  7:56     ` Bibo Mao
  2026-03-23  8:08       ` Bibo Mao
                         ` (2 more replies)
  0 siblings, 3 replies; 10+ messages in thread
From: Bibo Mao @ 2026-03-23  7:56 UTC (permalink / raw)
  To: Huacai Chen
  Cc: Huacai Chen, Paolo Bonzini, Tianrui Zhao, kvm, loongarch,
	linux-kernel, Xuerui Wang, Jiaxun Yang, stable, Aurelien Jarno



On 2026/3/23 下午3:08, Huacai Chen wrote:
> On Mon, Mar 23, 2026 at 11:16 AM Bibo Mao <maobibo@loongson.cn> wrote:
>>
>>
>>
>> On 2026/3/22 下午9:53, Huacai Chen wrote:
>>> kvm_get_vcpu_by_cpuid() takes a cpuid parameter whose type is int, so
>>> cpuid can be negative. Let kvm_get_vcpu_by_cpuid() return NULL for this
>>> case so as to make it more robust.
>>>
>>> This fix an out-of-bounds access to kvm_arch::phyid_map::phys_map[].
>>>
>>> Cc: <stable@vger.kernel.org>
>>> Fixes: 73516e9da512adc ("LoongArch: KVM: Add vcpu mapping from physical cpuid")
>>> Reported-by: Aurelien Jarno <aurel32@debian.org>
>>> Link: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1131431
>>> Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
>>> ---
>>>    arch/loongarch/kvm/vcpu.c | 3 +++
>>>    1 file changed, 3 insertions(+)
>>>
>>> diff --git a/arch/loongarch/kvm/vcpu.c b/arch/loongarch/kvm/vcpu.c
>>> index 8ffd50a470e6..831f381a8fd1 100644
>>> --- a/arch/loongarch/kvm/vcpu.c
>>> +++ b/arch/loongarch/kvm/vcpu.c
>>> @@ -588,6 +588,9 @@ struct kvm_vcpu *kvm_get_vcpu_by_cpuid(struct kvm *kvm, int cpuid)
>>>    {
>>>        struct kvm_phyid_map *map;
>>>
>>> +     if (cpuid < 0)
>>> +             return NULL;
>>> +
>>>        if (cpuid >= KVM_MAX_PHYID)
>>>                return NULL;
>>>
>>>
>>
>> if (cpuid < 0 || cpuid >= KVM_MAX_PHYID)?
>> however both are OK for me.
> I use a similar style as kvm_get_vcpu_by_id(). :)
> 
> But there is another warning which can't be solved by this series (and
> I doubt whether it can be solved unless revert 01a8e68396a6d51f5b).
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1131431

what is the kernel config file with bug
    https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1131431

kvm_eiointc_regs_access() seems has problem, it need convert to void * 
before arithmetic operation. I do not know whether this patch can solve 
this bug.

diff --git a/arch/loongarch/kvm/intc/eiointc.c 
b/arch/loongarch/kvm/intc/eiointc.c
index d2acb4d09e73..71bd67b57338 100644
--- a/arch/loongarch/kvm/intc/eiointc.c
+++ b/arch/loongarch/kvm/intc/eiointc.c
@@ -472,34 +472,34 @@ static int kvm_eiointc_regs_access(struct 
kvm_device *dev,
         switch (addr) {
         case EIOINTC_NODETYPE_START ... EIOINTC_NODETYPE_END:
                 offset = (addr - EIOINTC_NODETYPE_START) / 4;
-               p = s->nodetype + offset * 4;
+               p = (void *)s->nodetype + offset * 4;
                 break;
         case EIOINTC_IPMAP_START ... EIOINTC_IPMAP_END:
                 offset = (addr - EIOINTC_IPMAP_START) / 4;
-               p = &s->ipmap + offset * 4;
+               p = (void *)&s->ipmap + offset * 4;
                 break;
         case EIOINTC_ENABLE_START ... EIOINTC_ENABLE_END:
                 offset = (addr - EIOINTC_ENABLE_START) / 4;
-               p = s->enable + offset * 4;
+               p = (void *)s->enable + offset * 4;
                 break;
         case EIOINTC_BOUNCE_START ... EIOINTC_BOUNCE_END:
                 offset = (addr - EIOINTC_BOUNCE_START) / 4;
-               p = s->bounce + offset * 4;
+               p = (void *)s->bounce + offset * 4;
                 break;
         case EIOINTC_ISR_START ... EIOINTC_ISR_END:
                 offset = (addr - EIOINTC_ISR_START) / 4;
-               p = s->isr + offset * 4;
+               p = (void *)s->isr + offset * 4;
                 break;
         case EIOINTC_COREISR_START ... EIOINTC_COREISR_END:
                 if (cpu >= s->num_cpu)
                         return -EINVAL;

                 offset = (addr - EIOINTC_COREISR_START) / 4;
-               p = s->coreisr[cpu] + offset * 4;
+               p = (void *)s->coreisr[cpu] + offset * 4;
                 break;
         case EIOINTC_COREMAP_START ... EIOINTC_COREMAP_END:
                 offset = (addr - EIOINTC_COREMAP_START) / 4;
-               p = s->coremap + offset * 4;
+               p = (void *)s->coremap + offset * 4;
                 break;
         default:
                 kvm_err("%s: unknown eiointc register, addr = %d\n", 
__func__, addr);


Regards
Bibo Mao
> 
> Huacai
> 
>>
>> Reviewed-by: Bibo Mao <maobibo@loongson.cn>
>>


^ permalink raw reply related	[flat|nested] 10+ messages in thread

* Re: [PATCH 1/2] LoongArch: KVM: Make kvm_get_vcpu_by_cpuid() more robust
  2026-03-23  7:56     ` Bibo Mao
@ 2026-03-23  8:08       ` Bibo Mao
  2026-03-23  8:14       ` Huacai Chen
  2026-03-23 18:36       ` Aurelien Jarno
  2 siblings, 0 replies; 10+ messages in thread
From: Bibo Mao @ 2026-03-23  8:08 UTC (permalink / raw)
  To: Huacai Chen
  Cc: Huacai Chen, Paolo Bonzini, Tianrui Zhao, kvm, loongarch,
	linux-kernel, Xuerui Wang, Jiaxun Yang, stable, Aurelien Jarno



On 2026/3/23 下午3:56, Bibo Mao wrote:
> 
> 
> On 2026/3/23 下午3:08, Huacai Chen wrote:
>> On Mon, Mar 23, 2026 at 11:16 AM Bibo Mao <maobibo@loongson.cn> wrote:
>>>
>>>
>>>
>>> On 2026/3/22 下午9:53, Huacai Chen wrote:
>>>> kvm_get_vcpu_by_cpuid() takes a cpuid parameter whose type is int, so
>>>> cpuid can be negative. Let kvm_get_vcpu_by_cpuid() return NULL for this
>>>> case so as to make it more robust.
>>>>
>>>> This fix an out-of-bounds access to kvm_arch::phyid_map::phys_map[].
>>>>
>>>> Cc: <stable@vger.kernel.org>
>>>> Fixes: 73516e9da512adc ("LoongArch: KVM: Add vcpu mapping from 
>>>> physical cpuid")
>>>> Reported-by: Aurelien Jarno <aurel32@debian.org>
>>>> Link: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1131431
>>>> Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
>>>> ---
>>>>    arch/loongarch/kvm/vcpu.c | 3 +++
>>>>    1 file changed, 3 insertions(+)
>>>>
>>>> diff --git a/arch/loongarch/kvm/vcpu.c b/arch/loongarch/kvm/vcpu.c
>>>> index 8ffd50a470e6..831f381a8fd1 100644
>>>> --- a/arch/loongarch/kvm/vcpu.c
>>>> +++ b/arch/loongarch/kvm/vcpu.c
>>>> @@ -588,6 +588,9 @@ struct kvm_vcpu *kvm_get_vcpu_by_cpuid(struct 
>>>> kvm *kvm, int cpuid)
>>>>    {
>>>>        struct kvm_phyid_map *map;
>>>>
>>>> +     if (cpuid < 0)
>>>> +             return NULL;
>>>> +
>>>>        if (cpuid >= KVM_MAX_PHYID)
>>>>                return NULL;
>>>>
>>>>
>>>
>>> if (cpuid < 0 || cpuid >= KVM_MAX_PHYID)?
>>> however both are OK for me.
>> I use a similar style as kvm_get_vcpu_by_id(). :)
>>
>> But there is another warning which can't be solved by this series (and
>> I doubt whether it can be solved unless revert 01a8e68396a6d51f5b).
>> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1131431
> 
> what is the kernel config file with bug
>     https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1131431
> 
> kvm_eiointc_regs_access() seems has problem, it need convert to void * 
> before arithmetic operation. I do not know whether this patch can solve 
> this bug.
It is introduced by patch d3e43a1f34ac ("LoongArch: KVM: Use 64-bit 
register definition for EIOINTC").

Regards
Bibo Mao
> 
> diff --git a/arch/loongarch/kvm/intc/eiointc.c 
> b/arch/loongarch/kvm/intc/eiointc.c
> index d2acb4d09e73..71bd67b57338 100644
> --- a/arch/loongarch/kvm/intc/eiointc.c
> +++ b/arch/loongarch/kvm/intc/eiointc.c
> @@ -472,34 +472,34 @@ static int kvm_eiointc_regs_access(struct 
> kvm_device *dev,
>          switch (addr) {
>          case EIOINTC_NODETYPE_START ... EIOINTC_NODETYPE_END:
>                  offset = (addr - EIOINTC_NODETYPE_START) / 4;
> -               p = s->nodetype + offset * 4;
> +               p = (void *)s->nodetype + offset * 4;
>                  break;
>          case EIOINTC_IPMAP_START ... EIOINTC_IPMAP_END:
>                  offset = (addr - EIOINTC_IPMAP_START) / 4;
> -               p = &s->ipmap + offset * 4;
> +               p = (void *)&s->ipmap + offset * 4;
>                  break;
>          case EIOINTC_ENABLE_START ... EIOINTC_ENABLE_END:
>                  offset = (addr - EIOINTC_ENABLE_START) / 4;
> -               p = s->enable + offset * 4;
> +               p = (void *)s->enable + offset * 4;
>                  break;
>          case EIOINTC_BOUNCE_START ... EIOINTC_BOUNCE_END:
>                  offset = (addr - EIOINTC_BOUNCE_START) / 4;
> -               p = s->bounce + offset * 4;
> +               p = (void *)s->bounce + offset * 4;
>                  break;
>          case EIOINTC_ISR_START ... EIOINTC_ISR_END:
>                  offset = (addr - EIOINTC_ISR_START) / 4;
> -               p = s->isr + offset * 4;
> +               p = (void *)s->isr + offset * 4;
>                  break;
>          case EIOINTC_COREISR_START ... EIOINTC_COREISR_END:
>                  if (cpu >= s->num_cpu)
>                          return -EINVAL;
> 
>                  offset = (addr - EIOINTC_COREISR_START) / 4;
> -               p = s->coreisr[cpu] + offset * 4;
> +               p = (void *)s->coreisr[cpu] + offset * 4;
>                  break;
>          case EIOINTC_COREMAP_START ... EIOINTC_COREMAP_END:
>                  offset = (addr - EIOINTC_COREMAP_START) / 4;
> -               p = s->coremap + offset * 4;
> +               p = (void *)s->coremap + offset * 4;
>                  break;
>          default:
>                  kvm_err("%s: unknown eiointc register, addr = %d\n", 
> __func__, addr);
> 
> 
> Regards
> Bibo Mao
>>
>> Huacai
>>
>>>
>>> Reviewed-by: Bibo Mao <maobibo@loongson.cn>
>>>


^ permalink raw reply	[flat|nested] 10+ messages in thread

* Re: [PATCH 1/2] LoongArch: KVM: Make kvm_get_vcpu_by_cpuid() more robust
  2026-03-23  7:56     ` Bibo Mao
  2026-03-23  8:08       ` Bibo Mao
@ 2026-03-23  8:14       ` Huacai Chen
  2026-03-23  9:40         ` Bibo Mao
  2026-03-23 18:36       ` Aurelien Jarno
  2 siblings, 1 reply; 10+ messages in thread
From: Huacai Chen @ 2026-03-23  8:14 UTC (permalink / raw)
  To: Bibo Mao
  Cc: Huacai Chen, Paolo Bonzini, Tianrui Zhao, kvm, loongarch,
	linux-kernel, Xuerui Wang, Jiaxun Yang, stable, Aurelien Jarno

On Mon, Mar 23, 2026 at 3:59 PM Bibo Mao <maobibo@loongson.cn> wrote:
>
>
>
> On 2026/3/23 下午3:08, Huacai Chen wrote:
> > On Mon, Mar 23, 2026 at 11:16 AM Bibo Mao <maobibo@loongson.cn> wrote:
> >>
> >>
> >>
> >> On 2026/3/22 下午9:53, Huacai Chen wrote:
> >>> kvm_get_vcpu_by_cpuid() takes a cpuid parameter whose type is int, so
> >>> cpuid can be negative. Let kvm_get_vcpu_by_cpuid() return NULL for this
> >>> case so as to make it more robust.
> >>>
> >>> This fix an out-of-bounds access to kvm_arch::phyid_map::phys_map[].
> >>>
> >>> Cc: <stable@vger.kernel.org>
> >>> Fixes: 73516e9da512adc ("LoongArch: KVM: Add vcpu mapping from physical cpuid")
> >>> Reported-by: Aurelien Jarno <aurel32@debian.org>
> >>> Link: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1131431
> >>> Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
> >>> ---
> >>>    arch/loongarch/kvm/vcpu.c | 3 +++
> >>>    1 file changed, 3 insertions(+)
> >>>
> >>> diff --git a/arch/loongarch/kvm/vcpu.c b/arch/loongarch/kvm/vcpu.c
> >>> index 8ffd50a470e6..831f381a8fd1 100644
> >>> --- a/arch/loongarch/kvm/vcpu.c
> >>> +++ b/arch/loongarch/kvm/vcpu.c
> >>> @@ -588,6 +588,9 @@ struct kvm_vcpu *kvm_get_vcpu_by_cpuid(struct kvm *kvm, int cpuid)
> >>>    {
> >>>        struct kvm_phyid_map *map;
> >>>
> >>> +     if (cpuid < 0)
> >>> +             return NULL;
> >>> +
> >>>        if (cpuid >= KVM_MAX_PHYID)
> >>>                return NULL;
> >>>
> >>>
> >>
> >> if (cpuid < 0 || cpuid >= KVM_MAX_PHYID)?
> >> however both are OK for me.
> > I use a similar style as kvm_get_vcpu_by_id(). :)
> >
> > But there is another warning which can't be solved by this series (and
> > I doubt whether it can be solved unless revert 01a8e68396a6d51f5b).
> > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1131431
>
> what is the kernel config file with bug
>     https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1131431
I don't know exactly, but it needs CONFIG_FORTIFY_SOURCE.

Huacai

>
> kvm_eiointc_regs_access() seems has problem, it need convert to void *
> before arithmetic operation. I do not know whether this patch can solve
> this bug.
>
> diff --git a/arch/loongarch/kvm/intc/eiointc.c
> b/arch/loongarch/kvm/intc/eiointc.c
> index d2acb4d09e73..71bd67b57338 100644
> --- a/arch/loongarch/kvm/intc/eiointc.c
> +++ b/arch/loongarch/kvm/intc/eiointc.c
> @@ -472,34 +472,34 @@ static int kvm_eiointc_regs_access(struct
> kvm_device *dev,
>          switch (addr) {
>          case EIOINTC_NODETYPE_START ... EIOINTC_NODETYPE_END:
>                  offset = (addr - EIOINTC_NODETYPE_START) / 4;
> -               p = s->nodetype + offset * 4;
> +               p = (void *)s->nodetype + offset * 4;
>                  break;
>          case EIOINTC_IPMAP_START ... EIOINTC_IPMAP_END:
>                  offset = (addr - EIOINTC_IPMAP_START) / 4;
> -               p = &s->ipmap + offset * 4;
> +               p = (void *)&s->ipmap + offset * 4;
>                  break;
>          case EIOINTC_ENABLE_START ... EIOINTC_ENABLE_END:
>                  offset = (addr - EIOINTC_ENABLE_START) / 4;
> -               p = s->enable + offset * 4;
> +               p = (void *)s->enable + offset * 4;
>                  break;
>          case EIOINTC_BOUNCE_START ... EIOINTC_BOUNCE_END:
>                  offset = (addr - EIOINTC_BOUNCE_START) / 4;
> -               p = s->bounce + offset * 4;
> +               p = (void *)s->bounce + offset * 4;
>                  break;
>          case EIOINTC_ISR_START ... EIOINTC_ISR_END:
>                  offset = (addr - EIOINTC_ISR_START) / 4;
> -               p = s->isr + offset * 4;
> +               p = (void *)s->isr + offset * 4;
>                  break;
>          case EIOINTC_COREISR_START ... EIOINTC_COREISR_END:
>                  if (cpu >= s->num_cpu)
>                          return -EINVAL;
>
>                  offset = (addr - EIOINTC_COREISR_START) / 4;
> -               p = s->coreisr[cpu] + offset * 4;
> +               p = (void *)s->coreisr[cpu] + offset * 4;
>                  break;
>          case EIOINTC_COREMAP_START ... EIOINTC_COREMAP_END:
>                  offset = (addr - EIOINTC_COREMAP_START) / 4;
> -               p = s->coremap + offset * 4;
> +               p = (void *)s->coremap + offset * 4;
>                  break;
>          default:
>                  kvm_err("%s: unknown eiointc register, addr = %d\n",
> __func__, addr);
>
>
> Regards
> Bibo Mao
> >
> > Huacai
> >
> >>
> >> Reviewed-by: Bibo Mao <maobibo@loongson.cn>
> >>
>
>

^ permalink raw reply	[flat|nested] 10+ messages in thread

* Re: [PATCH 1/2] LoongArch: KVM: Make kvm_get_vcpu_by_cpuid() more robust
  2026-03-23  8:14       ` Huacai Chen
@ 2026-03-23  9:40         ` Bibo Mao
  0 siblings, 0 replies; 10+ messages in thread
From: Bibo Mao @ 2026-03-23  9:40 UTC (permalink / raw)
  To: Huacai Chen
  Cc: Huacai Chen, Paolo Bonzini, Tianrui Zhao, kvm, loongarch,
	linux-kernel, Xuerui Wang, Jiaxun Yang, stable, Aurelien Jarno



On 2026/3/23 下午4:14, Huacai Chen wrote:
> On Mon, Mar 23, 2026 at 3:59 PM Bibo Mao <maobibo@loongson.cn> wrote:
>>
>>
>>
>> On 2026/3/23 下午3:08, Huacai Chen wrote:
>>> On Mon, Mar 23, 2026 at 11:16 AM Bibo Mao <maobibo@loongson.cn> wrote:
>>>>
>>>>
>>>>
>>>> On 2026/3/22 下午9:53, Huacai Chen wrote:
>>>>> kvm_get_vcpu_by_cpuid() takes a cpuid parameter whose type is int, so
>>>>> cpuid can be negative. Let kvm_get_vcpu_by_cpuid() return NULL for this
>>>>> case so as to make it more robust.
>>>>>
>>>>> This fix an out-of-bounds access to kvm_arch::phyid_map::phys_map[].
>>>>>
>>>>> Cc: <stable@vger.kernel.org>
>>>>> Fixes: 73516e9da512adc ("LoongArch: KVM: Add vcpu mapping from physical cpuid")
>>>>> Reported-by: Aurelien Jarno <aurel32@debian.org>
>>>>> Link: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1131431
>>>>> Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
>>>>> ---
>>>>>     arch/loongarch/kvm/vcpu.c | 3 +++
>>>>>     1 file changed, 3 insertions(+)
>>>>>
>>>>> diff --git a/arch/loongarch/kvm/vcpu.c b/arch/loongarch/kvm/vcpu.c
>>>>> index 8ffd50a470e6..831f381a8fd1 100644
>>>>> --- a/arch/loongarch/kvm/vcpu.c
>>>>> +++ b/arch/loongarch/kvm/vcpu.c
>>>>> @@ -588,6 +588,9 @@ struct kvm_vcpu *kvm_get_vcpu_by_cpuid(struct kvm *kvm, int cpuid)
>>>>>     {
>>>>>         struct kvm_phyid_map *map;
>>>>>
>>>>> +     if (cpuid < 0)
>>>>> +             return NULL;
>>>>> +
>>>>>         if (cpuid >= KVM_MAX_PHYID)
>>>>>                 return NULL;
>>>>>
>>>>>
>>>>
>>>> if (cpuid < 0 || cpuid >= KVM_MAX_PHYID)?
>>>> however both are OK for me.
>>> I use a similar style as kvm_get_vcpu_by_id(). :)
>>>
>>> But there is another warning which can't be solved by this series (and
>>> I doubt whether it can be solved unless revert 01a8e68396a6d51f5b).
>>> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1131431
>>
>> what is the kernel config file with bug
>>      https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1131431
> I don't know exactly, but it needs CONFIG_FORTIFY_SOURCE.
With CONFIG_FORTIFY_SOURCE enabled, this bug can be reproduced. It seems 
that it actually need be converted to void * before arithmetic operation.

Regards
Bibo Mao
> 
> Huacai
> 
>>
>> kvm_eiointc_regs_access() seems has problem, it need convert to void *
>> before arithmetic operation. I do not know whether this patch can solve
>> this bug.
>>
>> diff --git a/arch/loongarch/kvm/intc/eiointc.c
>> b/arch/loongarch/kvm/intc/eiointc.c
>> index d2acb4d09e73..71bd67b57338 100644
>> --- a/arch/loongarch/kvm/intc/eiointc.c
>> +++ b/arch/loongarch/kvm/intc/eiointc.c
>> @@ -472,34 +472,34 @@ static int kvm_eiointc_regs_access(struct
>> kvm_device *dev,
>>           switch (addr) {
>>           case EIOINTC_NODETYPE_START ... EIOINTC_NODETYPE_END:
>>                   offset = (addr - EIOINTC_NODETYPE_START) / 4;
>> -               p = s->nodetype + offset * 4;
>> +               p = (void *)s->nodetype + offset * 4;
>>                   break;
>>           case EIOINTC_IPMAP_START ... EIOINTC_IPMAP_END:
>>                   offset = (addr - EIOINTC_IPMAP_START) / 4;
>> -               p = &s->ipmap + offset * 4;
>> +               p = (void *)&s->ipmap + offset * 4;
>>                   break;
>>           case EIOINTC_ENABLE_START ... EIOINTC_ENABLE_END:
>>                   offset = (addr - EIOINTC_ENABLE_START) / 4;
>> -               p = s->enable + offset * 4;
>> +               p = (void *)s->enable + offset * 4;
>>                   break;
>>           case EIOINTC_BOUNCE_START ... EIOINTC_BOUNCE_END:
>>                   offset = (addr - EIOINTC_BOUNCE_START) / 4;
>> -               p = s->bounce + offset * 4;
>> +               p = (void *)s->bounce + offset * 4;
>>                   break;
>>           case EIOINTC_ISR_START ... EIOINTC_ISR_END:
>>                   offset = (addr - EIOINTC_ISR_START) / 4;
>> -               p = s->isr + offset * 4;
>> +               p = (void *)s->isr + offset * 4;
>>                   break;
>>           case EIOINTC_COREISR_START ... EIOINTC_COREISR_END:
>>                   if (cpu >= s->num_cpu)
>>                           return -EINVAL;
>>
>>                   offset = (addr - EIOINTC_COREISR_START) / 4;
>> -               p = s->coreisr[cpu] + offset * 4;
>> +               p = (void *)s->coreisr[cpu] + offset * 4;
>>                   break;
>>           case EIOINTC_COREMAP_START ... EIOINTC_COREMAP_END:
>>                   offset = (addr - EIOINTC_COREMAP_START) / 4;
>> -               p = s->coremap + offset * 4;
>> +               p = (void *)s->coremap + offset * 4;
>>                   break;
>>           default:
>>                   kvm_err("%s: unknown eiointc register, addr = %d\n",
>> __func__, addr);
>>
>>
>> Regards
>> Bibo Mao
>>>
>>> Huacai
>>>
>>>>
>>>> Reviewed-by: Bibo Mao <maobibo@loongson.cn>
>>>>
>>
>>


^ permalink raw reply	[flat|nested] 10+ messages in thread

* Re: [PATCH 1/2] LoongArch: KVM: Make kvm_get_vcpu_by_cpuid() more robust
  2026-03-23  7:56     ` Bibo Mao
  2026-03-23  8:08       ` Bibo Mao
  2026-03-23  8:14       ` Huacai Chen
@ 2026-03-23 18:36       ` Aurelien Jarno
  2 siblings, 0 replies; 10+ messages in thread
From: Aurelien Jarno @ 2026-03-23 18:36 UTC (permalink / raw)
  To: Bibo Mao
  Cc: Huacai Chen, Huacai Chen, Paolo Bonzini, Tianrui Zhao, kvm,
	loongarch, linux-kernel, Xuerui Wang, Jiaxun Yang, stable

Hi,

On 2026-03-23 15:56, Bibo Mao wrote:
> 
> 
> On 2026/3/23 下午3:08, Huacai Chen wrote:
> > On Mon, Mar 23, 2026 at 11:16 AM Bibo Mao <maobibo@loongson.cn> wrote:
> > > 
> > > 
> > > 
> > > On 2026/3/22 下午9:53, Huacai Chen wrote:
> > > > kvm_get_vcpu_by_cpuid() takes a cpuid parameter whose type is int, so
> > > > cpuid can be negative. Let kvm_get_vcpu_by_cpuid() return NULL for this
> > > > case so as to make it more robust.
> > > > 
> > > > This fix an out-of-bounds access to kvm_arch::phyid_map::phys_map[].
> > > > 
> > > > Cc: <stable@vger.kernel.org>
> > > > Fixes: 73516e9da512adc ("LoongArch: KVM: Add vcpu mapping from physical cpuid")
> > > > Reported-by: Aurelien Jarno <aurel32@debian.org>
> > > > Link: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1131431
> > > > Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
> > > > ---
> > > >    arch/loongarch/kvm/vcpu.c | 3 +++
> > > >    1 file changed, 3 insertions(+)
> > > > 
> > > > diff --git a/arch/loongarch/kvm/vcpu.c b/arch/loongarch/kvm/vcpu.c
> > > > index 8ffd50a470e6..831f381a8fd1 100644
> > > > --- a/arch/loongarch/kvm/vcpu.c
> > > > +++ b/arch/loongarch/kvm/vcpu.c
> > > > @@ -588,6 +588,9 @@ struct kvm_vcpu *kvm_get_vcpu_by_cpuid(struct kvm *kvm, int cpuid)
> > > >    {
> > > >        struct kvm_phyid_map *map;
> > > > 
> > > > +     if (cpuid < 0)
> > > > +             return NULL;
> > > > +
> > > >        if (cpuid >= KVM_MAX_PHYID)
> > > >                return NULL;
> > > > 
> > > > 
> > > 
> > > if (cpuid < 0 || cpuid >= KVM_MAX_PHYID)?
> > > however both are OK for me.
> > I use a similar style as kvm_get_vcpu_by_id(). :)
> > 
> > But there is another warning which can't be solved by this series (and
> > I doubt whether it can be solved unless revert 01a8e68396a6d51f5b).
> > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1131431
> 
> what is the kernel config file with bug
>    https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1131431
> 

I have just sent the kernel config to the bug report.

Regards
Aurelien

-- 
Aurelien Jarno                          GPG: 4096R/1DDD8C9B
aurelien@aurel32.net                     http://aurel32.net

^ permalink raw reply	[flat|nested] 10+ messages in thread

end of thread, other threads:[~2026-03-23 18:36 UTC | newest]

Thread overview: 10+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-03-22 13:53 [PATCH 1/2] LoongArch: KVM: Make kvm_get_vcpu_by_cpuid() more robust Huacai Chen
2026-03-22 13:53 ` [PATCH 2/2] LoongArch: KVM: Handle the case that EIOINTC's coremap is empty Huacai Chen
2026-03-23  3:14   ` Bibo Mao
2026-03-23  3:13 ` [PATCH 1/2] LoongArch: KVM: Make kvm_get_vcpu_by_cpuid() more robust Bibo Mao
2026-03-23  7:08   ` Huacai Chen
2026-03-23  7:56     ` Bibo Mao
2026-03-23  8:08       ` Bibo Mao
2026-03-23  8:14       ` Huacai Chen
2026-03-23  9:40         ` Bibo Mao
2026-03-23 18:36       ` Aurelien Jarno

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox