From: Bibo Mao
To: Tianrui Zhao, Huacai Chen, Xianglai Li
Cc: kvm@vger.kernel.org, loongarch@lists.linux.dev, linux-kernel@vger.kernel.org, stable@vger.kernel.org
Subject: [PATCH v3 5/9] LoongArch: KVM: INTC: Avoid overflow with array index
Date: Wed, 11 Jun 2025 09:46:47 +0800
Message-Id: <20250611014651.3042734-6-maobibo@loongson.cn>

Variable index is modified and reused as an array index when modifying register EIOINTC_ENABLE. There will be an array index overflow problem.

Cc: stable@vger.kernel.org
Fixes: 3956a52bc05b ("LoongArch: KVM: Add EIOINTC read and write functions")
Signed-off-by: Bibo Mao
--- arch/loongarch/kvm/intc/eiointc.c | 17 +++++++---------- 1 file changed, 7 insertions(+), 10 deletions(-) diff --git a/arch/loongarch/kvm/intc/eiointc.c b/arch/loongarch/kvm/intc/ei= ointc.c index ed80bf290755..0bc870796f56 100644 --- a/arch/loongarch/kvm/intc/eiointc.c +++ b/arch/loongarch/kvm/intc/eiointc.c
@@ -447,17 +447,16 @@ static int loongarch_eiointc_writew(struct kvm_vcpu *= vcpu, break; case EIOINTC_ENABLE_START ... EIOINTC_ENABLE_END: index =3D (offset - EIOINTC_ENABLE_START) >> 1; - old_data =3D s->enable.reg_u32[index]; + old_data =3D s->enable.reg_u16[index]; s->enable.reg_u16[index] =3D data; /* * 1: enable irq. * update irq when isr is set. */ data =3D s->enable.reg_u16[index] & ~old_data & s->isr.reg_u16[index]; - index =3D index << 1; for (i =3D 0; i < sizeof(data); i++) { u8 mask =3D (data >> (i * 8)) & 0xff; - eiointc_enable_irq(vcpu, s, index + i, mask, 1); + eiointc_enable_irq(vcpu, s, index * 2 + i, mask, 1); } /* * 0: disable irq. @@ -466,7 +465,7 @@ static int loongarch_eiointc_writew(struct kvm_vcpu *vc= pu, data =3D ~s->enable.reg_u16[index] & old_data & s->isr.reg_u16[index]; for (i =3D 0; i < sizeof(data); i++) { u8 mask =3D (data >> (i * 8)) & 0xff; - eiointc_enable_irq(vcpu, s, index, mask, 0); + eiointc_enable_irq(vcpu, s, index * 2 + i, mask, 0); } break; case EIOINTC_BOUNCE_START ... EIOINTC_BOUNCE_END: @@ -540,10 +539,9 @@ static int loongarch_eiointc_writel(struct kvm_vcpu *v= cpu, * update irq when isr is set. */ data =3D s->enable.reg_u32[index] & ~old_data & s->isr.reg_u32[index]; - index =3D index << 2; for (i =3D 0; i < sizeof(data); i++) { u8 mask =3D (data >> (i * 8)) & 0xff; - eiointc_enable_irq(vcpu, s, index + i, mask, 1); + eiointc_enable_irq(vcpu, s, index * 4 + i, mask, 1); } /* * 0: disable irq. @@ -552,7 +550,7 @@ static int loongarch_eiointc_writel(struct kvm_vcpu *vc= pu, data =3D ~s->enable.reg_u32[index] & old_data & s->isr.reg_u32[index]; for (i =3D 0; i < sizeof(data); i++) { u8 mask =3D (data >> (i * 8)) & 0xff; - eiointc_enable_irq(vcpu, s, index, mask, 0); + eiointc_enable_irq(vcpu, s, index * 4 + i, mask, 0); } break; case EIOINTC_BOUNCE_START ... EIOINTC_BOUNCE_END: 
@@ -626,10 +624,9 @@ static int loongarch_eiointc_writeq(struct kvm_vcpu *v= cpu, * update irq when isr is set. */ data =3D s->enable.reg_u64[index] & ~old_data & s->isr.reg_u64[index]; - index =3D index << 3; for (i =3D 0; i < sizeof(data); i++) { u8 mask =3D (data >> (i * 8)) & 0xff; - eiointc_enable_irq(vcpu, s, index + i, mask, 1); + eiointc_enable_irq(vcpu, s, index * 8 + i, mask, 1); } /* * 0: disable irq. @@ -638,7 +635,7 @@ static int loongarch_eiointc_writeq(struct kvm_vcpu *vc= pu, data =3D ~s->enable.reg_u64[index] & old_data & s->isr.reg_u64[index]; for (i =3D 0; i < sizeof(data); i++) { u8 mask =3D (data >> (i * 8)) & 0xff; - eiointc_enable_irq(vcpu, s, index, mask, 0); + eiointc_enable_irq(vcpu, s, index * 8 + i, mask, 0); } break; case EIOINTC_BOUNCE_START ... EIOINTC_BOUNCE_END: --=20 2.39.3
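Review bot: In the first hunk of loongarch_eiointc_writew, the old_data read changes from s->enable.reg_u32[index] to s->enable.reg_u16[index], and the commit message does not mention it. That is a separate correction from removing "index = index << 1": index is computed as (offset - EIOINTC_ENABLE_START) >> 1, a 16-bit element index, so the removed line read the 32-bit view at that index while the next line writes the 16-bit view. Please add a sentence about it to the changelog, or split it out, so the stable backport can be audited against the Fixes: commit.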
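Review bot: In the "0: disable irq" loops of writew, writel and writeq, the third argument to eiointc_enable_irq changes from index to index * 2 + i, index * 4 + i and index * 8 + i, which alters behaviour beyond the overflow named in the subject and is not described. Before this patch every iteration of the disable loop passed the same value regardless of i. The out-of-range access itself is the reuse of the already shifted index in "~s->enable.reg_u16[index] & old_data & s->isr.reg_u16[index]" and its u32/u64 equivalents, so naming that expression in the commit message would make the overflow path explicit.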
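Review bot: The multipliers in index * 2 + i, index * 4 + i and index * 8 + i are hand-matched to the access width and each expression is written twice per case, so a later edit can let them drift from the loop bound "i < sizeof(data)". Consider computing the byte base once into a separate local before the two loops and leaving index untouched, which keeps the array subscripts and the irq position visibly distinct. The declaration of data is outside the visible context; it is worth confirming that its size in each function matches the multiplier used, in particular for writew.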