From nobody Wed Oct 8 14:20:31 2025
From: Bibo Mao
To: Tianrui Zhao, Huacai Chen, Xianglai Li
Cc: kvm@vger.kernel.org, loongarch@lists.linux.dev, linux-kernel@vger.kernel.org, stable@vger.kernel.org
Subject: [PATCH v4 1/6] LoongArch: KVM: Fix interrupt route update with eiointc
Date: Fri, 27 Jun 2025 17:05:02 +0800
Message-Id: <20250627090507.808319-2-maobibo@loongson.cn>
In-Reply-To: <20250627090507.808319-1-maobibo@loongson.cn>
References: <20250627090507.808319-1-maobibo@loongson.cn>

With function eiointc_update_sw_coremap(), there is a forced assignment like val = *(u64 *)pvalue. Parameter pvalue may be a pointer to char type or others, so there is a problem with forced assignment with u64 type. Here the detailed value is passed rather than the address pointer.

Cc: stable@vger.kernel.org
Fixes: 3956a52bc05b ("LoongArch: KVM: Add EIOINTC read and write functions")
Signed-off-by: Bibo Mao
--- arch/loongarch/kvm/intc/eiointc.c | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) diff --git a/arch/loongarch/kvm/intc/eiointc.c b/arch/loongarch/kvm/intc/ei= ointc.c index f39929d7bf8a..d2c521b0e923 100644 --- a/arch/loongarch/kvm/intc/eiointc.c +++ b/arch/loongarch/kvm/intc/eiointc.c 
@@ -66,10 +66,9 @@ static void eiointc_update_irq(struct loongarch_eiointc = *s, int irq, int level) } =20 static inline void eiointc_update_sw_coremap(struct loongarch_eiointc *s, - int irq, void *pvalue, u32 len, bool notify) + int irq, u64 val, u32 len, bool notify) { int i, cpu; - u64 val =3D *(u64 *)pvalue; =20 for (i =3D 0; i < len; i++) { cpu =3D val & 0xff; @@ -398,7 +397,7 @@ static int loongarch_eiointc_writeb(struct kvm_vcpu *vc= pu, irq =3D offset - EIOINTC_COREMAP_START; index =3D irq; s->coremap.reg_u8[index] =3D data; - eiointc_update_sw_coremap(s, irq, (void *)&data, sizeof(data), true); + eiointc_update_sw_coremap(s, irq, data, sizeof(data), true); break; default: ret =3D -EINVAL; @@ -484,7 +483,7 @@ static int loongarch_eiointc_writew(struct kvm_vcpu *vc= pu, irq =3D offset - EIOINTC_COREMAP_START; index =3D irq >> 1; s->coremap.reg_u16[index] =3D data; - eiointc_update_sw_coremap(s, irq, (void *)&data, sizeof(data), true); + eiointc_update_sw_coremap(s, irq, data, sizeof(data), true); break; default: ret =3D -EINVAL; @@ -570,7 +569,7 @@ static int loongarch_eiointc_writel(struct kvm_vcpu *vc= pu, irq =3D offset - EIOINTC_COREMAP_START; index =3D irq >> 2; s->coremap.reg_u32[index] =3D data; - eiointc_update_sw_coremap(s, irq, (void *)&data, sizeof(data), true); + eiointc_update_sw_coremap(s, irq, data, sizeof(data), true); break; default: ret =3D -EINVAL; @@ -656,7 +655,7 @@ static int loongarch_eiointc_writeq(struct kvm_vcpu *vc= pu, irq =3D offset - EIOINTC_COREMAP_START; index =3D irq >> 3; s->coremap.reg_u64[index] =3D data; - eiointc_update_sw_coremap(s, irq, (void *)&data, sizeof(data), true); + eiointc_update_sw_coremap(s, irq, data, sizeof(data), true); break; default: ret =3D -EINVAL; 
@@ -809,7 +808,7 @@ static int kvm_eiointc_ctrl_access(struct kvm_device *d= ev, for (i =3D 0; i < (EIOINTC_IRQS / 4); i++) { start_irq =3D i * 4; eiointc_update_sw_coremap(s, start_irq, - (void *)&s->coremap.reg_u32[i], sizeof(u32), false); + s->coremap.reg_u32[i], sizeof(u32), false); } break; default: --=20 2.39.3
From nobody Wed Oct 8 14:20:31 2025
From: Bibo Mao
To: Tianrui Zhao, Huacai Chen, Xianglai Li
Cc: kvm@vger.kernel.org, loongarch@lists.linux.dev, linux-kernel@vger.kernel.org, stable@vger.kernel.org
Subject: [PATCH v4 2/6] LoongArch: KVM: Check interrupt route from physical cpu
Date: Fri, 27 Jun 2025 17:05:03 +0800
Message-Id: <20250627090507.808319-3-maobibo@loongson.cn>
In-Reply-To: <20250627090507.808319-1-maobibo@loongson.cn>
References: <20250627090507.808319-1-maobibo@loongson.cn>

With eiointc interrupt controller, physical cpu id is set for irq route. However function kvm_get_vcpu() is used to get destination vCPU when delivering irq. With API kvm_get_vcpu(), logical cpu is used. With API kvm_get_vcpu_by_cpuid(), vCPU can be searched from physical cpu id.

Cc: stable@vger.kernel.org
Fixes: 3956a52bc05b ("LoongArch: KVM: Add EIOINTC read and write functions")
Signed-off-by: Bibo Mao
--- arch/loongarch/kvm/intc/eiointc.c | 24 ++++++++++++++++++------ 1 file changed, 18 insertions(+), 6 deletions(-) diff --git a/arch/loongarch/kvm/intc/eiointc.c b/arch/loongarch/kvm/intc/ei= ointc.c index d2c521b0e923..0b648c56b0c3 100644 --- a/arch/loongarch/kvm/intc/eiointc.c +++ b/arch/loongarch/kvm/intc/eiointc.c @@ -9,7 +9,8 @@ =20 static void eiointc_set_sw_coreisr(struct loongarch_eiointc *s) { - int ipnum, cpu, irq_index, irq_mask, irq; + int ipnum, cpu, irq_index, irq_mask, irq, cpuid; + struct kvm_vcpu *vcpu; =20 for (irq =3D 0; irq < EIOINTC_IRQS; irq++) { ipnum =3D s->ipmap.reg_u8[irq / 32]; 
@@ -20,7 +21,12 @@ static void eiointc_set_sw_coreisr(struct loongarch_eioi= ntc *s) irq_index =3D irq / 32; irq_mask =3D BIT(irq & 0x1f); =20 - cpu =3D s->coremap.reg_u8[irq]; + cpuid =3D s->coremap.reg_u8[irq]; + vcpu =3D kvm_get_vcpu_by_cpuid(s->kvm, cpuid); + if (vcpu =3D=3D NULL) + continue; + + cpu =3D vcpu->vcpu_id; if (!!(s->coreisr.reg_u32[cpu][irq_index] & irq_mask)) set_bit(irq, s->sw_coreisr[cpu][ipnum]); else 
@@ -68,17 +74,23 @@ static void eiointc_update_irq(struct loongarch_eiointc= *s, int irq, int level) static inline void eiointc_update_sw_coremap(struct loongarch_eiointc *s, int irq, u64 val, u32 len, bool notify) { - int i, cpu; + int i, cpu, cpuid; + struct kvm_vcpu *vcpu; =20 for (i =3D 0; i < len; i++) { - cpu =3D val & 0xff; + cpuid =3D val & 0xff; val =3D val >> 8; =20 if (!(s->status & BIT(EIOINTC_ENABLE_CPU_ENCODE))) { - cpu =3D ffs(cpu) - 1; - cpu =3D (cpu >=3D 4) ? 0 : cpu; + cpuid =3D ffs(cpuid) - 1; + cpuid =3D (cpuid >=3D 4) ? 0 : cpuid; } =20 + vcpu =3D kvm_get_vcpu_by_cpuid(s->kvm, cpuid); + if (vcpu =3D=3D NULL) + continue; + + cpu =3D vcpu->vcpu_id; if (s->sw_coremap[irq + i] =3D=3D cpu) continue; =20 --=20 2.39.3
From nobody Wed Oct 8 14:20:31 2025
From: Bibo Mao
To: Tianrui Zhao, Huacai Chen, Xianglai Li
Cc: kvm@vger.kernel.org, loongarch@lists.linux.dev, linux-kernel@vger.kernel.org, stable@vger.kernel.org
Subject: [PATCH v4 3/6] LoongArch: KVM: Disable update property num_cpu and feature
Date: Fri, 27 Jun 2025 17:05:04 +0800
Message-Id: <20250627090507.808319-4-maobibo@loongson.cn>
In-Reply-To: <20250627090507.808319-1-maobibo@loongson.cn>
References: <20250627090507.808319-1-maobibo@loongson.cn>

Property num_cpu and feature is read-only once eiointc is created, which is set with KVM_DEV_LOONGARCH_EXTIOI_GRP_CTRL attr group before device creation. Attr group KVM_DEV_LOONGARCH_EXTIOI_GRP_SW_STATUS is to update register and software state for migration and reset usage, property num_cpu and feature can not be updated again if it is created already. Here discard write operation with property num_cpu and feature in attr group KVM_DEV_LOONGARCH_EXTIOI_GRP_CTRL.

Cc: stable@vger.kernel.org
Fixes: 1ad7efa552fd ("LoongArch: KVM: Add EIOINTC user mode read and write functions")
Signed-off-by: Bibo Mao --- arch/loongarch/kvm/intc/eiointc.c | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/arch/loongarch/kvm/intc/eiointc.c b/arch/loongarch/kvm/intc/ei= ointc.c index 0b648c56b0c3..b48511f903b5 100644 --- a/arch/loongarch/kvm/intc/eiointc.c +++ b/arch/loongarch/kvm/intc/eiointc.c 
@@ -910,9 +910,22 @@ static int kvm_eiointc_sw_status_access(struct kvm_dev= ice *dev, data =3D (void __user *)attr->addr; switch (addr) { case KVM_DEV_LOONGARCH_EXTIOI_SW_STATUS_NUM_CPU: + /* + * Property num_cpu and feature is read-only once eiointc is + * created with KVM_DEV_LOONGARCH_EXTIOI_GRP_CTRL group API + * + * Disable writing with KVM_DEV_LOONGARCH_EXTIOI_GRP_SW_STATUS + * group API + */ + if (is_write) + return ret; + p =3D &s->num_cpu; break; case KVM_DEV_LOONGARCH_EXTIOI_SW_STATUS_FEATURE: + if (is_write) + return ret; + p =3D &s->features; break; case KVM_DEV_LOONGARCH_EXTIOI_SW_STATUS_STATE: --=20 2.39.3
From nobody Wed Oct 8 14:20:31 2025
From: Bibo Mao
To: Tianrui Zhao, Huacai Chen, Xianglai Li
Cc: kvm@vger.kernel.org, loongarch@lists.linux.dev, linux-kernel@vger.kernel.org, stable@vger.kernel.org
Subject: [PATCH v4 4/6] LoongArch: KVM: Check validation of num_cpu from user space
Date: Fri, 27 Jun 2025 17:05:05 +0800
Message-Id: <20250627090507.808319-5-maobibo@loongson.cn>
In-Reply-To: <20250627090507.808319-1-maobibo@loongson.cn>
References: <20250627090507.808319-1-maobibo@loongson.cn>

The maximum supported cpu number is EIOINTC_ROUTE_MAX_VCPUS about irqchip eiointc, here add validation about cpu number to avoid array pointer overflow.

Cc: stable@vger.kernel.org
Fixes: 1ad7efa552fd ("LoongArch: KVM: Add EIOINTC user mode read and write functions")
Signed-off-by: Bibo Mao
--- arch/loongarch/kvm/intc/eiointc.c | 19 ++++++++++++++----- 1 file changed, 14 insertions(+), 5 deletions(-) diff --git a/arch/loongarch/kvm/intc/eiointc.c b/arch/loongarch/kvm/intc/ei= ointc.c index b48511f903b5..169fe1de2c92 100644 --- a/arch/loongarch/kvm/intc/eiointc.c +++ b/arch/loongarch/kvm/intc/eiointc.c 
@@ -798,7 +798,7 @@ static int kvm_eiointc_ctrl_access(struct kvm_device *d= ev, int ret =3D 0; unsigned long flags; unsigned long type =3D (unsigned long)attr->attr; - u32 i, start_irq; + u32 i, start_irq, val; void __user *data; struct loongarch_eiointc *s =3D dev->kvm->arch.eiointc; =20 @@ -806,8 +806,14 @@ static int kvm_eiointc_ctrl_access(struct kvm_device *= dev, spin_lock_irqsave(&s->lock, flags); switch (type) { case KVM_DEV_LOONGARCH_EXTIOI_CTRL_INIT_NUM_CPU: - if (copy_from_user(&s->num_cpu, data, 4)) + if (copy_from_user(&val, data, 4)) ret =3D -EFAULT; + else { + if (val < EIOINTC_ROUTE_MAX_VCPUS) + s->num_cpu =3D val; + else + ret =3D -EINVAL; + } break; case KVM_DEV_LOONGARCH_EXTIOI_CTRL_INIT_FEATURE: if (copy_from_user(&s->features, data, 4)) @@ -835,7 +841,7 @@ static int kvm_eiointc_regs_access(struct kvm_device *d= ev, struct kvm_device_attr *attr, bool is_write) { - int addr, cpuid, offset, ret =3D 0; + int addr, cpu, offset, ret =3D 0; unsigned long flags; void *p =3D NULL; void __user *data; @@ -843,7 +849,7 @@ static int kvm_eiointc_regs_access(struct kvm_device *d= ev, =20 s =3D dev->kvm->arch.eiointc; addr =3D attr->attr; - cpuid =3D addr >> 16; + cpu =3D addr >> 16; addr &=3D 0xffff; data =3D (void __user *)attr->addr; switch (addr) { 
@@ -868,8 +874,11 @@ static int kvm_eiointc_regs_access(struct kvm_device *= dev, p =3D &s->isr.reg_u32[offset]; break; case EIOINTC_COREISR_START ... EIOINTC_COREISR_END: + if (cpu >=3D s->num_cpu) + return -EINVAL; + offset =3D (addr - EIOINTC_COREISR_START) / 4; - p =3D &s->coreisr.reg_u32[cpuid][offset]; + p =3D &s->coreisr.reg_u32[cpu][offset]; break; case EIOINTC_COREMAP_START ... EIOINTC_COREMAP_END: offset =3D (addr - EIOINTC_COREMAP_START) / 4; --=20 2.39.3
From nobody Wed Oct 8 14:20:31 2025
From: Bibo Mao
To: Tianrui Zhao, Huacai Chen, Xianglai Li
Cc: kvm@vger.kernel.org, loongarch@lists.linux.dev, linux-kernel@vger.kernel.org, stable@vger.kernel.org
Subject: [PATCH v4 5/6] LoongArch: KVM: Avoid overflow with array index
Date: Fri, 27 Jun 2025 17:05:06 +0800
Message-Id: <20250627090507.808319-6-maobibo@loongson.cn>
In-Reply-To: <20250627090507.808319-1-maobibo@loongson.cn>
References: <20250627090507.808319-1-maobibo@loongson.cn>

Variable index is modified and reused as array index when modifying register EIOINTC_ENABLE. There will be an array index overflow problem.

Cc: stable@vger.kernel.org
Fixes: 3956a52bc05b ("LoongArch: KVM: Add EIOINTC read and write functions")
Signed-off-by: Bibo Mao
--- arch/loongarch/kvm/intc/eiointc.c | 17 +++++++---------- 1 file changed, 7 insertions(+), 10 deletions(-) diff --git a/arch/loongarch/kvm/intc/eiointc.c b/arch/loongarch/kvm/intc/ei= ointc.c index 169fe1de2c92..d54fe805bf6e 100644 --- a/arch/loongarch/kvm/intc/eiointc.c +++ b/arch/loongarch/kvm/intc/eiointc.c 
@@ -447,17 +447,16 @@ static int loongarch_eiointc_writew(struct kvm_vcpu *= vcpu, break; case EIOINTC_ENABLE_START ... EIOINTC_ENABLE_END: index =3D (offset - EIOINTC_ENABLE_START) >> 1; - old_data =3D s->enable.reg_u32[index]; + old_data =3D s->enable.reg_u16[index]; s->enable.reg_u16[index] =3D data; /* * 1: enable irq. * update irq when isr is set. */ data =3D s->enable.reg_u16[index] & ~old_data & s->isr.reg_u16[index]; - index =3D index << 1; for (i =3D 0; i < sizeof(data); i++) { u8 mask =3D (data >> (i * 8)) & 0xff; - eiointc_enable_irq(vcpu, s, index + i, mask, 1); + eiointc_enable_irq(vcpu, s, index * 2 + i, mask, 1); } /* * 0: disable irq. @@ -466,7 +465,7 @@ static int loongarch_eiointc_writew(struct kvm_vcpu *vc= pu, data =3D ~s->enable.reg_u16[index] & old_data & s->isr.reg_u16[index]; for (i =3D 0; i < sizeof(data); i++) { u8 mask =3D (data >> (i * 8)) & 0xff; - eiointc_enable_irq(vcpu, s, index, mask, 0); + eiointc_enable_irq(vcpu, s, index * 2 + i, mask, 0); } break; case EIOINTC_BOUNCE_START ... EIOINTC_BOUNCE_END: @@ -540,10 +539,9 @@ static int loongarch_eiointc_writel(struct kvm_vcpu *v= cpu, * update irq when isr is set. */ data =3D s->enable.reg_u32[index] & ~old_data & s->isr.reg_u32[index]; - index =3D index << 2; for (i =3D 0; i < sizeof(data); i++) { u8 mask =3D (data >> (i * 8)) & 0xff; - eiointc_enable_irq(vcpu, s, index + i, mask, 1); + eiointc_enable_irq(vcpu, s, index * 4 + i, mask, 1); } /* * 0: disable irq. @@ -552,7 +550,7 @@ static int loongarch_eiointc_writel(struct kvm_vcpu *vc= pu, data =3D ~s->enable.reg_u32[index] & old_data & s->isr.reg_u32[index]; for (i =3D 0; i < sizeof(data); i++) { u8 mask =3D (data >> (i * 8)) & 0xff; - eiointc_enable_irq(vcpu, s, index, mask, 0); + eiointc_enable_irq(vcpu, s, index * 4 + i, mask, 0); } break; case EIOINTC_BOUNCE_START ... EIOINTC_BOUNCE_END: 
@@ -626,10 +624,9 @@ static int loongarch_eiointc_writeq(struct kvm_vcpu *v= cpu, * update irq when isr is set. */ data =3D s->enable.reg_u64[index] & ~old_data & s->isr.reg_u64[index]; - index =3D index << 3; for (i =3D 0; i < sizeof(data); i++) { u8 mask =3D (data >> (i * 8)) & 0xff; - eiointc_enable_irq(vcpu, s, index + i, mask, 1); + eiointc_enable_irq(vcpu, s, index * 8 + i, mask, 1); } /* * 0: disable irq. 
@@ -638,7 +635,7 @@ static int loongarch_eiointc_writeq(struct kvm_vcpu *vc= pu, data =3D ~s->enable.reg_u64[index] & old_data & s->isr.reg_u64[index]; for (i =3D 0; i < sizeof(data); i++) { u8 mask =3D (data >> (i * 8)) & 0xff; - eiointc_enable_irq(vcpu, s, index, mask, 0); + eiointc_enable_irq(vcpu, s, index * 8 + i, mask, 0); } break; case EIOINTC_BOUNCE_START ... EIOINTC_BOUNCE_END: --=20 2.39.3
From nobody Wed Oct 8 14:20:31 2025
From: Bibo Mao
To: Tianrui Zhao, Huacai Chen, Xianglai Li
Cc: kvm@vger.kernel.org, loongarch@lists.linux.dev, linux-kernel@vger.kernel.org, stable@vger.kernel.org
Subject: [PATCH v4 6/6] LoongArch: KVM: Add address alignment check
Date: Fri, 27 Jun 2025 17:05:07 +0800
Message-Id: <20250627090507.808319-7-maobibo@loongson.cn>
In-Reply-To: <20250627090507.808319-1-maobibo@loongson.cn>
References: <20250627090507.808319-1-maobibo@loongson.cn>

IOCSR instruction supports 1/2/4/8 bytes access, the address should be naturally aligned with its access size. Here address alignment checking is added in eiointc kernel emulation.

Cc: stable@vger.kernel.org
Fixes: 3956a52bc05b ("LoongArch: KVM: Add EIOINTC read and write functions")
Signed-off-by: Bibo Mao
--- arch/loongarch/kvm/intc/eiointc.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/arch/loongarch/kvm/intc/eiointc.c b/arch/loongarch/kvm/intc/ei= ointc.c index d54fe805bf6e..fab5cf52779c 100644 --- a/arch/loongarch/kvm/intc/eiointc.c +++ b/arch/loongarch/kvm/intc/eiointc.c @@ -316,6 +316,11 @@ static int kvm_eiointc_read(struct kvm_vcpu *vcpu, return -EINVAL; } =20 + if (addr & (len - 1)) { + kvm_err("%s: eiointc not aligned addr %llx len %d\n", __func__, addr, le= n); + return -EINVAL; + } + vcpu->kvm->stat.eiointc_read_exits++; spin_lock_irqsave(&eiointc->lock, flags); switch (len) { 
@@ -687,6 +692,11 @@ static int kvm_eiointc_write(struct kvm_vcpu *vcpu, return -EINVAL; } =20 + if (addr & (len - 1)) { + kvm_err("%s: eiointc not aligned addr %llx len %d\n", __func__, addr, le= n); + return -EINVAL; + } + vcpu->kvm->stat.eiointc_write_exits++; spin_lock_irqsave(&eiointc->lock, flags); switch (len) { --=20 2.39.3
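Review bot: The commit message of [PATCH v4 1/6] does not name the actual failure behind the removed `u64 val = *(u64 *)pvalue;` in eiointc_update_sw_coremap(). The writeb/writew/writel callers passed `(void *)&data` together with `sizeof(data)`, so the helper loaded eight bytes from an object that the message itself says may be char-sized. As the series is Cc: stable, say explicitly that this is a read past the end of the caller's variable. Also consider making the helper reject a `len` larger than sizeof(val), since the loop `for (i = 0; i < len; i++)` trusts whatever length the caller supplies.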
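Review bot: In [PATCH v4 2/6], the eiointc_set_sw_coreisr() hunk takes `cpu = vcpu->vcpu_id;` and uses it as the first index of `s->coreisr.reg_u32[cpu][irq_index]` and `s->sw_coreisr[cpu][ipnum]` without any bound check in the visible lines. The NULL test only proves that a vCPU with that physical id exists, not that its vcpu_id fits the first dimension of those arrays. Either compare vcpu_id against the array size before indexing, or add a comment naming the invariant that keeps it in range.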
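Review bot: In [PATCH v4 2/6], the eiointc_update_sw_coremap() hunk leaves `s->sw_coremap[irq + i]` at its old value when `kvm_get_vcpu_by_cpuid()` returns NULL, while the write handlers shown in patch 1/6 have already stored the guest's value with `s->coremap.reg_u8[index] = data;` before calling the helper. After the `continue` the register contents and the software route disagree, and interrupts keep going to the previous vCPU with no trace of why. Document that this is the intended behaviour for an invalid route, or fall back to a defined target, so that the stale entry is a decision and not a side effect.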
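Review bot: In [PATCH v4 3/6], both new `if (is_write) return ret;` branches in kvm_eiointc_sw_status_access() return whatever `ret` was initialised to, which the hunk does not show. If that is 0, a write to a read-only property is reported to user space as success, so a VMM that tries to change num_cpu or features during restore cannot tell that the value was dropped. Make the intent explicit with a literal return value: `return 0;` plus a comment if silently ignoring the write is required for migration compatibility, or an error code if it is not. The explanatory comment currently sits only on the NUM_CPU case although it covers FEATURE as well.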
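Review bot: In [PATCH v4 4/6], the new check `if (val < EIOINTC_ROUTE_MAX_VCPUS)` in kvm_eiointc_ctrl_access() rejects a num_cpu equal to EIOINTC_ROUTE_MAX_VCPUS, although the commit message calls that constant the maximum supported cpu number and the later index test is `cpu >= s->num_cpu`. Please confirm which bound is intended and state it in a comment, because a count equal to the array size is normally valid while an index equal to it is not. The check also accepts 0, and the neighbouring `copy_from_user(&s->features, data, 4)` still writes user data straight into the device state without validation.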
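Review bot: In [PATCH v4 4/6], the kvm_eiointc_regs_access() hunk guards the index with `if (cpu >= s->num_cpu)`, but `cpu` is declared in `int addr, cpu, offset, ret = 0;` and comes from `cpu = addr >> 16;` on a signed `addr`. An attribute value with the top bit set gives a negative `cpu`, and whether the comparison catches it depends on the type of num_cpu, which the hunk does not show. Declare `cpu` as unsigned, or test `cpu < 0` as well, so that the bound holds regardless of that type.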
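Review bot: The commit message of [PATCH v4 5/6] mentions only the index overflow, but the hunks fix two further defects that stable reviewers should see named. In loongarch_eiointc_writew() the old value was read with `old_data = s->enable.reg_u32[index];` although index is a 16-bit slot, and in the writew/writel/writeq disable loops the call was `eiointc_enable_irq(vcpu, s, index, mask, 0);` with no `+ i`, so every byte of the mask was applied to the same group. Add both to the message. The expression `index * N + i` now appears six times with a different N each time; deriving it from sizeof(data) in one place would make the next width mismatch harder to introduce.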
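Review bot: In [PATCH v4 6/6], the new `kvm_err("%s: eiointc not aligned addr %llx len %d\n", ...)` in kvm_eiointc_read() and kvm_eiointc_write() sits on a path the guest reaches at will by issuing a misaligned IOCSR access, so a guest can fill the host kernel log. Use a rate-limited print or drop the message to debug level, and keep the `-EINVAL`. The test `addr & (len - 1)` is only a correct alignment check when len is a power of two; the visible context does not show that len has been restricted to 1/2/4/8 before this point, so either place the check after that validation or note in a comment that the earlier check guarantees it.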