From patchwork Mon Aug 21 19:45:07 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Michael S. Tsirkin" X-Patchwork-Id: 9913579 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id DF673603FA for ; Mon, 21 Aug 2017 19:45:25 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id D18951FF13 for ; Mon, 21 Aug 2017 19:45:25 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id C373627FA1; Mon, 21 Aug 2017 19:45:25 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-6.9 required=2.0 tests=BAYES_00,RCVD_IN_DNSWL_HI autolearn=unavailable version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 7E4591FF13 for ; Mon, 21 Aug 2017 19:45:25 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753620AbdHUTpK (ORCPT ); Mon, 21 Aug 2017 15:45:10 -0400 Received: from mx1.redhat.com ([209.132.183.28]:36592 "EHLO mx1.redhat.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1753479AbdHUTpJ (ORCPT ); Mon, 21 Aug 2017 15:45:09 -0400 Received: from smtp.corp.redhat.com (int-mx05.intmail.prod.int.phx2.redhat.com [10.5.11.15]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id B972481E0E; Mon, 21 Aug 2017 19:45:08 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.3.2 mx1.redhat.com B972481E0E Authentication-Results: ext-mx01.extmail.prod.ext.phx2.redhat.com; dmarc=none (p=none dis=none) header.from=redhat.com Authentication-Results: ext-mx01.extmail.prod.ext.phx2.redhat.com; spf=fail smtp.mailfrom=mst@redhat.com Received: from redhat.com (ovpn-120-34.rdu2.redhat.com [10.10.120.34]) by smtp.corp.redhat.com (Postfix) with SMTP id 27116627DE; Mon, 21 Aug 2017 19:45:07 +0000 (UTC) Date: Mon, 21 Aug 2017 22:45:07 +0300 From: "Michael S. Tsirkin" To: linux-kernel@vger.kernel.org Cc: Koichiro Den , Jason Wang , kvm@vger.kernel.org, virtualization@lists.linux-foundation.org, netdev@vger.kernel.org, David Miller Subject: [PATCH] vhost: fix end of range for access_ok Message-ID: <1503344576-8141-1-git-send-email-mst@redhat.com> MIME-Version: 1.0 Content-Disposition: inline X-Mutt-Fcc: =sent X-Scanned-By: MIMEDefang 2.79 on 10.5.11.15 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.25]); Mon, 21 Aug 2017 19:45:09 +0000 (UTC) Sender: kvm-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: kvm@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP During access_ok checks, addr increases as we iterate over the data structure, thus addr + len - 1 will point beyond the end of region we are translating. Harmless since we then verify that the region covers addr, but let's not waste cpu cycles. Reported-by: Koichiro Den Signed-off-by: Michael S. Tsirkin Acked-by: Koichiro Den --- Lightly tested, would appreciate an ack from reporter. drivers/vhost/vhost.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/vhost/vhost.c b/drivers/vhost/vhost.c index e4613a3..ecd70e4 100644 --- a/drivers/vhost/vhost.c +++ b/drivers/vhost/vhost.c @@ -1176,7 +1176,7 @@ static int iotlb_access_ok(struct vhost_virtqueue *vq, { const struct vhost_umem_node *node; struct vhost_umem *umem = vq->iotlb; - u64 s = 0, size, orig_addr = addr; + u64 s = 0, size, orig_addr = addr, last = addr + len - 1; if (vhost_vq_meta_fetch(vq, addr, len, type)) return true; @@ -1184,7 +1184,7 @@ static int iotlb_access_ok(struct vhost_virtqueue *vq, while (len > s) { node = vhost_umem_interval_tree_iter_first(&umem->umem_tree, addr, - addr + len - 1); + last); if (node == NULL || node->start > addr) { vhost_iotlb_miss(vq, addr, access); return false;