Patch Detail
get:
Show a patch.
patch:
Update a patch.
put:
Update a patch.
GET /api/patches/2219505/?format=api
{ "id": 2219505, "url": "http://patchwork.ozlabs.org/api/patches/2219505/?format=api", "web_url": "http://patchwork.ozlabs.org/project/kvm-riscv/patch/20260403061302.2203179-1-xujiakai2025@iscas.ac.cn/", "project": { "id": 70, "url": "http://patchwork.ozlabs.org/api/projects/70/?format=api", "name": "Linux KVM RISC-V", "link_name": "kvm-riscv", "list_id": "kvm-riscv.lists.infradead.org", "list_email": "kvm-riscv@lists.infradead.org", "web_url": "", "scm_url": "", "webscm_url": "", "list_archive_url": "http://lists.infradead.org/pipermail/kvm-riscv/", "list_archive_url_format": "", "commit_url_format": "" }, "msgid": "<20260403061302.2203179-1-xujiakai2025@iscas.ac.cn>", "list_archive_url": null, "date": "2026-04-03T06:13:02", "name": "RISC-V: KVM: Fix shift-out-of-bounds in make_xfence_request()", "commit_ref": null, "pull_url": null, "state": "superseded", "archived": false, "hash": "e3e50f047f85c2574db4d1e50dd37d705db85cee", "submitter": { "id": 92543, "url": "http://patchwork.ozlabs.org/api/people/92543/?format=api", "name": "Jiakai Xu", "email": "xujiakai2025@iscas.ac.cn" }, "delegate": null, "mbox": "http://patchwork.ozlabs.org/project/kvm-riscv/patch/20260403061302.2203179-1-xujiakai2025@iscas.ac.cn/mbox/", "series": [ { "id": 498595, "url": "http://patchwork.ozlabs.org/api/series/498595/?format=api", "web_url": "http://patchwork.ozlabs.org/project/kvm-riscv/list/?series=498595", "date": "2026-04-03T06:13:02", "name": "RISC-V: KVM: Fix shift-out-of-bounds in make_xfence_request()", "version": 1, "mbox": "http://patchwork.ozlabs.org/series/498595/mbox/" } ], "comments": "http://patchwork.ozlabs.org/api/patches/2219505/comments/", "check": "pending", "checks": "http://patchwork.ozlabs.org/api/patches/2219505/checks/", "tags": {}, "related": [], "headers": { "Return-Path": "\n <kvm-riscv-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org>", "X-Original-To": "incoming@patchwork.ozlabs.org", "Delivered-To": "patchwork-incoming@legolas.ozlabs.org", 
"Authentication-Results": [ "legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n secure) header.d=lists.infradead.org header.i=@lists.infradead.org\n header.a=rsa-sha256 header.s=bombadil.20210309 header.b=ONrycCFc;\n\tdkim-atps=neutral", "legolas.ozlabs.org;\n spf=none (no SPF record) smtp.mailfrom=lists.infradead.org\n (client-ip=2607:7c80:54:3::133; helo=bombadil.infradead.org;\n envelope-from=kvm-riscv-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org;\n receiver=patchwork.ozlabs.org)" ], "Received": [ "from bombadil.infradead.org (bombadil.infradead.org\n [IPv6:2607:7c80:54:3::133])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519 server-signature ECDSA (secp384r1) server-digest SHA384)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4fn7h24CRWz1yD3\n\tfor <incoming@patchwork.ozlabs.org>; Fri, 03 Apr 2026 17:13:22 +1100 (AEDT)", "from localhost ([::1] helo=bombadil.infradead.org)\n\tby bombadil.infradead.org with esmtp (Exim 4.98.2 #2 (Red Hat Linux))\n\tid 1w8XmS-00000001Naw-3fzv;\n\tFri, 03 Apr 2026 06:13:20 +0000", "from smtp21.cstnet.cn ([159.226.251.21] helo=cstnet.cn)\n\tby bombadil.infradead.org with esmtps (Exim 4.98.2 #2 (Red Hat Linux))\n\tid 1w8XmQ-00000001NZz-2wNA;\n\tFri, 03 Apr 2026 06:13:20 +0000", "from fric.. 
(unknown [210.73.43.101])\n\tby APP-01 (Coremail) with SMTP id qwCowAAn0m1wWs9pxNMLDA--.32889S2;\n\tFri, 03 Apr 2026 14:13:05 +0800 (CST)" ], "From": "Jiakai Xu <xujiakai2025@iscas.ac.cn>", "To": "kvm-riscv@lists.infradead.org,\n\tkvm@vger.kernel.org,\n\tlinux-kernel@vger.kernel.org,\n\tlinux-riscv@lists.infradead.org", "Cc": "Albert Ou <aou@eecs.berkeley.edu>,\n\tAlexandre Ghiti <alex@ghiti.fr>,\n\tAnup Patel <anup@brainfault.org>,\n\tAtish Patra <atish.patra@linux.dev>,\n\tPalmer Dabbelt <palmer@dabbelt.com>,\n\tPaul Walmsley <pjw@kernel.org>,\n\tJiakai Xu <xujiakai2025@iscas.ac.cn>,\n\tJiakai Xu <jiakaiPeanut@gmail.com>", "Subject": "[PATCH] RISC-V: KVM: Fix shift-out-of-bounds in make_xfence_request()", "Date": "Fri, 3 Apr 2026 06:13:02 +0000", "Message-Id": "<20260403061302.2203179-1-xujiakai2025@iscas.ac.cn>", "X-Mailer": "git-send-email 2.34.1", "MIME-Version": "1.0", "X-CM-TRANSID": "qwCowAAn0m1wWs9pxNMLDA--.32889S2", 
"X-Originating-IP": "[210.73.43.101]", "X-CM-SenderInfo": "50xmxthndljiysv6x2xfdvhtffof0/1tbiDAgGCWnPFcPwogAAsp", "X-CRM114-Version": "20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 ", "X-CRM114-CacheID": "sfid-20260402_231319_129630_16EC0D07 ", "X-CRM114-Status": "UNSURE ( 9.15 )", "X-CRM114-Notice": "Please train this message.", "X-Spam-Score": "-4.2 (----)", "X-Spam-Report": "Spam detection software,\n running on the system \"bombadil.infradead.org\",\n has NOT identified this incoming email as spam. The original\n message has been attached to this so you can view it or label\n similar future email. 
If you have any questions, see\n the administrator of that system for details.\n Content preview: The make_xfence_request() function uses a shift operation\n to check if a vCPU is in the hart mask: if (!(hmask & (1UL <<\n (vcpu->vcpu_id\n - hbase)))) However, when the difference between vcpu_id and hbase is >=\n BITS_PER_LONG, the shift operation causes undefined behavior.\n Content analysis details: (-4.2 points, 5.0 required)\n pts rule name description\n ---- ----------------------\n --------------------------------------------------\n -2.3 RCVD_IN_DNSWL_MED RBL: Sender listed at https://www.dnswl.org/,\n medium trust\n [159.226.251.21 listed in list.dnswl.org]\n 0.0 RCVD_IN_VALIDITY_CERTIFIED_BLOCKED RBL: ADMINISTRATOR NOTICE: The\n query to Validity was blocked. See\n https://knowledge.validity.com/hc/en-us/articles/20961730681243\n for more information.\n [159.226.251.21 listed in\n sa-trusted.bondedsender.org]\n 0.0 RCVD_IN_VALIDITY_SAFE_BLOCKED RBL: ADMINISTRATOR NOTICE: The query to\n Validity was blocked. See\n https://knowledge.validity.com/hc/en-us/articles/20961730681243\n for more information.\n [159.226.251.21 listed in sa-accredit.habeas.com]\n -0.0 SPF_PASS SPF: sender matches SPF record\n -0.0 SPF_HELO_PASS SPF: HELO matches SPF record\n -1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1%\n [score: 0.0000]\n 0.0 RCVD_IN_VALIDITY_RPBL_BLOCKED RBL: ADMINISTRATOR NOTICE: The query to\n Validity was blocked. 
See\n https://knowledge.validity.com/hc/en-us/articles/20961730681243\n for more information.\n [159.226.251.21 listed in\n bl.score.senderscore.com]", "X-BeenThere": "kvm-riscv@lists.infradead.org", "X-Mailman-Version": "2.1.34", "Precedence": "list", "List-Id": "<kvm-riscv.lists.infradead.org>", "List-Unsubscribe": "<http://lists.infradead.org/mailman/options/kvm-riscv>,\n <mailto:kvm-riscv-request@lists.infradead.org?subject=unsubscribe>", "List-Archive": "<http://lists.infradead.org/pipermail/kvm-riscv/>", "List-Post": "<mailto:kvm-riscv@lists.infradead.org>", "List-Help": "<mailto:kvm-riscv-request@lists.infradead.org?subject=help>", "List-Subscribe": "<http://lists.infradead.org/mailman/listinfo/kvm-riscv>,\n <mailto:kvm-riscv-request@lists.infradead.org?subject=subscribe>", "Content-Type": "text/plain; charset=\"us-ascii\"", "Content-Transfer-Encoding": "7bit", "Sender": "\"kvm-riscv\" <kvm-riscv-bounces@lists.infradead.org>", "Errors-To": "kvm-riscv-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org" }, "content": "The make_xfence_request() function uses a shift operation to check if a\nvCPU is in the hart mask:\n\n if (!(hmask & (1UL << (vcpu->vcpu_id - hbase))))\n\nHowever, when the difference between vcpu_id and hbase\nis >= BITS_PER_LONG, the shift operation causes undefined behavior.\n\nThis was detected by UBSAN:\n UBSAN: shift-out-of-bounds in arch/riscv/kvm/tlb.c:343:23\n shift exponent 256 is too large for 64-bit type 'long unsigned int'\n\nFix this by adding a bounds check before the shift operation.\n\nThis bug was found by fuzzing the KVM RISC-V interface.\n\nFixes: 13acfec2dbcc (\"RISC-V: KVM: Add remote HFENCE functions based on VCPU requests\")\nSigned-off-by: Jiakai Xu <jiakaiPeanut@gmail.com>\nSigned-off-by: Jiakai Xu <xujiakai2025@iscas.ac.cn>\n---\n arch/riscv/kvm/tlb.c | 7 +++++--\n 1 file changed, 5 insertions(+), 2 deletions(-)", "diff": "diff --git a/arch/riscv/kvm/tlb.c b/arch/riscv/kvm/tlb.c\nindex 
ff1aeac4eb8eb..500e001513a11 100644\n--- a/arch/riscv/kvm/tlb.c\n+++ b/arch/riscv/kvm/tlb.c\n@@ -333,14 +333,17 @@ static void make_xfence_request(struct kvm *kvm,\n \tunsigned long i;\n \tstruct kvm_vcpu *vcpu;\n \tunsigned int actual_req = req;\n+\tunsigned int idx;\n \tDECLARE_BITMAP(vcpu_mask, KVM_MAX_VCPUS);\n \n \tbitmap_zero(vcpu_mask, KVM_MAX_VCPUS);\n \tkvm_for_each_vcpu(i, vcpu, kvm) {\n \t\tif (hbase != -1UL) {\n-\t\t\tif (vcpu->vcpu_id < hbase)\n+\t\t\tidx = vcpu->vcpu_id - hbase;\n+\n+\t\t\tif (idx < 0 || idx >= BITS_PER_LONG)\n \t\t\t\tcontinue;\n-\t\t\tif (!(hmask & (1UL << (vcpu->vcpu_id - hbase))))\n+\t\t\tif (!(hmask & (1UL << idx)))\n \t\t\t\tcontinue;\n \t\t}\n \n", "prefixes": [] }
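Review bot: `idx` is declared `unsigned int`, so the `idx < 0` half of the new check in the `hbase != -1UL` branch can never be true, and the removed `vcpu->vcpu_id < hbase` test is now covered only by unsigned wraparound. Since `hbase` is compared against `-1UL` it is evidently an unsigned long, which means `vcpu->vcpu_id - hbase` is narrowed to 32 bits when stored in `idx`: a difference that is large as an unsigned long can truncate to a value below `BITS_PER_LONG`, pass the bounds check, and select a vCPU that the mask does not cover. Suggest keeping the original `if (vcpu->vcpu_id < hbase) continue;`, declaring `idx` as `unsigned long`, and testing only `idx >= BITS_PER_LONG` before the shift. The commit message could also state which caller supplies the out-of-range `hbase` behind the UBSAN report (shift exponent 256), so it is clear the value is guest-controlled input that needs validating here.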