{"id":2219712,"url":"http://patchwork.ozlabs.org/api/patches/2219712/?format=json","web_url":"http://patchwork.ozlabs.org/project/kvm-riscv/patch/20260403232011.2394966-1-xujiakai2025@iscas.ac.cn/","project":{"id":70,"url":"http://patchwork.ozlabs.org/api/projects/70/?format=json","name":"Linux KVM RISC-V","link_name":"kvm-riscv","list_id":"kvm-riscv.lists.infradead.org","list_email":"kvm-riscv@lists.infradead.org","web_url":"","scm_url":"","webscm_url":"","list_archive_url":"http://lists.infradead.org/pipermail/kvm-riscv/","list_archive_url_format":"","commit_url_format":""},"msgid":"<20260403232011.2394966-1-xujiakai2025@iscas.ac.cn>","list_archive_url":null,"date":"2026-04-03T23:20:11","name":"[v2] RISC-V: KVM: Fix shift-out-of-bounds in make_xfence_request()","commit_ref":null,"pull_url":null,"state":"new","archived":false,"hash":"b92573be6fa192cd4cfab4f21e364c7e1fbf9e8d","submitter":{"id":92543,"url":"http://patchwork.ozlabs.org/api/people/92543/?format=json","name":"Jiakai Xu","email":"xujiakai2025@iscas.ac.cn"},"delegate":null,"mbox":"http://patchwork.ozlabs.org/project/kvm-riscv/patch/20260403232011.2394966-1-xujiakai2025@iscas.ac.cn/mbox/","series":[{"id":498684,"url":"http://patchwork.ozlabs.org/api/series/498684/?format=json","web_url":"http://patchwork.ozlabs.org/project/kvm-riscv/list/?series=498684","date":"2026-04-03T23:20:11","name":"[v2] RISC-V: KVM: Fix shift-out-of-bounds in make_xfence_request()","version":2,"mbox":"http://patchwork.ozlabs.org/series/498684/mbox/"}],"comments":"http://patchwork.ozlabs.org/api/patches/2219712/comments/","check":"pending","checks":"http://patchwork.ozlabs.org/api/patches/2219712/checks/","tags":{},"related":[],"headers":{"Return-Path":"\n <kvm-riscv-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org>","X-Original-To":"incoming@patchwork.ozlabs.org","Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n secure) 
header.d=lists.infradead.org header.i=@lists.infradead.org\n header.a=rsa-sha256 header.s=bombadil.20210309 header.b=gI1+oNaw;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=none (no SPF record) smtp.mailfrom=lists.infradead.org\n (client-ip=2607:7c80:54:3::133; helo=bombadil.infradead.org;\n envelope-from=kvm-riscv-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org;\n receiver=patchwork.ozlabs.org)"],"Received":["from bombadil.infradead.org (bombadil.infradead.org\n [IPv6:2607:7c80:54:3::133])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519 server-signature ECDSA (secp384r1) server-digest SHA384)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4fnZT71r0nz1yD3\n\tfor <incoming@patchwork.ozlabs.org>; Sat, 04 Apr 2026 10:20:27 +1100 (AEDT)","from localhost ([::1] helo=bombadil.infradead.org)\n\tby bombadil.infradead.org with esmtp (Exim 4.98.2 #2 (Red Hat Linux))\n\tid 1w8noP-00000002j0v-2bBo;\n\tFri, 03 Apr 2026 23:20:25 +0000","from smtp21.cstnet.cn ([159.226.251.21] helo=cstnet.cn)\n\tby bombadil.infradead.org with esmtps (Exim 4.98.2 #2 (Red Hat Linux))\n\tid 1w8noM-00000002j0W-1zlp;\n\tFri, 03 Apr 2026 23:20:24 +0000","from fric.. 
(unknown [210.73.43.101])\n\tby APP-01 (Coremail) with SMTP id qwCowADHb2ssS9BpDqMbDA--.3154S2;\n\tSat, 04 Apr 2026 07:20:12 +0800 (CST)"],"From":"Jiakai Xu <xujiakai2025@iscas.ac.cn>","To":"kvm-riscv@lists.infradead.org,\n\tkvm@vger.kernel.org,\n\tlinux-kernel@vger.kernel.org,\n\tlinux-riscv@lists.infradead.org","Cc":"Albert Ou <aou@eecs.berkeley.edu>,\n\tAlexandre Ghiti <alex@ghiti.fr>,\n\tAnup Patel <anup@brainfault.org>,\n\tAtish Patra <atish.patra@linux.dev>,\n\tPalmer Dabbelt <palmer@dabbelt.com>,\n\tPaul Walmsley <pjw@kernel.org>,\n\tJiakai Xu <xujiakai2025@iscas.ac.cn>,\n\tJiakai Xu <jiakaiPeanut@gmail.com>","Subject":"[PATCH v2] RISC-V: KVM: Fix shift-out-of-bounds in\n make_xfence_request()","Date":"Fri,  3 Apr 2026 23:20:11 +0000","Message-Id":"<20260403232011.2394966-1-xujiakai2025@iscas.ac.cn>","X-Mailer":"git-send-email 
2.34.1","MIME-Version":"1.0","X-CM-TRANSID":"qwCowADHb2ssS9BpDqMbDA--.3154S2","X-Originating-IP":"[210.73.43.101]","X-CM-SenderInfo":"50xmxthndljiysv6x2xfdvhtffof0/1tbiBwkGCWnP11+pggAAsE","X-CRM114-Version":"20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 ","X-CRM114-CacheID":"sfid-20260403_162022_893856_1265BF46 ","X-CRM114-Status":"UNSURE (   8.91  )","X-CRM114-Notice":"Please train this message.","X-Spam-Score":"-4.2 (----)","X-BeenThere":"kvm-riscv@lists.infradead.org","X-Mailman-Version":"2.1.34","Precedence":"list","List-Id":"<kvm-riscv.lists.infradead.org>","List-Unsubscribe":"<http://lists.infradead.org/mailman/options/kvm-riscv>,\n <mailto:kvm-riscv-request@lists.infradead.org?subject=unsubscribe>","List-Archive":"<http://lists.infradead.org/pipermail/kvm-riscv/>","List-Post":"<mailto:kvm-riscv@lists.infradead.org>","List-Help":"<mailto:kvm-riscv-request@lists.infradead.org?subject=help>","List-Subscribe":"<http://lists.infradead.org/mailman/listinfo/kvm-riscv>,\n <mailto:kvm-riscv-request@lists.infradead.org?subject=subscribe>","Content-Type":"text/plain; charset=\"us-ascii\"","Content-Transfer-Encoding":"7bit","Sender":"\"kvm-riscv\" <kvm-riscv-bounces@lists.infradead.org>","Errors-To":"kvm-riscv-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org"},"content":"The make_xfence_request() function uses a shift operation to check if a\nvCPU is in the hart mask:\n\n  if (!(hmask & (1UL << (vcpu->vcpu_id - hbase))))\n\nHowever, when the difference between vcpu_id and hbase\nis >= BITS_PER_LONG, the shift operation causes undefined behavior.\n\nThis was detected by UBSAN:\n  UBSAN: shift-out-of-bounds in arch/riscv/kvm/tlb.c:343:23\n  shift exponent 256 is too large for 64-bit type 'long unsigned int'\n\nFix this by adding a bounds check before the shift operation.\n\nThis bug was found by fuzzing the KVM RISC-V interface.\n\nFixes: 13acfec2dbcc (\"RISC-V: KVM: Add remote HFENCE functions based on VCPU requests\")\nSigned-off-by: Jiakai Xu <jiakaiPeanut@gmail.com>\nSigned-off-by: Jiakai Xu <xujiakai2025@iscas.ac.cn>\n---\nV1 -> V2:\n- Dropped 'idx' variable and compared vcpu_id against hbase directly,\n  as suggested by Andrew Jones.\n---\n 
arch/riscv/kvm/tlb.c | 3 ++-\n 1 file changed, 2 insertions(+), 1 deletion(-)","diff":"diff --git a/arch/riscv/kvm/tlb.c b/arch/riscv/kvm/tlb.c\nindex ff1aeac4eb8eb..439c20c2775ab 100644\n--- a/arch/riscv/kvm/tlb.c\n+++ b/arch/riscv/kvm/tlb.c\n@@ -338,7 +338,8 @@ static void make_xfence_request(struct kvm *kvm,\n \tbitmap_zero(vcpu_mask, KVM_MAX_VCPUS);\n \tkvm_for_each_vcpu(i, vcpu, kvm) {\n \t\tif (hbase != -1UL) {\n-\t\t\tif (vcpu->vcpu_id < hbase)\n+\t\t\tif (vcpu->vcpu_id < hbase ||\n+\t\t\t\tvcpu->vcpu_id >= hbase + BITS_PER_LONG)\n \t\t\t\tcontinue;\n \t\t\tif (!(hmask & (1UL << (vcpu->vcpu_id - hbase))))\n \t\t\t\tcontinue;\n","prefixes":["v2"]}
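Review bot: the continuation line of the new condition, `vcpu->vcpu_id >= hbase + BITS_PER_LONG)`, is indented with a fourth tab, so it lines up with the `continue;` body instead of with the opening parenthesis of `if (vcpu->vcpu_id < hbase ||`; kernel style (and checkpatch's "Alignment should match open parenthesis") wants it aligned under the first operand. The check itself matches the UBSAN report in the commit message: together with the surrounding `hbase != -1UL` test and the existing `< hbase` test it guarantees `0 <= vcpu_id - hbase < BITS_PER_LONG` before the `1UL <<` shift, and a wrap of `hbase + BITS_PER_LONG` for a very large `hbase` is harmless because every vcpu is already skipped by the `< hbase` test in that case. A one-line comment noting that `hmask` only covers BITS_PER_LONG harts starting at `hbase` would make the bound self-explanatory for the next reader.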