diff mbox series

[55/97] i386/acpi: fix gint overflow in crs_range_compare

Message ID	20191001234616.7825-56-mdroth@linux.vnet.ibm.com (mailing list archive)
State	New, archived
Headers	show Return-Path: <SRS0=rCvs=X3=nongnu.org=qemu-devel-bounces+patchwork-qemu-devel=patchwork.kernel.org@kernel.org> DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org D907F2070B From: Michael Roth <mdroth@linux.vnet.ibm.com> To: qemu-devel@nongnu.org Subject: [PATCH 55/97] i386/acpi: fix gint overflow in crs_range_compare Date: Tue, 1 Oct 2019 18:45:34 -0500 Message-Id: <20191001234616.7825-56-mdroth@linux.vnet.ibm.com> In-Reply-To: <20191001234616.7825-1-mdroth@linux.vnet.ibm.com> References: <20191001234616.7825-1-mdroth@linux.vnet.ibm.com> Precedence: list Cc: qemu-stable@nongnu.org, Evgeny Yakovlev <wrfsh@yandex-team.ru> Errors-To: qemu-devel-bounces+patchwork-qemu-devel=patchwork.kernel.org@nongnu.org Sender: "Qemu-devel" <qemu-devel-bounces+patchwork-qemu-devel=patchwork.kernel.org@nongnu.org>
Series	Patch Round-up for stable 4.0.1, freeze on 2019-10-10 \| expand [00/97] Patch Round-up for stable 4.0.1, freeze on 2019-10-10 [01/97] qcow2: Avoid COW during metadata preallocation [02/97] qcow2: Add errp to preallocate_co() [03/97] qcow2: Fix full preallocation with external data file [04/97] megasas: fix mapped frame size [05/97] qcow2: Fix qcow2_make_empty() with external data file [06/97] block: Fix AioContext switch for bs->drv == NULL [07/97] cutils: Fix size_to_str() on 32-bit platforms [08/97] Makefile: add nit-picky mode to sphinx-build [09/97] docs/interop/bitmaps: rewrite and modernize doc [10/97] spapr/xive: fix EQ page addresses above 64GB [11/97] kbd-state: fix autorepeat handling [12/97] usb-tablet: fix serial compat property [13/97] block/file-posix: Unaligned O_DIRECT block-status [14/97] iotests: Test unaligned raw images with O_DIRECT [15/97] s390x/cpumodel: ignore csske for expansion [16/97] blockdev-backup: don't check aio_context too early [17/97] block: Drain source node in bdrv_replace_node() [18/97] iotests: Test commit job start with concurrent I/O [19/97] iotests.py: do not use infinite waits [20/97] QEMUMachine: add events_wait method [21/97] iotests.py: Fix VM.run_job [22/97] iotests.py: rewrite run_job to be pickier [23/97] iotests: add iotest 256 for testing blockdev-backup across iothread contexts [24/97] migration/dirty-bitmaps: change bitmap enumeration method [25/97] vhost: fix vhost_log size overflow during migration [26/97] target/ppc: Fix xvabs[sd]p, xvnabs[sd]p, xvneg[sd]p, xvcpsgn[sd]p [27/97] target/ppc: Fix xvxsigdp [28/97] target/ppc: Fix xxbrq, xxbrw [29/97] target/ppc: Fix vsum2sws [30/97] target/ppc: Fix lxvw4x, lxvh8x and lxvb16x [31/97] q35: Revert to kernel irqchip [32/97] vl: Fix -drive / -blockdev persistent reservation management [33/97] target/i386: add MDS-NO feature [34/97] target/i386: define md-clear bit [35/97] docs: recommend use of md-clear feature on all Intel CPUs [36/97] virtio-pci: fix missing device properties [37/97] usbredir: fix buffer-overflow on vmload [38/97] virtio-balloon: fix QEMU 4.0 config size migration incompatibility [39/97] docs/interop/bitmaps.rst: Fix typos [40/97] sphinx: add qmp_lexer [41/97] docs/bitmaps: use QMP lexer instead of json [42/97] hw/ssi/xilinx_spips: Convert lqspi_read() to read_with_attrs [43/97] hw/ssi/xilinx_spips: Avoid AXI writes to the LQSPI linear memory [44/97] hw/ssi/xilinx_spips: Avoid out-of-bound access to lqspi_buf[] [45/97] ioapic: kvm: Skip route updates for masked pins [46/97] i386/acpi: show PCI Express bus on pxb-pcie expanders [47/97] virtio-balloon: Fix wrong sign extension of PFNs [48/97] virtio-balloon: Fix QEMU crashes on pagesize > BALLOON_PAGE_SIZE [49/97] virtio-balloon: Simplify deflate with pbp [50/97] virtio-balloon: Better names for offset variables in inflate/deflate code [51/97] virtio-balloon: Rework pbp tracking data [52/97] virtio-balloon: Use temporary PBP only [53/97] virtio-balloon: don't track subpages for the PBP [54/97] virtio-balloon: free pbp more aggressively [55/97] i386/acpi: fix gint overflow in crs_range_compare [56/97] tpm: Exit in reset when backend indicates failure [57/97] tpm_emulator: Translate TPM error codes to strings [58/97] block/backup: simplify backup_incremental_init_copy_bitmap [59/97] block/backup: move to copy_bitmap with granularity [60/97] block/backup: refactor and tolerate unallocated cluster skipping [61/97] block/backup: unify different modes code path [62/97] block/backup: refactor: split out backup_calculate_cluster_size [63/97] backup: Copy only dirty areas [64/97] iotests: Test backup job with two guest writes [65/97] util/hbitmap: update orig_size on truncate [66/97] iotests: Test incremental backup after truncation [67/97] mirror: Only mirror granularity-aligned chunks [68/97] iotests: Test unaligned blocking mirror write [69/97] block/backup: disable copy_range for compressed backup [70/97] Revert "ide/ahci: Check for -ECANCELED in aio callbacks" [71/97] qcow2: Fix the calculation of the maximum L2 cache size [72/97] dma-helpers: ensure AIO callback is invoked after cancellation [73/97] target/arm: Don't abort on M-profile exception return in linux-user mode [74/97] xen-bus: Fix backend state transition on device reset [75/97] pr-manager: Fix invalid g_free() crash bug [76/97] iotests: add testing shim for script-style python tests [77/97] vpc: Return 0 from vpc_co_create() on success [78/97] iotests: Add supported protocols to execute_test() [79/97] iotests: Restrict file Python tests to file [80/97] iotests: Restrict nbd Python tests to nbd [81/97] iotests: Test blockdev-create for vpc [82/97] libvhost-user: fix SLAVE_SEND_FD handling [83/97] block/create: Do not abort if a block driver is not available [84/97] block/nfs: tear down aio before nfs_close [85/97] blockjob: update nodes head while removing all bdrv [86/97] curl: Keep pointer to the CURLState in CURLSocket [87/97] curl: Keep *socket until the end of curl_sock_cb() [88/97] curl: Check completion in curl_multi_do() [89/97] curl: Pass CURLSocket to curl_multi_do() [90/97] curl: Report only ready sockets [91/97] curl: Handle success in multi_check_completion [92/97] curl: Check curl_multi_add_handle()'s return code [93/97] slirp: Fix heap overflow in ip_reass on big packet input [94/97] slirp: ip_reass: Fix use after free [95/97] s390: PCI: fix IOMMU region init [96/97] hw/core/loader: Fix possible crash in rom_copy() [97/97] scsi: lsi: exit infinite loop while executing script (CVE-2019-12068)

Commit Message

Michael Roth Oct. 1, 2019, 11:45 p.m. UTC

From: Evgeny Yakovlev <wrfsh@yandex-team.ru>

When very large regions (32GB sized in our case, PCI pass-through of GPUs)
are compared substraction result does not fit into gint.

As a result crs_replace_with_free_ranges does not get sorted ranges and
incorrectly computes PCI64 free space regions. Which then makes linux
guest complain about device and PCI64 hole intersection and device
becomes unusable.

Fix that by returning exactly fitting ranges.

Also fix indentation of an entire crs_replace_with_free_ranges to make
checkpatch happy.

Cc: qemu-stable@nongnu.org
Signed-off-by: Evgeny Yakovlev <wrfsh@yandex-team.ru>
Message-Id: <1563466463-26012-1-git-send-email-wrfsh@yandex-team.ru>
Signed-off-by: Evgeny Yakovlev <wrfsh@yandex-team.ru>
(cherry picked from commit 21e2acd583126db94f6d881005cd58e835160582)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
 hw/i386/acpi-build.c | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff mbox series

Patch

diff --git a/hw/i386/acpi-build.c b/hw/i386/acpi-build.c
index ede27ab3c4..bf59c475be 100644
--- a/hw/i386/acpi-build.c
+++ b/hw/i386/acpi-build.c
@@ -743,10 +743,16 @@  static void crs_range_set_free(CrsRangeSet *range_set)
 
 static gint crs_range_compare(gconstpointer a, gconstpointer b)
 {
-     CrsRangeEntry *entry_a = *(CrsRangeEntry **)a;
-     CrsRangeEntry *entry_b = *(CrsRangeEntry **)b;
+    CrsRangeEntry *entry_a = *(CrsRangeEntry **)a;
+    CrsRangeEntry *entry_b = *(CrsRangeEntry **)b;
 
-     return (int64_t)entry_a->base - (int64_t)entry_b->base;
+    if (entry_a->base < entry_b->base) {
+        return -1;
+    } else if (entry_a->base > entry_b->base) {
+        return 1;
+    } else {
+        return 0;
+    }
 }
 
 /*