Re: [PATCH v5 net-next 4/9] vhost-net: allow configuring extended features


 



Hi Paolo,

kernel test robot noticed the following build warnings:

url:    https://github.com/intel-lab-lkp/linux/commits/Paolo-Abeni/scripts-kernel_doc-py-properly-handle-VIRTIO_DECLARE_FEATURES/20250621-014409
base:   net-next/main
patch link:    https://lore.kernel.org/r/e195567cf1f705143477f6eee7b528ee15918873.1750436464.git.pabeni%40redhat.com
patch subject: [PATCH v5 net-next 4/9] vhost-net: allow configuring extended features
config: i386-randconfig-141-20250623 (https://download.01.org/0day-ci/archive/20250624/202506241710.pvHQGmeZ-lkp@xxxxxxxxx/config)
compiler: gcc-12 (Debian 12.2.0-14) 12.2.0

If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add the following tags
| Reported-by: kernel test robot <lkp@xxxxxxxxx>
| Reported-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
| Closes: https://lore.kernel.org/r/202506241710.pvHQGmeZ-lkp@xxxxxxxxx/

New smatch warnings:
drivers/vhost/net.c:1724 vhost_net_ioctl() warn: check for integer overflow 'count'

vim +/count +1724 drivers/vhost/net.c

3a4d5c94e95935 Michael S. Tsirkin 2010-01-14  1683  static long vhost_net_ioctl(struct file *f, unsigned int ioctl,
3a4d5c94e95935 Michael S. Tsirkin 2010-01-14  1684  			    unsigned long arg)
3a4d5c94e95935 Michael S. Tsirkin 2010-01-14  1685  {
059c23697448c5 Paolo Abeni        2025-06-20  1686  	u64 all_features[VIRTIO_FEATURES_DWORDS];
3a4d5c94e95935 Michael S. Tsirkin 2010-01-14  1687  	struct vhost_net *n = f->private_data;
3a4d5c94e95935 Michael S. Tsirkin 2010-01-14  1688  	void __user *argp = (void __user *)arg;
3a4d5c94e95935 Michael S. Tsirkin 2010-01-14  1689  	u64 __user *featurep = argp;
3a4d5c94e95935 Michael S. Tsirkin 2010-01-14  1690  	struct vhost_vring_file backend;
059c23697448c5 Paolo Abeni        2025-06-20  1691  	u64 features, count, copied;
059c23697448c5 Paolo Abeni        2025-06-20  1692  	int r, i;
d47effe1be0c4f Krishna Kumar      2011-03-01  1693  
3a4d5c94e95935 Michael S. Tsirkin 2010-01-14  1694  	switch (ioctl) {
3a4d5c94e95935 Michael S. Tsirkin 2010-01-14  1695  	case VHOST_NET_SET_BACKEND:
d3553a52490dca Takuya Yoshikawa   2010-05-27  1696  		if (copy_from_user(&backend, argp, sizeof backend))
d3553a52490dca Takuya Yoshikawa   2010-05-27  1697  			return -EFAULT;
3a4d5c94e95935 Michael S. Tsirkin 2010-01-14  1698  		return vhost_net_set_backend(n, backend.index, backend.fd);
3a4d5c94e95935 Michael S. Tsirkin 2010-01-14  1699  	case VHOST_GET_FEATURES:
059c23697448c5 Paolo Abeni        2025-06-20  1700  		features = vhost_net_features[0];
d3553a52490dca Takuya Yoshikawa   2010-05-27  1701  		if (copy_to_user(featurep, &features, sizeof features))
d3553a52490dca Takuya Yoshikawa   2010-05-27  1702  			return -EFAULT;
d3553a52490dca Takuya Yoshikawa   2010-05-27  1703  		return 0;
3a4d5c94e95935 Michael S. Tsirkin 2010-01-14  1704  	case VHOST_SET_FEATURES:
d3553a52490dca Takuya Yoshikawa   2010-05-27  1705  		if (copy_from_user(&features, featurep, sizeof features))
d3553a52490dca Takuya Yoshikawa   2010-05-27  1706  			return -EFAULT;
059c23697448c5 Paolo Abeni        2025-06-20  1707  		if (features & ~vhost_net_features[0])
059c23697448c5 Paolo Abeni        2025-06-20  1708  			return -EOPNOTSUPP;
059c23697448c5 Paolo Abeni        2025-06-20  1709  
059c23697448c5 Paolo Abeni        2025-06-20  1710  		virtio_features_from_u64(all_features, features);
059c23697448c5 Paolo Abeni        2025-06-20  1711  		return vhost_net_set_features(n, all_features);
059c23697448c5 Paolo Abeni        2025-06-20  1712  	case VHOST_GET_FEATURES_ARRAY:
059c23697448c5 Paolo Abeni        2025-06-20  1713  		if (get_user(count, featurep))
059c23697448c5 Paolo Abeni        2025-06-20  1714  			return -EFAULT;
059c23697448c5 Paolo Abeni        2025-06-20  1715  
059c23697448c5 Paolo Abeni        2025-06-20  1716  		/* Copy the net features, up to the user-provided buffer size */
059c23697448c5 Paolo Abeni        2025-06-20  1717  		argp += sizeof(u64);
059c23697448c5 Paolo Abeni        2025-06-20  1718  		copied = min(count, VIRTIO_FEATURES_DWORDS);
059c23697448c5 Paolo Abeni        2025-06-20  1719  		if (copy_to_user(argp, vhost_net_features,
059c23697448c5 Paolo Abeni        2025-06-20  1720  				 copied * sizeof(u64)))
059c23697448c5 Paolo Abeni        2025-06-20  1721  			return -EFAULT;
059c23697448c5 Paolo Abeni        2025-06-20  1722  
059c23697448c5 Paolo Abeni        2025-06-20  1723  		/* Zero the trailing space provided by user-space, if any */
059c23697448c5 Paolo Abeni        2025-06-20 @1724  		if (clear_user(argp, (count - copied) * sizeof(u64)))

This can have an integer overflow: 'count' is read from user space with
get_user() and is not capped before (count - copied) is multiplied by
sizeof(u64).  Which is fine.  Except that we're eventually going to add
tooling to complain when there is math like this where a sizeof() or any
size_t multiplication leads to an integer overflow.  (Unless it's part of
an integer overflow check or it's annotated.  There are several different
ways where an integer overflow is idiomatic and those are allowed).

059c23697448c5 Paolo Abeni        2025-06-20  1725  			return -EFAULT;
059c23697448c5 Paolo Abeni        2025-06-20  1726  		return 0;
059c23697448c5 Paolo Abeni        2025-06-20  1727  	case VHOST_SET_FEATURES_ARRAY:
059c23697448c5 Paolo Abeni        2025-06-20  1728  		if (get_user(count, featurep))
059c23697448c5 Paolo Abeni        2025-06-20  1729  			return -EFAULT;
059c23697448c5 Paolo Abeni        2025-06-20  1730  
059c23697448c5 Paolo Abeni        2025-06-20  1731  		virtio_features_zero(all_features);
059c23697448c5 Paolo Abeni        2025-06-20  1732  		argp += sizeof(u64);
059c23697448c5 Paolo Abeni        2025-06-20  1733  		copied = min(count, VIRTIO_FEATURES_DWORDS);
059c23697448c5 Paolo Abeni        2025-06-20  1734  		if (copy_from_user(all_features, argp, copied * sizeof(u64)))
059c23697448c5 Paolo Abeni        2025-06-20  1735  			return -EFAULT;
059c23697448c5 Paolo Abeni        2025-06-20  1736  
059c23697448c5 Paolo Abeni        2025-06-20  1737  		/*
059c23697448c5 Paolo Abeni        2025-06-20  1738  		 * Any feature specified by user-space above
059c23697448c5 Paolo Abeni        2025-06-20  1739  		 * VIRTIO_FEATURES_MAX is not supported by definition.
059c23697448c5 Paolo Abeni        2025-06-20  1740  		 */
059c23697448c5 Paolo Abeni        2025-06-20  1741  		for (i = copied; i < count; ++i) {
059c23697448c5 Paolo Abeni        2025-06-20  1742  			if (get_user(features, featurep + 1 + i))
059c23697448c5 Paolo Abeni        2025-06-20  1743  				return -EFAULT;
059c23697448c5 Paolo Abeni        2025-06-20  1744  			if (features)
3a4d5c94e95935 Michael S. Tsirkin 2010-01-14  1745  				return -EOPNOTSUPP;
059c23697448c5 Paolo Abeni        2025-06-20  1746  		}
059c23697448c5 Paolo Abeni        2025-06-20  1747  

-- 
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki




