{"id":819526,"url":"http://patchwork.ozlabs.org/api/patches/819526/?format=json","web_url":"http://patchwork.ozlabs.org/project/ubuntu-kernel/patch/20170928102928.14992-2-shrirang.bagul@canonical.com/","project":{"id":15,"url":"http://patchwork.ozlabs.org/api/projects/15/?format=json","name":"Ubuntu Kernel","link_name":"ubuntu-kernel","list_id":"kernel-team.lists.ubuntu.com","list_email":"kernel-team@lists.ubuntu.com","web_url":null,"scm_url":null,"webscm_url":null,"list_archive_url":"","list_archive_url_format":"","commit_url_format":""},"msgid":"<20170928102928.14992-2-shrirang.bagul@canonical.com>","list_archive_url":null,"date":"2017-09-28T10:29:27","name":"[X/Z,SRU,1/2] KVM: VMX: Do not BUG() on out-of-bounds guest IRQ","commit_ref":null,"pull_url":null,"state":"new","archived":false,"hash":"ef1f816f64aea465476155f0f768a1346e6cef8e","submitter":{"id":69376,"url":"http://patchwork.ozlabs.org/api/people/69376/?format=json","name":"Shrirang Bagul","email":"shrirang.bagul@canonical.com"},"delegate":null,"mbox":"http://patchwork.ozlabs.org/project/ubuntu-kernel/patch/20170928102928.14992-2-shrirang.bagul@canonical.com/mbox/","series":[{"id":5533,"url":"http://patchwork.ozlabs.org/api/series/5533/?format=json","web_url":"http://patchwork.ozlabs.org/project/ubuntu-kernel/list/?series=5533","date":"2017-09-28T10:29:26","name":"Fix CVE-2017-1000252","version":1,"mbox":"http://patchwork.ozlabs.org/series/5533/mbox/"}],"comments":"http://patchwork.ozlabs.org/api/patches/819526/comments/","check":"pending","checks":"http://patchwork.ozlabs.org/api/patches/819526/checks/","tags":{},"related":[],"headers":{"Return-Path":"<kernel-team-bounces@lists.ubuntu.com>","X-Original-To":"incoming@patchwork.ozlabs.org","Delivered-To":"patchwork-incoming@bilbo.ozlabs.org","Authentication-Results":"ozlabs.org;\n\tspf=none (mailfrom) smtp.mailfrom=lists.ubuntu.com\n\t(client-ip=91.189.94.19; 
helo=huckleberry.canonical.com;\n\tenvelope-from=kernel-team-bounces@lists.ubuntu.com;\n\treceiver=<UNKNOWN>)","Received":["from huckleberry.canonical.com (huckleberry.canonical.com\n\t[91.189.94.19])\n\tby ozlabs.org (Postfix) with ESMTP id 3y2rXm5Mt7z9tXv;\n\tThu, 28 Sep 2017 20:29:44 +1000 (AEST)","from localhost ([127.0.0.1] helo=huckleberry.canonical.com)\n\tby huckleberry.canonical.com with esmtp (Exim 4.86_2)\n\t(envelope-from <kernel-team-bounces@lists.ubuntu.com>)\n\tid 1dxW4a-0008MB-8R; Thu, 28 Sep 2017 10:29:40 +0000","from youngberry.canonical.com ([91.189.89.112])\n\tby huckleberry.canonical.com with esmtps\n\t(TLS1.0:DHE_RSA_AES_128_CBC_SHA1:128)\n\t(Exim 4.86_2) (envelope-from <shrirang.bagul@canonical.com>)\n\tid 1dxW4W-0008KN-4d\n\tfor kernel-team@lists.ubuntu.com; Thu, 28 Sep 2017 10:29:36 +0000","from 1.general.shrirang--bagul.uk.vpn ([10.172.198.4]\n\thelo=snb-ubuntu.taipei) by youngberry.canonical.com with esmtpsa\n\t(TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32)\n\t(Exim 4.76) (envelope-from <shrirang.bagul@canonical.com>)\n\tid 1dxW4V-0003g8-B2\n\tfor kernel-team@lists.ubuntu.com; Thu, 28 Sep 2017 10:29:35 +0000"],"From":"Shrirang Bagul <shrirang.bagul@canonical.com>","To":"kernel-team@lists.ubuntu.com","Subject":"[X/Z SRU][PATCH 1/2] KVM: VMX: Do not BUG() on out-of-bounds guest\n\tIRQ","Date":"Thu, 28 Sep 2017 18:29:27 +0800","Message-Id":"<20170928102928.14992-2-shrirang.bagul@canonical.com>","X-Mailer":"git-send-email 2.11.0","In-Reply-To":"<20170928102928.14992-1-shrirang.bagul@canonical.com>","References":"<20170928102928.14992-1-shrirang.bagul@canonical.com>","MIME-Version":"1.0","X-BeenThere":"kernel-team@lists.ubuntu.com","X-Mailman-Version":"2.1.20","Precedence":"list","List-Id":"Kernel team discussions 
<kernel-team.lists.ubuntu.com>","List-Unsubscribe":"<https://lists.ubuntu.com/mailman/options/kernel-team>,\n\t<mailto:kernel-team-request@lists.ubuntu.com?subject=unsubscribe>","List-Archive":"<https://lists.ubuntu.com/archives/kernel-team>","List-Post":"<mailto:kernel-team@lists.ubuntu.com>","List-Help":"<mailto:kernel-team-request@lists.ubuntu.com?subject=help>","List-Subscribe":"<https://lists.ubuntu.com/mailman/listinfo/kernel-team>,\n\t<mailto:kernel-team-request@lists.ubuntu.com?subject=subscribe>","Content-Type":"text/plain; charset=\"utf-8\"","Content-Transfer-Encoding":"base64","Errors-To":"kernel-team-bounces@lists.ubuntu.com","Sender":"\"kernel-team\" <kernel-team-bounces@lists.ubuntu.com>"},"content":"From: Jan H. Schönherr <jschoenh@amazon.de>\n\nThe value of the guest_irq argument to vmx_update_pi_irte() is\nultimately coming from a KVM_IRQFD API call. Do not BUG() in\nvmx_update_pi_irte() if the value is out-of bounds. (Especially,\nsince KVM as a whole seems to hang after that.)\n\nInstead, print a message only once if we find that we don't have a\nroute for a certain IRQ (which can be out-of-bounds or within the\narray).\n\nThis fixes CVE-2017-1000252.\n\nFixes: efc644048ecde54 (\"KVM: x86: Update IRTE for posted-interrupts\")\nSigned-off-by: Jan H. 
Schönherr <jschoenh@amazon.de>\nSigned-off-by: Paolo Bonzini <pbonzini@redhat.com>\n(cherry picked from commit 3a8b0677fc6180a467e26cc32ce6b0c09a32f9bb)\nSigned-off-by: Shrirang Bagul <shrirang.bagul@canonical.com>\n---\n arch/x86/kvm/vmx.c | 9 +++++++--\n 1 file changed, 7 insertions(+), 2 deletions(-)","diff":"diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c\nindex 37675b7a0abc..db8cb880971b 100644\n--- a/arch/x86/kvm/vmx.c\n+++ b/arch/x86/kvm/vmx.c\n@@ -10758,7 +10758,7 @@ static int vmx_update_pi_irte(struct kvm *kvm, unsigned int host_irq,\n \tstruct kvm_lapic_irq irq;\n \tstruct kvm_vcpu *vcpu;\n \tstruct vcpu_data vcpu_info;\n-\tint idx, ret = -EINVAL;\n+\tint idx, ret = 0;\n \n \tif (!kvm_arch_has_assigned_device(kvm) ||\n \t\t!irq_remapping_cap(IRQ_POSTING_CAP))\n@@ -10766,7 +10766,12 @@ static int vmx_update_pi_irte(struct kvm *kvm, unsigned int host_irq,\n \n \tidx = srcu_read_lock(&kvm->irq_srcu);\n \tirq_rt = srcu_dereference(kvm->irq_routing, &kvm->irq_srcu);\n-\tBUG_ON(guest_irq >= irq_rt->nr_rt_entries);\n+\tif (guest_irq >= irq_rt->nr_rt_entries ||\n+\t    hlist_empty(&irq_rt->map[guest_irq])) {\n+\t\tpr_warn_once(\"no route for guest_irq %u/%u (broken user space?)\\n\",\n+\t\t\t     guest_irq, irq_rt->nr_rt_entries);\n+\t\tgoto out;\n+\t}\n \n \thlist_for_each_entry(e, &irq_rt->map[guest_irq], link) {\n \t\tif (e->type != KVM_IRQ_ROUTING_MSI)\n","prefixes":["X/Z","SRU","1/2"]}
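Review bot: In the first hunk (@@ -10758), changing the initialiser from `ret = -EINVAL` to `ret = 0` means the new `goto out` branch in the second hunk reports success to the caller when guest_irq has no route. That looks deliberate, since the commit message treats this as a user-space mistake to be warned about rather than failed, but nothing in the code says so. A one-line comment at the declaration or at the `goto out` would stop a later reader from "fixing" it back. The rest of the function is not visible in this diff, so please also confirm that no other exit path relied on the old -EINVAL default without assigning ret itself.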
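Review bot: In the second hunk (@@ -10766), `pr_warn_once()` fires a single time for the lifetime of the running kernel, so after the first bad value every later out-of-range or unrouted guest_irq, from any VM on the host, is dropped without a trace, and the message does not say which VM it came from. Since the value is user-space controlled via KVM_IRQFD, limiting the output is right, but `pr_warn_ratelimited()` would keep the flood protection while still surfacing repeats to whoever is triaging the host. Two smaller points on the same lines: the bounds test must stay ahead of `hlist_empty(&irq_rt->map[guest_irq])` as written, because the short-circuit is what keeps the index in range, and the `goto out` is taken after `srcu_read_lock()`, so the `out` label (not shown in this hunk) needs to be the one that does the matching `srcu_read_unlock()`.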