From: Sasha Levin
Date: Sat, 27 Apr 2019 15:37:27 +0000 (-0400)
Subject: patches for 4.4
X-Git-Tag: v4.9.172~53
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=7cffc372c019fe0376ed00476490c3f3414205cd;p=thirdparty%2Fkernel%2Fstable-queue.git
patches for 4.4
Signed-off-by: Sasha Levin
---
diff --git a/queue-4.4/kvm-fail-kvm_set_vcpu_events-with-invalid-exception-.patch b/queue-4.4/kvm-fail-kvm_set_vcpu_events-with-invalid-exception-.patch
new file mode 100644
index 00000000000..d4c164f7c46
--- /dev/null
+++ b/queue-4.4/kvm-fail-kvm_set_vcpu_events-with-invalid-exception-.patch
@@ -0,0 +1,86 @@
+From 530cf09088939c7c9464cb6b21039a1d0422855c Mon Sep 17 00:00:00 2001
+From: Paolo Bonzini
+Date: Fri, 26 Apr 2019 09:34:01 -0700
+Subject: KVM: fail KVM_SET_VCPU_EVENTS with invalid exception number
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+commit 78e546c824fa8f96d323b7edd6f5cad5b74af057 upstream
+
+This cannot be returned by KVM_GET_VCPU_EVENTS, so it is okay to return
+EINVAL. It causes a WARN from exception_type:
+
+ WARNING: CPU: 3 PID: 16732 at arch/x86/kvm/x86.c:345 exception_type+0x49/0x50 [kvm]()
+ CPU: 3 PID: 16732 Comm: a.out Tainted: G W 4.4.6-300.fc23.x86_64 #1
+ Hardware name: LENOVO 2325F51/2325F51, BIOS G2ET32WW (1.12 ) 05/30/2012
+ 0000000000000286 000000006308a48b ffff8800bec7fcf8 ffffffff813b542e
+ 0000000000000000 ffffffffa0966496 ffff8800bec7fd30 ffffffff810a40f2
+ ffff8800552a8000 0000000000000000 00000000002c267c 0000000000000001
+ Call Trace:
+ [] dump_stack+0x63/0x85
+ [] warn_slowpath_common+0x82/0xc0
+ [] warn_slowpath_null+0x1a/0x20
+ [] exception_type+0x49/0x50 [kvm]
+ [] kvm_arch_vcpu_ioctl_run+0x10a2/0x14e0 [kvm]
+ [] kvm_vcpu_ioctl+0x33d/0x620 [kvm]
+ [] do_vfs_ioctl+0x298/0x480
+ [] SyS_ioctl+0x79/0x90
+ [] entry_SYSCALL_64_fastpath+0x12/0x71
+ ---[ end trace b1a0391266848f50 ]---
+
+Testcase (beautified/reduced from syzkaller output):
+
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+
+ long r[31];
+
+ int main()
+ {
+ memset(r, -1, sizeof(r));
+ r[2] = open("/dev/kvm", O_RDONLY);
+ r[3] = ioctl(r[2], KVM_CREATE_VM, 0);
+ r[7] = ioctl(r[3], KVM_CREATE_VCPU, 0);
+
+ struct kvm_vcpu_events ve = {
+ .exception.injected = 1,
+ .exception.nr = 0xd4
+ };
+ r[27] = ioctl(r[7], KVM_SET_VCPU_EVENTS, &ve);
+ r[30] = ioctl(r[7], KVM_RUN, 0);
+ return 0;
+ }
+
+Reported-by: Dmitry Vyukov
+Signed-off-by: Paolo Bonzini
+Signed-off-by: Radim Krčmář
+Signed-off-by: Zubin Mithra
+Signed-off-by: Sasha Levin
+---
+ arch/x86/kvm/x86.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
+index 706c5d63a53f..d830a0d60ba4 100644
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -2972,6 +2972,10 @@ static int kvm_vcpu_ioctl_x86_set_vcpu_events(struct kvm_vcpu *vcpu,
+ | KVM_VCPUEVENT_VALID_SMM))
+ return -EINVAL;
+
++ if (events->exception.injected &&
++ (events->exception.nr > 31 || events->exception.nr == NMI_VECTOR))
++ return -EINVAL;
++
+ /* INITs are latched while in SMM */
+ if (events->flags & KVM_VCPUEVENT_VALID_SMM &&
+ (events->smi.smm || events->smi.pending) &&
+--
+2.19.1
+
diff --git a/queue-4.4/series
index ec92ee65e6a..f6fe4983e6b 100644
--- a/queue-4.4/series
+++ b/queue-4.4/series
@@ -1 +1,2 @@
 kbuild-simplify-ld-option-implementation.patch
+kvm-fail-kvm_set_vcpu_events-with-invalid-exception-.patch
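Review bot: The new guard `if (events->exception.injected && (events->exception.nr > 31 || events->exception.nr == NMI_VECTOR)) return -EINVAL;` in kvm_vcpu_ioctl_x86_set_vcpu_events mirrors, without saying so, the condition behind the WARN in exception_type() that the commit message's trace points at (arch/x86/kvm/x86.c:345), so the two can drift apart silently if either is changed later. I would put a comment above the new `if`: `/* Keep in sync with the WARN_ON in exception_type(): a vector above 31 or NMI_VECTOR is not a valid injected exception and would trip it on the next KVM_RUN. */`. That comment should also record why the check is deliberately limited to `injected` — if the rest of the function (which begins and ends outside this hunk) still copies events->exception.nr into the vcpu when injected is 0, an out-of-range value is presumably latched but never reaches exception_type(), and making the check unconditional would start rejecting userspace that leaves the field uninitialised; confirm against the full function before relying on that. Since the testcase reaches the WARN from an ordinary process that merely opens /dev/kvm, this is a userspace-triggerable warning (a DoS on systems booted with panic_on_warn), which is worth one line in the backport note.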