Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm

Pull KVM fixes from Radim Krčmář:
"Four fixes for bugs found by syzkaller on x86, all for stable"

* tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm:
KVM: x86: check for pic and ioapic presence before use
KVM: x86: fix out-of-bounds accesses of rtc_eoi map
KVM: x86: drop error recovery in em_jmp_far and em_ret_far
KVM: x86: fix out-of-bounds access in lapic

+28 -29
+11 -25
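--- a/arch/x86/kvm/emulate.c
+++ b/arch/x86/kvm/emulate.c
@@ -2105,15 +2105,9 @@
 static int em_jmp_far(struct x86_emulate_ctxt *ctxt)
 {
 int rc;
-unsigned short sel, old_sel;
-struct desc_struct old_desc, new_desc;
-const struct x86_emulate_ops *ops = ctxt->ops;
+unsigned short sel;
+struct desc_struct new_desc;
 u8 cpl = ctxt->ops->cpl(ctxt);
-
-/* Assignment of RIP may only fail in 64-bit mode */
-if (ctxt->mode == X86EMUL_MODE_PROT64)
-ops->get_segment(ctxt, &old_sel, &old_desc, NULL,
-VCPU_SREG_CS);
 
 memcpy(&sel, ctxt->src.valptr + ctxt->op_bytes, 2);
 
@@ -2124,12 +2118,10 @@
 return rc;
 
 rc = assign_eip_far(ctxt, ctxt->src.val, &new_desc);
-if (rc != X86EMUL_CONTINUE) {
-WARN_ON(ctxt->mode != X86EMUL_MODE_PROT64);
-/* assigning eip failed; restore the old cs */
-ops->set_segment(ctxt, old_sel, &old_desc, 0, VCPU_SREG_CS);
-return rc;
-}
+/* Error handling is not implemented. */
+if (rc != X86EMUL_CONTINUE)
+return X86EMUL_UNHANDLEABLE;
+
 return rc;
 }
 
@@ -2189,14 +2181,8 @@
 {
 int rc;
 unsigned long eip, cs;
-u16 old_cs;
 int cpl = ctxt->ops->cpl(ctxt);
-struct desc_struct old_desc, new_desc;
-const struct x86_emulate_ops *ops = ctxt->ops;
-
-if (ctxt->mode == X86EMUL_MODE_PROT64)
-ops->get_segment(ctxt, &old_cs, &old_desc, NULL,
-VCPU_SREG_CS);
+struct desc_struct new_desc;
 
 rc = emulate_pop(ctxt, &eip, ctxt->op_bytes);
 if (rc != X86EMUL_CONTINUE)
@@ -2213,10 +2199,10 @@
 if (rc != X86EMUL_CONTINUE)
 return rc;
 rc = assign_eip_far(ctxt, eip, &new_desc);
-if (rc != X86EMUL_CONTINUE) {
-WARN_ON(ctxt->mode != X86EMUL_MODE_PROT64);
-ops->set_segment(ctxt, old_cs, &old_desc, 0, VCPU_SREG_CS);
-}
+/* Error handling is not implemented. */
+if (rc != X86EMUL_CONTINUE)
+return X86EMUL_UNHANDLEABLE;
+
 return rc;
 }
 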
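Review bot: The new `/* Error handling is not implemented. */` comment in both em_jmp_far and em_ret_far says what was dropped but not why X86EMUL_UNHANDLEABLE is the right outcome, which is the part the next maintainer needs; something like `/* CS has already been loaded and the old value is no longer saved, so a failed RIP assignment cannot be rolled back; report it as unhandleable rather than continue with an inconsistent CS:RIP. */` records the rationale (the CS load itself sits outside the hunk, so confirm the ordering before wording it that way). The original rc from assign_eip_far is discarded; if that call can leave a fault pending, the caller now sees X86EMUL_UNHANDLEABLE instead of the fault, which looks intended but is worth stating in the same comment. The trailing `return rc;` after the check is now always X86EMUL_CONTINUE and could read `return X86EMUL_CONTINUE;`. Both functions extend outside the hunks shown.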
+1 -1
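--- a/arch/x86/kvm/ioapic.c
+++ b/arch/x86/kvm/ioapic.c
@@ -94,7 +94,7 @@
 static void rtc_irq_eoi_tracking_reset(struct kvm_ioapic *ioapic)
 {
 ioapic->rtc_status.pending_eoi = 0;
-bitmap_zero(ioapic->rtc_status.dest_map.map, KVM_MAX_VCPUS);
+bitmap_zero(ioapic->rtc_status.dest_map.map, KVM_MAX_VCPU_ID);
 }
 
 static void kvm_rtc_eoi_tracking_restore_all(struct kvm_ioapic *ioapic);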
+2 -2
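--- a/arch/x86/kvm/ioapic.h
+++ b/arch/x86/kvm/ioapic.h
@@ -42,13 +42,13 @@
 
 struct dest_map {
 /* vcpu bitmap where IRQ has been sent */
-DECLARE_BITMAP(map, KVM_MAX_VCPUS);
+DECLARE_BITMAP(map, KVM_MAX_VCPU_ID);
 
 /*
 * Vector sent to a given vcpu, only valid when
 * the vcpu's bit in map is set
 */
-u8 vectors[KVM_MAX_VCPUS];
+u8 vectors[KVM_MAX_VCPU_ID];
 };
 
 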
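Review bot: The struct comment on `map` still reads `/* vcpu bitmap where IRQ has been sent */` and does not say what indexes it, which is exactly what the KVM_MAX_VCPUS to KVM_MAX_VCPU_ID resize hinges on; suggest `/* vcpu bitmap where IRQ has been sent; indexed by vcpu_id, so sized for KVM_MAX_VCPU_ID rather than KVM_MAX_VCPUS */` and a matching phrase on the `vectors` comment. The bitmap_zero bound in arch/x86/kvm/ioapic.c is updated in this merge, but any other code that iterates or tests `dest_map.map` or `vectors` with a KVM_MAX_VCPUS bound would still be out of step with the new size; that is not visible here and worth a grep. The two field changes themselves are consistent with each other.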
+13
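--- a/arch/x86/kvm/irq_comm.c
+++ b/arch/x86/kvm/irq_comm.c
@@ -41,6 +41,15 @@
 bool line_status)
 {
 struct kvm_pic *pic = pic_irqchip(kvm);
+
+/*
+* XXX: rejecting pic routes when pic isn't in use would be better,
+* but the default routing table is installed while kvm->arch.vpic is
+* NULL and KVM_CREATE_IRQCHIP can race with KVM_IRQ_LINE.
+*/
+if (!pic)
+return -1;
+
 return kvm_pic_set_irq(pic, e->irqchip.pin, irq_source_id, level);
 }
 
@@ -49,7 +58,11 @@
 bool line_status)
 {
 struct kvm_ioapic *ioapic = kvm->arch.vioapic;
+
+if (!ioapic)
+return -1;
+
 return kvm_ioapic_set_irq(ioapic, e->irqchip.pin, irq_source_id, level,
 line_status);
 }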
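Review bot: The ioapic check in the second hunk has no comment while the pic check carries the XXX note about the KVM_CREATE_IRQCHIP / KVM_IRQ_LINE race; if the same reasoning applies to `kvm->arch.vioapic`, a one-liner such as `/* Same race as the PIC case above: a route can be dispatched before vioapic is set. */` keeps the two in step, and if it does not, the difference should be stated. Both checks guard only against a NULL pointer, not against a chip whose pointer is published before its fields are initialised, so the fix relies on KVM_CREATE_IRQCHIP storing the pointer last; I cannot verify that from these hunks. Returning -1 drops the interrupt silently, which fits the fail-closed intent, but a short comment on what -1 means to the caller would help. Both enclosing functions start outside the hunks.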
+1 -1
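--- a/arch/x86/kvm/lapic.c
+++ b/arch/x86/kvm/lapic.c
@@ -138,7 +138,7 @@
 *mask = dest_id & 0xff;
 return true;
 case KVM_APIC_MODE_XAPIC_CLUSTER:
-*cluster = map->xapic_cluster_map[dest_id >> 4];
+*cluster = map->xapic_cluster_map[(dest_id >> 4) & 0xf];
 *mask = dest_id & 0xf;
 return true;
 default: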
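Review bot: The added `& 0xf` on the xapic_cluster_map index silently folds any out-of-range dest_id into a valid cluster rather than rejecting it, and nothing at the site says so; a comment such as `/* cluster id is the high nibble of an 8-bit xAPIC id; mask it so a wider dest_id cannot index past the cluster table */` records both the bound and the design choice (the table size is inferred from the mask, not visible here). If callers can legitimately pass dest_id values above 0xff, it is worth confirming that aliasing them onto a cluster is the desired outcome rather than treating it as a miss. The enclosing function starts and ends outside the hunk.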