Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm

Pull KVM fixes from Radim Krčmář:
"Four fixes for bugs found by syzkaller on x86, all for stable"

* tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm:
KVM: x86: check for pic and ioapic presence before use
KVM: x86: fix out-of-bounds accesses of rtc_eoi map
KVM: x86: drop error recovery in em_jmp_far and em_ret_far
KVM: x86: fix out-of-bounds access in lapic

+28 -29
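--- a/arch/x86/kvm/emulate.c
+++ b/arch/x86/kvm/emulate.c
@@ -2105,15 +2105,9 @@
 static int em_jmp_far(struct x86_emulate_ctxt *ctxt)
 {
 	int rc;
-	unsigned short sel, old_sel;
-	struct desc_struct old_desc, new_desc;
-	const struct x86_emulate_ops *ops = ctxt->ops;
+	unsigned short sel;
+	struct desc_struct new_desc;
 	u8 cpl = ctxt->ops->cpl(ctxt);
-
-	/* Assignment of RIP may only fail in 64-bit mode */
-	if (ctxt->mode == X86EMUL_MODE_PROT64)
-		ops->get_segment(ctxt, &old_sel, &old_desc, NULL,
-				 VCPU_SREG_CS);
 
 	memcpy(&sel, ctxt->src.valptr + ctxt->op_bytes, 2);
 
@@ -2124,12 +2118,10 @@
 		return rc;
 
 	rc = assign_eip_far(ctxt, ctxt->src.val, &new_desc);
-	if (rc != X86EMUL_CONTINUE) {
-		WARN_ON(ctxt->mode != X86EMUL_MODE_PROT64);
-		/* assigning eip failed; restore the old cs */
-		ops->set_segment(ctxt, old_sel, &old_desc, 0, VCPU_SREG_CS);
-		return rc;
-	}
+	/* Error handling is not implemented. */
+	if (rc != X86EMUL_CONTINUE)
+		return X86EMUL_UNHANDLEABLE;
+
 	return rc;
 }
 
@@ -2189,14 +2181,8 @@
 {
 	int rc;
 	unsigned long eip, cs;
-	u16 old_cs;
 	int cpl = ctxt->ops->cpl(ctxt);
-	struct desc_struct old_desc, new_desc;
-	const struct x86_emulate_ops *ops = ctxt->ops;
-
-	if (ctxt->mode == X86EMUL_MODE_PROT64)
-		ops->get_segment(ctxt, &old_cs, &old_desc, NULL,
-				 VCPU_SREG_CS);
+	struct desc_struct new_desc;
 
 	rc = emulate_pop(ctxt, &eip, ctxt->op_bytes);
 	if (rc != X86EMUL_CONTINUE)
@@ -2213,10 +2199,10 @@
 	if (rc != X86EMUL_CONTINUE)
 		return rc;
 	rc = assign_eip_far(ctxt, eip, &new_desc);
-	if (rc != X86EMUL_CONTINUE) {
-		WARN_ON(ctxt->mode != X86EMUL_MODE_PROT64);
-		ops->set_segment(ctxt, old_cs, &old_desc, 0, VCPU_SREG_CS);
-	}
+	/* Error handling is not implemented. */
+	if (rc != X86EMUL_CONTINUE)
+		return X86EMUL_UNHANDLEABLE;
+
 	return rc;
 }
 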
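Review bot: The `/* Error handling is not implemented. */` comment on the new early return in both em_jmp_far and the second function (em_ret_far per the commit title) does not say what state is left behind, which is the security-relevant part: by the time assign_eip_far fails, CS has presumably already been switched to new_desc by the segment load that sits between the hunks, so the vCPU is left with the new CS and the old RIP and the caller must treat X86EMUL_UNHANDLEABLE as an emulation failure rather than resume the guest. I would spell that out: `/* CS has already been loaded and cannot be rolled back here; report the instruction as unhandleable rather than resume in a half-updated state. */`. With the guard in place the trailing `return rc;` can only ever return X86EMUL_CONTINUE, so `return X86EMUL_CONTINUE;` would make that explicit and stop a reader from looking for another path. Both functions continue outside the hunks shown here.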
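--- a/arch/x86/kvm/ioapic.c
+++ b/arch/x86/kvm/ioapic.c
@@ -94,7 +94,7 @@
 static void rtc_irq_eoi_tracking_reset(struct kvm_ioapic *ioapic)
 {
 	ioapic->rtc_status.pending_eoi = 0;
-	bitmap_zero(ioapic->rtc_status.dest_map.map, KVM_MAX_VCPUS);
+	bitmap_zero(ioapic->rtc_status.dest_map.map, KVM_MAX_VCPU_ID);
 }
 
 static void kvm_rtc_eoi_tracking_restore_all(struct kvm_ioapic *ioapic);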
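Review bot: The bound passed to bitmap_zero is a second, independent copy of the size used in the `DECLARE_BITMAP(map, ...)` declaration of struct dest_map in ioapic.h, and a mismatch between those two is exactly what this commit fixes; nothing prevents them from drifting apart again. A one-line comment tying them together would help, e.g. `/* must match DECLARE_BITMAP(map, ...) in struct dest_map */`, or better, a single named constant used by both sites. Note that this reset clears pending_eoi and the bitmap but not `vectors[]`; that is only safe as long as vectors is consulted solely for vcpus whose bit in map is set, which is what the comment in ioapic.h promises.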
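--- a/arch/x86/kvm/ioapic.h
+++ b/arch/x86/kvm/ioapic.h
@@ -42,13 +42,13 @@
 
 struct dest_map {
 	/* vcpu bitmap where IRQ has been sent */
-	DECLARE_BITMAP(map, KVM_MAX_VCPUS);
+	DECLARE_BITMAP(map, KVM_MAX_VCPU_ID);
 
 	/*
 	 * Vector sent to a given vcpu, only valid when
 	 * the vcpu's bit in map is set
 	 */
-	u8 vectors[KVM_MAX_VCPUS];
+	u8 vectors[KVM_MAX_VCPU_ID];
 };
 
 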
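Review bot: The comment `/* vcpu bitmap where IRQ has been sent */` no longer says enough: sizing `map` and `vectors` by KVM_MAX_VCPU_ID rather than KVM_MAX_VCPUS strongly suggests both arrays are indexed by the vcpu's id (vcpu_id) rather than by its index in the vcpu array, and a reader who indexes them with the other quantity reintroduces the out-of-bounds access this commit removes. I would state the index explicitly, e.g. `/* bitmap, indexed by vcpu_id, of vcpus the IRQ has been sent to */` and `/* Vector sent to the vcpu with this vcpu_id, only valid when ... */`. If KVM_MAX_VCPU_ID is larger than KVM_MAX_VCPUS (not visible here), every structure embedding dest_map grows accordingly; a short note that the bound is chosen to cover every value vcpu_id can take would explain why the larger size is required.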
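--- a/arch/x86/kvm/irq_comm.c
+++ b/arch/x86/kvm/irq_comm.c
@@ -41,5 +41,14 @@
 			   bool line_status)
 {
 	struct kvm_pic *pic = pic_irqchip(kvm);
+
+	/*
+	 * XXX: rejecting pic routes when pic isn't in use would be better,
+	 * but the default routing table is installed while kvm->arch.vpic is
+	 * NULL and KVM_CREATE_IRQCHIP can race with KVM_IRQ_LINE.
+	 */
+	if (!pic)
+		return -1;
+
 	return kvm_pic_set_irq(pic, e->irqchip.pin, irq_source_id, level);
 }
 
@@ -49,6 +58,10 @@
 			      bool line_status)
 {
 	struct kvm_ioapic *ioapic = kvm->arch.vioapic;
+
+	if (!ioapic)
+		return -1;
+
 	return kvm_ioapic_set_irq(ioapic, e->irqchip.pin, irq_source_id, level,
 				line_status);
 }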
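Review bot: The new `if (!ioapic) return -1;` in kvm_set_ioapic_irq carries none of the rationale written for the pic case, although presumably the same race between the default routing table, KVM_CREATE_IRQCHIP and KVM_IRQ_LINE is what makes it necessary; a one-liner such as `/* Same race as kvm_set_pic_irq: routes can exist before the ioapic is created. */` keeps the next reader from removing it as redundant. Both guards test a pointer read once from `kvm->arch` with no synchronization visible in the hunk, so they defend against a NULL pointer but not against observing a pic/ioapic that KVM_CREATE_IRQCHIP has published before finishing its initialization; worth confirming that the creation path stores the pointer last or under the same lock the routing code holds. Returning a bare -1 is in-band with whatever kvm_pic_set_irq/kvm_ioapic_set_irq return on failure, so callers cannot distinguish "no irqchip" from a rejected pin; if any caller cares, a distinct negative errno would be clearer.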
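--- a/arch/x86/kvm/lapic.c
+++ b/arch/x86/kvm/lapic.c
@@ -138,7 +138,7 @@
 		*mask = dest_id & 0xff;
 		return true;
 	case KVM_APIC_MODE_XAPIC_CLUSTER:
-		*cluster = map->xapic_cluster_map[dest_id >> 4];
+		*cluster = map->xapic_cluster_map[(dest_id >> 4) & 0xf];
 		*mask = dest_id & 0xf;
 		return true;
 	default: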
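Review bot: The `& 0xf` on the cluster index silently truncates dest_id instead of rejecting a destination that cannot exist in xAPIC cluster mode, where the destination is an 8-bit value with the cluster number in the high nibble and the member mask in the low nibble; that is a defensible choice, but nothing in the hunk says why bits above 7 are dropped rather than having the function return false, and the flat-mode case just above applies a different truncation (`& 0xff`) with the same silence. A comment on the indexing line would make the bound explicit, e.g. `/* xAPIC cluster ids are 4 bits; drop any upper bits of dest_id so the index stays inside xapic_cluster_map */`. The mask also hard-codes the assumption that xapic_cluster_map has 16 entries; if its size is declared with a named constant elsewhere, derive the mask from that rather than a magic 0xf so the two cannot drift apart. The enclosing function starts before the hunk and ends after it.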