From: Greg Kroah-Hartman
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman, patches@lists.linux.dev, Michael Bommarito, Marc Zyngier
Subject: [PATCH 6.1 866/969] KVM: arm64: vgic-its: Reject restored DTE with out-of-range num_eventid_bits
Date: Sat, 30 May 2026 18:06:30 +0200
Message-ID: <20260530160324.591829272@linuxfoundation.org>
In-Reply-To: <20260530160300.485627683@linuxfoundation.org>
References: <20260530160300.485627683@linuxfoundation.org>

6.1-stable review patch. If anyone has any objections, please let me know.

------------------

From: Michael Bommarito

commit 9ce754ed8e7ab4e3999767ce1505f85c449ccb07 upstream.

Userspace can restore an ITS Device Table Entry whose Size field encodes
more EventID bits than the virtual ITS supports. The live MAPD path
rejects that state, but vgic_its_restore_dte() accepts it and stores the
out-of-range value in dev->num_eventid_bits.

Reject restored DTEs with num_eventid_bits > VITS_TYPER_IDBITS before
allocating the device. This mirrors the MAPD check and prevents the
restored state from reaching vgic_its_restore_itt(), where the unchecked
value can be converted into an oversized scan_its_table() range.

Fixes: 57a9a117154c ("KVM: arm64: vgic-its: Device table save/restore")
Assisted-by: Claude:claude-opus-4-7
Signed-off-by: Michael Bommarito
Link: https://lore.kernel.org/r/20260519132519.2142458-1-michael.bommarito@gmail.com
Signed-off-by: Marc Zyngier
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman
---
 arch/arm64/kvm/vgic/vgic-its.c | 4 ++++
 1 file changed, 4 insertions(+)

--- a/arch/arm64/kvm/vgic/vgic-its.c +++ b/arch/arm64/kvm/vgic/vgic-its.c
@@ -2413,6 +2413,10 @@ static int vgic_its_restore_dte(struct v /* dte entry is valid */ offset = (entry & KVM_ITS_DTE_NEXT_MASK) >> KVM_ITS_DTE_NEXT_SHIFT; + /* Mimic the MAPD behaviour and reject invalid EID bits. */ + if (num_eventid_bits > VITS_TYPER_IDBITS) + return -EINVAL; + if (!vgic_its_check_id(its, baser, id, NULL)) return -EINVAL;
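
Review bot: the new bound in vgic_its_restore_dte() compares num_eventid_bits against VITS_TYPER_IDBITS, but the hunk does not show where num_eventid_bits is decoded from the entry, so please confirm it is the decoded bit count in the same units the MAPD path compares, and not the raw Size field; otherwise the limit is off by one. The comment says this mimics MAPD, so a small shared helper called from both paths would keep the two checks from drifting apart. The placement ahead of vgic_its_check_id() looks right for failing early, though both failures return the same -EINVAL, so userspace restoring a bad table cannot tell which field was rejected; a short note in the comment naming the Size field would help whoever debugs a failed restore.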