From: sashiko-bot@kernel.org
To: "Bibo Mao" <maobibo@loongson.cn>
Cc: kvm@vger.kernel.org
Subject: Re: [PATCH v6 1/6] LoongArch: KVM: Check irq validility in kvm_vcpu_ioctl_interrupt()
Date: Thu, 11 Jun 2026 07:08:32 +0000
Message-ID: <20260611070832.A9BC81F00893@smtp.kernel.org>
In-Reply-To: <20260611065815.1439154-2-maobibo@loongson.cn>
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
Pre-existing issues:
- [High] Un-ratelimited `kvm_err` enables host log flooding DoS from unprivileged userspace, and valid IRQ 0 (`INT_SWI0`) cannot be queued or dequeued.
--
commit fd892c086057b77e1ae791d2e1126c1532b41bbb
Author: Bibo Mao <maobibo@loongson.cn>
LoongArch: KVM: Check irq validility in kvm_vcpu_ioctl_interrupt()
This commit adds validity checking for the interrupt vector in
kvm_vcpu_ioctl_interrupt(), returning an error if it exceeds
EXCCODE_INT_NUM.
> diff --git a/arch/loongarch/kvm/vcpu.c b/arch/loongarch/kvm/vcpu.c
> index e28084c49e682..df5be9b265e8d 100644
> --- a/arch/loongarch/kvm/vcpu.c
> +++ b/arch/loongarch/kvm/vcpu.c
> @@ -1487,6 +1487,11 @@ void kvm_lose_fpu(struct kvm_vcpu *vcpu)
> int kvm_vcpu_ioctl_interrupt(struct kvm_vcpu *vcpu, struct kvm_interrupt *irq)
> {
> int intr = (int)irq->irq;
> + unsigned int vector;
> +
> + vector = abs(intr);
> + if (vector >= EXCCODE_INT_NUM)
> + return -EINVAL;
>
> if (intr > 0)
> kvm_queue_irq(vcpu, intr);
[Severity: High]
This is a pre-existing issue, but looking at the rest of
kvm_vcpu_ioctl_interrupt(), if irq->irq is 0 (which corresponds to INT_SWI0),
both the intr > 0 and intr < 0 checks are skipped.
The code then falls through to the following else block:
	else {
		kvm_err("%s: invalid interrupt ioctl %d\n", __func__, irq->irq);
		return -EINVAL;
	}
Since kvm_err() is not rate-limited, can an unprivileged userspace process
holding a vCPU file descriptor call this ioctl in a tight loop with
irq->irq = 0 to rapidly flood the host kernel log?
Could this create a denial of service by locking up the system via a
serial console or exhausting disk space?
Also, does this logic fundamentally prevent userspace from correctly
queuing or dequeuing INT_SWI0?
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260611065815.1439154-1-maobibo@loongson.cn?part=1
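The control flow discussed above (range check on the magnitude, sign dispatch, and the fall-through for irq 0), modelled in user space as an added example; this is not kernel code and not the patch author's code. EXCCODE_INT_NUM_MODEL, the outcome codes and the interval/burst parameters are assumptions, and the limiter is a simplified counter in the spirit of a rate-limited log call, not the kernel's implementation. The magnitude is computed in unsigned arithmetic so the INT_MIN case is well defined.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed user-space model of the ioctl path under review.
 * EXCCODE_INT_NUM_MODEL is an assumed vector count, not the kernel's value. */
#define EXCCODE_INT_NUM_MODEL 14

enum irq_outcome {
    IRQ_QUEUED         =  1,   /* intr > 0: would call kvm_queue_irq()    */
    IRQ_DEQUEUED       =  2,   /* intr < 0: would call kvm_dequeue_irq()  */
    IRQ_REJECTED_RANGE = -1,   /* new check: |intr| >= EXCCODE_INT_NUM    */
    IRQ_REJECTED_ELSE  = -2,   /* intr == 0: reaches the kvm_err() branch */
};

/* Same control flow as the patched function: range check on the magnitude,
 * then dispatch on sign. The magnitude is computed in unsigned arithmetic so
 * that the INT_MIN case is well defined instead of relying on abs(). */
int model_vcpu_interrupt(uint32_t irq_field)
{
    int intr = (int)irq_field;          /* same cast as the kernel code */
    unsigned int vector = intr < 0 ? 0u - (unsigned int)intr : (unsigned int)intr;

    if (vector >= EXCCODE_INT_NUM_MODEL)
        return IRQ_REJECTED_RANGE;
    if (intr > 0)
        return IRQ_QUEUED;
    if (intr < 0)
        return IRQ_DEQUEUED;
    return IRQ_REJECTED_ELSE;           /* vector 0 passes the range check, rejected here */
}

/* Simplified interval/burst limiter (assumed parameters), modelling what a
 * rate-limited log call would do with a stream of rejected ioctls. */
struct rl_state {
    uint64_t begin;
    uint64_t interval;
    unsigned int burst;
    unsigned int printed;
};

static int rl_allow(struct rl_state *rl, uint64_t now)
{
    if (now - rl->begin >= rl->interval) {   /* new window: reset the budget */
        rl->begin = now;
        rl->printed = 0;
    }
    if (rl->printed < rl->burst) {
        rl->printed++;
        return 1;
    }
    return 0;
}

/* Count how many log lines `calls` rejected ioctls would emit when issued
 * `spacing` ticks apart under the given interval/burst budget. */
unsigned int count_logged(unsigned int calls, uint64_t spacing,
                          uint64_t interval, unsigned int burst)
{
    struct rl_state rl = { 0, interval, burst, 0 };
    unsigned int logged = 0;

    for (unsigned int i = 0; i < calls; i++)
        if (rl_allow(&rl, (uint64_t)i * spacing))
            logged++;
    return logged;
}

int main(void)
{
    /* Constructed probe values: zero, in-range, negative, boundary, INT_MIN. */
    uint32_t probes[] = { 0u, 3u, (uint32_t)-3, 14u, (uint32_t)-14, 0x80000000u };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++)
        printf("irq=0x%08x -> %d\n", probes[i], model_vcpu_interrupt(probes[i]));
    printf("100 back-to-back rejects: unlimited logs 100 lines, limited(5,10) logs %u\n",
           count_logged(100, 0, 5, 10));
    return 0;
}
```

The probe set shows the three behaviours the review is about: 0 survives the new range check and is only rejected by the later else branch, the boundary value and INT_MIN are rejected by the range check, and the limiter caps a burst of back-to-back rejects at the burst size per interval.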
Thread overview: 14+ messages
2026-06-11 6:58 [PATCH v6 0/6] LoongArch: KVM: Small enhancement about interrupt injection Bibo Mao
2026-06-11 6:58 ` [PATCH v6 1/6] LoongArch: KVM: Check irq validility in kvm_vcpu_ioctl_interrupt() Bibo Mao
2026-06-11 7:08 ` sashiko-bot [this message]
2026-06-11 6:58 ` [PATCH v6 2/6] LoongArch: KVM: Check msgint feature in interrupt post Bibo Mao
2026-06-11 7:13 ` sashiko-bot
2026-06-11 6:58 ` [PATCH v6 3/6] LoongArch: KVM: Use existing macro about interrupt bit mask Bibo Mao
2026-06-11 6:58 ` [PATCH v6 4/6] LoongArch: KVM: Inject interrupt with batch method Bibo Mao
2026-06-11 7:17 ` sashiko-bot
2026-06-11 6:58 ` [PATCH v6 5/6] LoongArch: KVM: Add valid bit check when set ESTAT CSR register Bibo Mao
2026-06-11 10:10 ` Huacai Chen
2026-06-11 12:52 ` Bibo Mao
2026-06-11 13:01 ` Huacai Chen
2026-06-12 8:39 ` Huacai Chen
2026-06-11 6:58 ` [PATCH v6 6/6] LoongArch: KVM: Deliver interrupt after IN_GUEST_MODE is set Bibo Mao