From: sashiko-bot@kernel.org
To: syzbot <syzbot@kernel.org>
Cc: kvm@vger.kernel.org
Subject: Re: [PATCH] KVM: x86: Drop WARN_ON_ONCE() for concurrently disappearing interrupts
Date: Wed, 24 Jun 2026 13:23:19 +0000 [thread overview]
Message-ID: <20260624132320.2DD621F000E9@smtp.kernel.org> (raw)
In-Reply-To: <345e9d6c-d7d9-4bab-adb3-d6a7bd27599f@mail.kernel.org>
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
- [Medium] Guest-triggerable host log spam via pr_err_ratelimited() for a normal TOCTOU condition.
--
commit 116bec97d294fdbb66935efe3243c46e486faba6
Author: Alexander Potapenko <glider@google.com>
KVM: x86: Drop WARN_ON_ONCE() for concurrently disappearing interrupts
This commit removes a warning in kvm_check_and_inject_events() that occurs
when an interrupt disappears between being checked and fetched. Since this
is a legitimate race condition, the warning is replaced with a rate-limited
error message.
Link: https://syzkaller.appspot.com/ai_job?id=35cad3cd-95fd-4c0d-8ca8-812f58d56e59
> diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
> index 0550359ed798f..c5b4cddd9c0cb 100644
> --- a/arch/x86/kvm/x86.c
> +++ b/arch/x86/kvm/x86.c
> @@ -10857,10 +10857,13 @@ static int kvm_check_and_inject_events(struct kvm_vcpu *vcpu,
> if (r) {
> int irq = kvm_cpu_get_interrupt(vcpu);
>
> - if (!WARN_ON_ONCE(irq == -1)) {
> + if (irq != -1) {
> kvm_queue_interrupt(vcpu, irq, false);
> kvm_x86_call(inject_irq)(vcpu, false);
> WARN_ON(kvm_x86_call(interrupt_allowed)(vcpu, true) < 0);
> + } else {
> + pr_err_ratelimited(
> + "KVM: interrupt disappeared between checking and fetching\n");
[Severity: Medium]
Since the commit message identifies this as a legitimate race condition that
can occur during normal operation, could this pr_err_ratelimited() allow an
unprivileged guest to continuously spam the host kernel log?
By configuring a PIT or PCI device to rapidly assert and deassert
level-triggered interrupts, a guest could intentionally trigger this path and
force the host to log messages at the maximum rate-limited frequency
indefinitely.
Should this event be logged with pr_warn_once() instead, or dropped entirely
to prevent adversary-reachable host log pollution?
> + }
> }
> if (kvm_cpu_has_injectable_intr(vcpu))
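Review bot: the new `else` branch logs a fixed string with no identifying context, so when `pr_err_ratelimited("KVM: interrupt disappeared between checking and fetching\n")` fires there is no way to tell which VM or vCPU hit the race or how often a given guest is hitting it. The `vcpu` parameter is in scope (see the hunk header `kvm_check_and_inject_events(struct kvm_vcpu *vcpu, ...)`), so either include `vcpu->vcpu_id` in the format string, or, since the commit message itself calls this a legitimate race rather than a bug, downgrade the message to `pr_debug()` or a tracepoint so that a benign condition does not produce error-level output in the host log at all. If the message is kept, the commit message should also say why error level is appropriate for an expected condition.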
--
Sashiko AI review · https://sashiko.dev/#/patchset/345e9d6c-d7d9-4bab-adb3-d6a7bd27599f@mail.kernel.org?part=1
Thread overview: 3+ messages
2026-06-24 13:15 [PATCH] KVM: x86: Drop WARN_ON_ONCE() for concurrently disappearing interrupts syzbot
2026-06-24 13:23 ` sashiko-bot [this message]
2026-06-24 14:00 ` Sean Christopherson