[v2 0/2] KVM: Validate irqchip index in routing entries

[v2 0/2] KVM: Validate irqchip index in routing entries

[Yanfei Xu]

Validate irqchip indexes for LoongArch and PowerPC irq routing entries
to reject out-of-range values before indexing the irqchip array.

v1->v2:
- Split the patch into two by architecture (Sean)
- Pick up Reviewed-by

Yanfei Xu (2):
  KVM: LoongArch: Validate irqchip index in irqfd routing
  KVM: PPC: Validate irqchip index in MPIC routing

 arch/loongarch/kvm/irqfd.c | 3 ++-
 arch/powerpc/kvm/mpic.c    | 3 ++-
 2 files changed, 4 insertions(+), 2 deletions(-)

-- 
2.20.1

[v2 1/2] KVM: LoongArch: Validate irqchip index in irqfd routing

[Yanfei Xu]

Sashiko reported that the irqchip index is not validated for LoongArch.
Add validation and reject out-of-range irqchip indexes to avoid indexing
past the routing table's chip array.

Fixes: 1928254c5ccb ("LoongArch: KVM: Add irqfd support")
Reported-by: Sashiko <sashiko-bot@kernel.org>
Closes: https://lore.kernel.org/kvm/20260525051714.485D51F000E9@smtp.kernel.org/
Reviewed-by: Bibo Mao <maobibo@loongson.cn>
Signed-off-by: Yanfei Xu <yanfei.xu@bytedance.com>
---
 arch/loongarch/kvm/irqfd.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/arch/loongarch/kvm/irqfd.c b/arch/loongarch/kvm/irqfd.c
index f4f953b22419..40ed1081c4b6 100644
--- a/arch/loongarch/kvm/irqfd.c
+++ b/arch/loongarch/kvm/irqfd.c
@@ -51,7 +51,8 @@ int kvm_set_routing_entry(struct kvm *kvm,
 		e->irqchip.irqchip = ue->u.irqchip.irqchip;
 		e->irqchip.pin = ue->u.irqchip.pin;
 
-		if (e->irqchip.pin >= KVM_IRQCHIP_NUM_PINS)
+		if (e->irqchip.pin >= KVM_IRQCHIP_NUM_PINS ||
+		    e->irqchip.irqchip >= KVM_NR_IRQCHIPS)
 			return -EINVAL;
 
 		return 0;
-- 
2.20.1

[v2 2/2] KVM: PPC: Validate irqchip index in MPIC routing

[Yanfei Xu]

Sashiko reported that the irqchip index is not validated for PowerPC.
Add validation and reject out-of-range irqchip indexes to avoid indexing
past the routing table's chip array.

Fixes: de9ba2f36368 ("KVM: PPC: Support irq routing and irqfd for in-kernel MPIC")
Reported-by: Sashiko <sashiko-bot@kernel.org>
Closes: https://lore.kernel.org/kvm/20260525051714.485D51F000E9@smtp.kernel.org/
Reviewed-by: Harsh Prateek Bora <harshpb@linux.ibm.com>
Signed-off-by: Yanfei Xu <yanfei.xu@bytedance.com>
---
 arch/powerpc/kvm/mpic.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/arch/powerpc/kvm/mpic.c b/arch/powerpc/kvm/mpic.c
index 3070f36d9fb8..fb5f9e65e02e 100644
--- a/arch/powerpc/kvm/mpic.c
+++ b/arch/powerpc/kvm/mpic.c
@@ -1833,7 +1833,8 @@ int kvm_set_routing_entry(struct kvm *kvm,
 		e->set = mpic_set_irq;
 		e->irqchip.irqchip = ue->u.irqchip.irqchip;
 		e->irqchip.pin = ue->u.irqchip.pin;
-		if (e->irqchip.pin >= KVM_IRQCHIP_NUM_PINS)
+		if (e->irqchip.pin >= KVM_IRQCHIP_NUM_PINS ||
+		    e->irqchip.irqchip >= KVM_NR_IRQCHIPS)
 			goto out;
 		break;
 	case KVM_IRQ_ROUTING_MSI:
-- 
2.20.1

Re: [v2 1/2] KVM: LoongArch: Validate irqchip index in irqfd routing

[sashiko-bot]

Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:

Pre-existing issues:
- [Critical] Missing bounds check on the `e->msi.data` value before using it as an `irq` index in `eiointc_set_irq()` leads to an out-of-bounds memory read and write.
--

commit 217e342828fa29f1b763464cad52ec8a004759a7
Author: Yanfei Xu <yanfei.xu@bytedance.com>

KVM: LoongArch: Validate irqchip index in irqfd routing

This commit adds validation for the irqchip index and pin in the LoongArch
KVM irqfd routing setup to prevent out-of-bounds array access.

Closes: https://lore.kernel.org/kvm/20260525051714.485D51F000E9@smtp.kernel.org/

> diff --git a/arch/loongarch/kvm/irqfd.c b/arch/loongarch/kvm/irqfd.c
> index f4f953b224192..40ed1081c4b62 100644
> --- a/arch/loongarch/kvm/irqfd.c
> +++ b/arch/loongarch/kvm/irqfd.c
> @@ -51,7 +51,8 @@ int kvm_set_routing_entry(struct kvm *kvm,
>  		e->irqchip.irqchip = ue->u.irqchip.irqchip;
>  		e->irqchip.pin = ue->u.irqchip.pin;
>  
> -		if (e->irqchip.pin >= KVM_IRQCHIP_NUM_PINS)
> +		if (e->irqchip.pin >= KVM_IRQCHIP_NUM_PINS ||
> +		    e->irqchip.irqchip >= KVM_NR_IRQCHIPS)
>  			return -EINVAL;
>  
>  		return 0;

[Severity: Critical]
This is a pre-existing issue, but does this code also need bounds checking
for the MSI routing case?

When handling KVM_IRQ_ROUTING_MSI in kvm_set_routing_entry(), we copy the
user-controlled ue->u.msi.data into e->msi.data without any validation:

    e->msi.data = ue->u.msi.data;

During MSI injection, kvm_set_msi() passes this value down to
pch_msi_set_irq(), which directly uses it as the irq parameter:

    eiointc_set_irq(kvm->arch.eiointc, e->msi.data, level);

Inside eiointc_set_irq(), this untrusted value is used as an index in
bitwise operations against s->isr and passed to eiointc_update_irq():

    level ? __set_bit(irq, isr) : __clear_bit(irq, isr);
    ...
    cpu = s->sw_coremap[irq];

Could this allow a malicious guest or unprivileged host userspace to perform
an out-of-bounds memory read and write against the eiointc allocation?

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260531135326.2238555-1-yanfei.xu@bytedance.com?part=1

Re: [v2 0/2] KVM: Validate irqchip index in routing entries

[Greg KH]

On Sun, May 31, 2026 at 09:53:24PM +0800, Yanfei Xu wrote:
> Validate irqchip indexes for LoongArch and PowerPC irq routing entries
> to reject out-of-range values before indexing the irqchip array.
> 
> v1->v2:
> - Split the patch into two by architecture (Sean)
> - Pick up Reviewed-by
> 
> Yanfei Xu (2):
>   KVM: LoongArch: Validate irqchip index in irqfd routing
>   KVM: PPC: Validate irqchip index in MPIC routing
> 
>  arch/loongarch/kvm/irqfd.c | 3 ++-
>  arch/powerpc/kvm/mpic.c    | 3 ++-
>  2 files changed, 4 insertions(+), 2 deletions(-)
> 
> -- 
> 2.20.1
> 

<formletter>

This is not the correct way to submit patches for inclusion in the
stable kernel tree.  Please read:
    https://www.kernel.org/doc/html/latest/process/stable-kernel-rules.html
for how to do this properly.

</formletter>

Re: [v2 0/2] KVM: Validate irqchip index in routing entries

[Yanfei Xu]

On 2026/5/31 22:15, Greg KH wrote:
>> -- 
>> 2.20.1
>>
> <formletter>
>
> This is not the correct way to submit patches for inclusion in the
> stable kernel tree.  Please read:
>      https://www.kernel.org/doc/html/latest/process/stable-kernel-rules.html
> for how to do this properly.
>
> </formletter>

Thanks for pointing out the correct process. I saw
that PPC maintainer added "Cc: stable@vger.kernel.org"
on v1, so I mistakenly thought v2 should cc...

Thanks,
Yanfei

Re: [v2 0/2] KVM: Validate irqchip index in routing entries

[Greg KH]

On Sun, May 31, 2026 at 10:36:27PM +0800, Yanfei Xu wrote:
> 
> On 2026/5/31 22:15, Greg KH wrote:
> > > -- 
> > > 2.20.1
> > > 
> > <formletter>
> > 
> > This is not the correct way to submit patches for inclusion in the
> > stable kernel tree.  Please read:
> >      https://www.kernel.org/doc/html/latest/process/stable-kernel-rules.html
> > for how to do this properly.
> > 
> > </formletter>
> 
> Thanks for pointing out the correct process. I saw
> that PPC maintainer added "Cc: stable@vger.kernel.org"
> on v1, so I mistakenly thought v2 should cc...

That's great, then take a look at the file above to show you how to do
that :)