* [v2 1/2] KVM: LoongArch: Validate irqchip index in irqfd routing
2026-05-31 13:53 [v2 0/2] KVM: Validate irqchip index in routing entries Yanfei Xu
@ 2026-05-31 13:53 ` Yanfei Xu
2026-05-31 14:09 ` sashiko-bot
2026-05-31 13:53 ` [v2 2/2] KVM: PPC: Validate irqchip index in MPIC routing Yanfei Xu
2026-05-31 14:15 ` [v2 0/2] KVM: Validate irqchip index in routing entries Greg KH
2 siblings, 1 reply; 7+ messages in thread
From: Yanfei Xu @ 2026-05-31 13:53 UTC
To: harshpb, zhaotianrui, maobibo, chenhuacai, maddy, npiggin,
sashiko-reviews, seanjc, pbonzini
Cc: kvm, stable, loongarch, linuxppc-dev, caixiangfeng,
fangying.tommy, yanfei.xu, isyanfei.xu, Sashiko
Sashiko reported that the irqchip index is not validated for LoongArch.
Add validation and reject out-of-range irqchip indexes to avoid indexing
past the routing table's chip array.
Fixes: 1928254c5ccb ("LoongArch: KVM: Add irqfd support")
Reported-by: Sashiko <sashiko-bot@kernel.org>
Closes: https://lore.kernel.org/kvm/20260525051714.485D51F000E9@smtp.kernel.org/
Reviewed-by: Bibo Mao <maobibo@loongson.cn>
Signed-off-by: Yanfei Xu <yanfei.xu@bytedance.com>
---
arch/loongarch/kvm/irqfd.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/arch/loongarch/kvm/irqfd.c b/arch/loongarch/kvm/irqfd.c
index f4f953b22419..40ed1081c4b6 100644
--- a/arch/loongarch/kvm/irqfd.c
+++ b/arch/loongarch/kvm/irqfd.c
@@ -51,7 +51,8 @@ int kvm_set_routing_entry(struct kvm *kvm,
e->irqchip.irqchip = ue->u.irqchip.irqchip;
e->irqchip.pin = ue->u.irqchip.pin;
- if (e->irqchip.pin >= KVM_IRQCHIP_NUM_PINS)
+ if (e->irqchip.pin >= KVM_IRQCHIP_NUM_PINS ||
+ e->irqchip.irqchip >= KVM_NR_IRQCHIPS)
return -EINVAL;
return 0;
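Review bot: the range check reads back `e->irqchip.irqchip` and `e->irqchip.pin` after both have already been stored from `ue`, so on the `-EINVAL` path the entry `e` is left holding the rejected values. Testing `ue->u.irqchip.irqchip` and `ue->u.irqchip.pin` before the two assignments would leave `e` untouched on failure and make it plain that the untrusted input is what is being validated.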
--
2.20.1
* Re: [v2 1/2] KVM: LoongArch: Validate irqchip index in irqfd routing
From: sashiko-bot @ 2026-05-31 14:09 UTC
To: Yanfei Xu; +Cc: kvm
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
Pre-existing issues:
- [Critical] Missing bounds check on the `e->msi.data` value before using it as an `irq` index in `eiointc_set_irq()` leads to an out-of-bounds memory read and write.
--
commit 217e342828fa29f1b763464cad52ec8a004759a7
Author: Yanfei Xu <yanfei.xu@bytedance.com>
KVM: LoongArch: Validate irqchip index in irqfd routing
This commit adds validation for the irqchip index and pin in the LoongArch
KVM irqfd routing setup to prevent out-of-bounds array access.
Closes: https://lore.kernel.org/kvm/20260525051714.485D51F000E9@smtp.kernel.org/
> diff --git a/arch/loongarch/kvm/irqfd.c b/arch/loongarch/kvm/irqfd.c
> index f4f953b224192..40ed1081c4b62 100644
> --- a/arch/loongarch/kvm/irqfd.c
> +++ b/arch/loongarch/kvm/irqfd.c
> @@ -51,7 +51,8 @@ int kvm_set_routing_entry(struct kvm *kvm,
> e->irqchip.irqchip = ue->u.irqchip.irqchip;
> e->irqchip.pin = ue->u.irqchip.pin;
>
> - if (e->irqchip.pin >= KVM_IRQCHIP_NUM_PINS)
> + if (e->irqchip.pin >= KVM_IRQCHIP_NUM_PINS ||
> + e->irqchip.irqchip >= KVM_NR_IRQCHIPS)
> return -EINVAL;
>
> return 0;
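Review bot: nothing at the new `e->irqchip.irqchip >= KVM_NR_IRQCHIPS` test says which array the bound protects; the commit message only refers to "the routing table's chip array". A one-line comment above the `if` naming the array that is indexed by `irqchip` and `pin` would let a reader confirm that `KVM_NR_IRQCHIPS` and `KVM_IRQCHIP_NUM_PINS` are its actual dimensions.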
[Severity: Critical]
This is a pre-existing issue, but does this code also need bounds checking
for the MSI routing case?

When handling KVM_IRQ_ROUTING_MSI in kvm_set_routing_entry(), we copy the
user-controlled ue->u.msi.data into e->msi.data without any validation:

    e->msi.data = ue->u.msi.data;

During MSI injection, kvm_set_msi() passes this value down to
pch_msi_set_irq(), which directly uses it as the irq parameter:

    eiointc_set_irq(kvm->arch.eiointc, e->msi.data, level);

Inside eiointc_set_irq(), this untrusted value is used as an index in
bitwise operations against s->isr and passed to eiointc_update_irq():

    level ? __set_bit(irq, isr) : __clear_bit(irq, isr);
    ...
    cpu = s->sw_coremap[irq];

Could this allow a malicious guest or unprivileged host userspace to perform
an out-of-bounds memory read and write against the eiointc allocation?
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260531135326.2238555-1-yanfei.xu@bytedance.com?part=1
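The data flow described in the review above (a userspace-supplied value stored at routing setup, then used later as a bit index and an array index), as an added userspace C model that is not kernel code and not code from this thread. All `model_`/`MODEL_` names and sizes are constructed; the 256-entry bound is an assumption, not the eiointc's real limit.

```c
#include <errno.h>
#include <limits.h>
#include <stdint.h>

/* Constructed sizes for this model; they are not the kernel's values. */
#define MODEL_NR_IRQCHIPS 1
#define MODEL_NR_PINS     64
#define MODEL_NR_IRQS     256
#define BITS_PER_WORD     (sizeof(unsigned long) * CHAR_BIT)

enum model_route_type { MODEL_ROUTE_IRQCHIP, MODEL_ROUTE_MSI };

/* Routing entry as handed in by userspace: every field is untrusted. */
struct model_user_entry {
    enum model_route_type type;
    uint32_t irqchip, pin;   /* used by MODEL_ROUTE_IRQCHIP */
    uint32_t msi_data;       /* used by MODEL_ROUTE_MSI */
};

/* Device state that the stored values later index into. */
struct model_intc {
    unsigned long isr[MODEL_NR_IRQS / BITS_PER_WORD];
    uint8_t sw_coremap[MODEL_NR_IRQS];
};

/* Validate the untrusted source first; store only after every check passes. */
int model_set_routing_entry(struct model_user_entry *e,
                            const struct model_user_entry *ue)
{
    int ok = (ue->type == MODEL_ROUTE_IRQCHIP &&
              ue->irqchip < MODEL_NR_IRQCHIPS && ue->pin < MODEL_NR_PINS) ||
             (ue->type == MODEL_ROUTE_MSI && ue->msi_data < MODEL_NR_IRQS);
    if (!ok)
        return -EINVAL;
    *e = *ue;
    return 0;
}

/* Injection path: re-check the index so a stale or corrupt entry can reach
 * neither the bit operation nor the array read. Returns the mapped CPU. */
int model_set_irq(struct model_intc *s, uint32_t irq, int level)
{
    if (irq >= MODEL_NR_IRQS)
        return -EINVAL;
    unsigned long *word = &s->isr[irq / BITS_PER_WORD];
    unsigned long mask = 1UL << (irq % BITS_PER_WORD);
    *word = level ? (*word | mask) : (*word & ~mask);
    return s->sw_coremap[irq];
}
```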
* [v2 2/2] KVM: PPC: Validate irqchip index in MPIC routing
From: Yanfei Xu @ 2026-05-31 13:53 UTC
To: harshpb, zhaotianrui, maobibo, chenhuacai, maddy, npiggin,
sashiko-reviews, seanjc, pbonzini
Cc: kvm, stable, loongarch, linuxppc-dev, caixiangfeng,
fangying.tommy, yanfei.xu, isyanfei.xu, Sashiko
Sashiko reported that the irqchip index is not validated for PowerPC.
Add validation and reject out-of-range irqchip indexes to avoid indexing
past the routing table's chip array.
Fixes: de9ba2f36368 ("KVM: PPC: Support irq routing and irqfd for in-kernel MPIC")
Reported-by: Sashiko <sashiko-bot@kernel.org>
Closes: https://lore.kernel.org/kvm/20260525051714.485D51F000E9@smtp.kernel.org/
Reviewed-by: Harsh Prateek Bora <harshpb@linux.ibm.com>
Signed-off-by: Yanfei Xu <yanfei.xu@bytedance.com>
---
arch/powerpc/kvm/mpic.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/arch/powerpc/kvm/mpic.c b/arch/powerpc/kvm/mpic.c
index 3070f36d9fb8..fb5f9e65e02e 100644
--- a/arch/powerpc/kvm/mpic.c
+++ b/arch/powerpc/kvm/mpic.c
@@ -1833,7 +1833,8 @@ int kvm_set_routing_entry(struct kvm *kvm,
e->set = mpic_set_irq;
e->irqchip.irqchip = ue->u.irqchip.irqchip;
e->irqchip.pin = ue->u.irqchip.pin;
- if (e->irqchip.pin >= KVM_IRQCHIP_NUM_PINS)
+ if (e->irqchip.pin >= KVM_IRQCHIP_NUM_PINS ||
+ e->irqchip.irqchip >= KVM_NR_IRQCHIPS)
goto out;
break;
case KVM_IRQ_ROUTING_MSI:
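Review bot: the rejected case leaves through `goto out`, and the value returned at `out` is not visible in this hunk; please confirm it is still `-EINVAL` at this point, in line with the explicit `return -EINVAL` in the LoongArch patch. Note also that `e->set = mpic_set_irq` and both `irqchip` fields are written before the check, so validating `ue->u.irqchip.irqchip` and `ue->u.irqchip.pin` first would avoid leaving a partly initialised entry on the error path.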
--
2.20.1
* Re: [v2 0/2] KVM: Validate irqchip index in routing entries
From: Greg KH @ 2026-05-31 14:15 UTC
To: Yanfei Xu
Cc: harshpb, zhaotianrui, maobibo, chenhuacai, maddy, npiggin,
sashiko-reviews, seanjc, pbonzini, kvm, stable, loongarch,
linuxppc-dev, caixiangfeng, fangying.tommy, isyanfei.xu
On Sun, May 31, 2026 at 09:53:24PM +0800, Yanfei Xu wrote:
> Validate irqchip indexes for LoongArch and PowerPC irq routing entries
> to reject out-of-range values before indexing the irqchip array.
>
> v1->v2:
> - Split the patch into two by architecture (Sean)
> - Pick up Reviewed-by
>
> Yanfei Xu (2):
> KVM: LoongArch: Validate irqchip index in irqfd routing
> KVM: PPC: Validate irqchip index in MPIC routing
>
> arch/loongarch/kvm/irqfd.c | 3 ++-
> arch/powerpc/kvm/mpic.c | 3 ++-
> 2 files changed, 4 insertions(+), 2 deletions(-)
>
> --
> 2.20.1
>
<formletter>
This is not the correct way to submit patches for inclusion in the
stable kernel tree. Please read:
https://www.kernel.org/doc/html/latest/process/stable-kernel-rules.html
for how to do this properly.
</formletter>
* Re: [v2 0/2] KVM: Validate irqchip index in routing entries
From: Yanfei Xu @ 2026-05-31 14:36 UTC
To: Greg KH, Yanfei Xu
Cc: harshpb, zhaotianrui, maobibo, chenhuacai, maddy, npiggin,
sashiko-reviews, seanjc, pbonzini, kvm, stable, loongarch,
linuxppc-dev, caixiangfeng, fangying.tommy
On 2026/5/31 22:15, Greg KH wrote:
>> --
>> 2.20.1
>>
> <formletter>
>
> This is not the correct way to submit patches for inclusion in the
> stable kernel tree. Please read:
> https://www.kernel.org/doc/html/latest/process/stable-kernel-rules.html
> for how to do this properly.
>
> </formletter>
Thanks for pointing out the correct process. I saw
that PPC maintainer added "Cc: stable@vger.kernel.org"
on v1, so I mistakenly thought v2 should cc...
Thanks,
Yanfei
* Re: [v2 0/2] KVM: Validate irqchip index in routing entries
From: Greg KH @ 2026-05-31 15:25 UTC
To: Yanfei Xu
Cc: Yanfei Xu, harshpb, zhaotianrui, maobibo, chenhuacai, maddy,
npiggin, sashiko-reviews, seanjc, pbonzini, kvm, stable,
loongarch, linuxppc-dev, caixiangfeng, fangying.tommy
On Sun, May 31, 2026 at 10:36:27PM +0800, Yanfei Xu wrote:
>
> On 2026/5/31 22:15, Greg KH wrote:
> > > --
> > > 2.20.1
> > >
> > <formletter>
> >
> > This is not the correct way to submit patches for inclusion in the
> > stable kernel tree. Please read:
> > https://www.kernel.org/doc/html/latest/process/stable-kernel-rules.html
> > for how to do this properly.
> >
> > </formletter>
>
> Thanks for pointing out the correct process. I saw
> that PPC maintainer added "Cc: stable@vger.kernel.org"
> on v1, so I mistakenly thought v2 should cc...
That's great, then take a look at the file above to show you how to do
that :)