Re: [PATCH v3 2/3] LoongArch: KVM: Replace kvm_err() with WARN_ONCE()

[sashiko-bot@kernel.org]

Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
- [Critical] Replacing `kvm_err()` with `WARN_ONCE()` on user- and guest-controllable error paths introduces a host Denial of Service (DoS) vulnerability.
--

commit 2fb4171bf923d0f32f53ed0ef52aee506acd81c3
Author: Bibo Mao <maobibo@loongson.cn>

LoongArch: KVM: Replace kvm_err() with WARN_ONCE()

Since guest kernel and ioctl parameter from user mode is untrusted,
there may be noise kernel log output in host hypervisor with abnormal
state. Here replace kvm_err() with WARN_ONCE() to reduce this kind
of noise kernel log, and there is no function change.

> diff --git a/arch/loongarch/kvm/exit.c b/arch/loongarch/kvm/exit.c
> --- a/arch/loongarch/kvm/exit.c
> +++ b/arch/loongarch/kvm/exit.c
> @@ -252,7 +252,7 @@ int kvm_complete_iocsr_read(struct kvm_vcpu *vcpu, struct kvm_run *run)
>  		*gpr = *(s64 *)run->iocsr_io.data;
>  		break;
>  	default:
> -		kvm_err("Bad IOCSR length: %d, addr is 0x%lx\n",
> +		WARN_ONCE(1, "Bad IOCSR length: %d, addr is 0x%lx\n",
>  				run->iocsr_io.len, vcpu->arch.badv);

[Severity: Critical]
Does changing this to a WARN_ONCE() introduce a host denial of service
vector? A malicious guest executing an operation with a bad IOCSR length
can trigger this path in kvm_complete_iocsr_read().

If the host system is configured with panic_on_warn=1, this allows an
untrusted guest to crash the host. Could this be changed to pr_warn_once()
or pr_err_ratelimited() instead to reduce the log spam without the risk
of a kernel panic?

[ ... ]

> diff --git a/arch/loongarch/kvm/intc/dmsintc.c b/arch/loongarch/kvm/intc/dmsintc.c
> --- a/arch/loongarch/kvm/intc/dmsintc.c
> +++ b/arch/loongarch/kvm/intc/dmsintc.c
> @@ -114,7 +114,7 @@ static int kvm_dmsintc_ctrl_access(struct kvm_device *dev,
>  		}
>  		break;
>  	default:
> -		kvm_err("%s: unknown dmsintc register, addr = %d\n", __func__, addr);
> +		WARN_ONCE(1, "%s: unknown dmsintc register, addr = %d\n", __func__, addr);

[Severity: Critical]
Similarly here, can a host userspace process trigger this WARN_ONCE by
passing an invalid address to KVM_SET_DEVICE_ATTR for the dmsintc device?

This would allow an unprivileged host userspace process to crash the host
if panic_on_warn=1 is set.

[ ... ]

> diff --git a/arch/loongarch/kvm/vcpu.c b/arch/loongarch/kvm/vcpu.c
> --- a/arch/loongarch/kvm/vcpu.c
> +++ b/arch/loongarch/kvm/vcpu.c
> @@ -1473,7 +1473,7 @@ int kvm_vcpu_ioctl_interrupt(struct kvm_vcpu *vcpu, struct kvm_interrupt *irq)
>  	else if (intr < 0)
>  		kvm_dequeue_irq(vcpu, -intr);
>  	else {
> -		kvm_err("%s: invalid interrupt ioctl %d\n", __func__, irq->irq);
> +		WARN_ONCE(1, "%s: invalid interrupt ioctl %d\n", __func__, irq->irq);

[Severity: Critical]
Does this also allow unprivileged userspace to trigger a warning via a
bad interrupt ioctl parameter?

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260629023213.597030-1-maobibo@loongson.cn?part=2