Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit f8c1b85b authored by Paolo Bonzini's avatar Paolo Bonzini Committed by Radim Krčmář
Browse files

KVM: x86: avoid vmalloc(0) in the KVM_SET_CPUID 



This causes an ugly dmesg splat.  Beautified syzkaller testcase:

    #include <unistd.h>
    #include <sys/syscall.h>
    #include <sys/ioctl.h>
    #include <fcntl.h>
    #include <linux/kvm.h>

    long r[8];

    int main()
    {
        struct kvm_irq_routing ir = { 0 };
        r[2] = open("/dev/kvm", O_RDWR);
        r[3] = ioctl(r[2], KVM_CREATE_VM, 0);
        r[4] = ioctl(r[3], KVM_SET_GSI_ROUTING, &ir);
        return 0;
    }

Reported-by: default avatarDmitry Vyukov <dvyukov@google.com>
Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
Signed-off-by: default avatarRadim Krčmář <rkrcmar@redhat.com>
parent c622a3c2

virt/kvm/kvm_main.c

+12 −10
Original line number Diff line number Diff line
@@ -2935,7 +2935,7 @@ static long kvm_vm_ioctl(struct file *filp, 
	case KVM_SET_GSI_ROUTING: {

		struct kvm_irq_routing routing;

		struct kvm_irq_routing __user *urouting;

		struct kvm_irq_routing_entry *entries;

		struct kvm_irq_routing_entry *entries = NULL;



		r = -EFAULT;

		if (copy_from_user(&routing, argp, sizeof(routing)))
@@ -2945,6 +2945,7 @@ static long kvm_vm_ioctl(struct file *filp, 
			goto out;

		if (routing.flags)

			goto out;

		if (routing.nr) {

			r = -ENOMEM;

			entries = vmalloc(routing.nr * sizeof(*entries));

			if (!entries)
@@ -2954,6 +2955,7 @@ static long kvm_vm_ioctl(struct file *filp, 
			if (copy_from_user(entries, urouting->entries,

					   routing.nr * sizeof(*entries)))

				goto out_free_irq_routing;

		}

		r = kvm_set_irq_routing(kvm, entries, routing.nr,

					routing.flags);

out_free_irq_routing: