This is a note to let you know that I've just added the patch titled

    KVM: x86/xen: Fix eventfd error handling in kvm_xen_eventfd_assign()

to the 6.0-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     kvm-x86-xen-fix-eventfd-error-handling-in-kvm_xen_eventfd_assign.patch
and it can be found in the queue-6.0 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.


From 7353633814f6e5b4899fb9ee1483709d6bb0e1cd Mon Sep 17 00:00:00 2001
From: Eiichi Tsukata <eiichi.tsukata@xxxxxxxxxxx>
Date: Fri, 28 Oct 2022 09:26:31 +0000
Subject: KVM: x86/xen: Fix eventfd error handling in kvm_xen_eventfd_assign()

From: Eiichi Tsukata <eiichi.tsukata@xxxxxxxxxxx>

commit 7353633814f6e5b4899fb9ee1483709d6bb0e1cd upstream.

Should not call eventfd_ctx_put() in case of error.

Fixes: 2fd6df2f2b47 ("KVM: x86/xen: intercept EVTCHNOP_send from guests")
Reported-by: syzbot+6f0c896c5a9449a10ded@xxxxxxxxxxxxxxxxxxxxxxxxx
Signed-off-by: Eiichi Tsukata <eiichi.tsukata@xxxxxxxxxxx>
Message-Id: <20221028092631.117438-1-eiichi.tsukata@xxxxxxxxxxx>
[Introduce new goto target instead. - Paolo]
Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
 arch/x86/kvm/xen.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

--- a/arch/x86/kvm/xen.c +++ b/arch/x86/kvm/xen.c 
@@ -1667,18 +1667,18 @@ static int kvm_xen_eventfd_assign(struct case EVTCHNSTAT_ipi: /* IPI must map back to the same port# */ if (data->u.evtchn.deliver.port.port != data->u.evtchn.send_port) - goto out; /* -EINVAL */ + goto out_noeventfd; /* -EINVAL */ break; case EVTCHNSTAT_interdomain: if (data->u.evtchn.deliver.port.port) { if (data->u.evtchn.deliver.port.port >= max_evtchn_port(kvm)) - goto out; /* -EINVAL */ + goto out_noeventfd; /* -EINVAL */ } else { eventfd = eventfd_ctx_fdget(data->u.evtchn.deliver.eventfd.fd); if (IS_ERR(eventfd)) { ret = PTR_ERR(eventfd); - goto out; + goto out_noeventfd; } } break; @@ -1718,6 +1718,7 @@ static int kvm_xen_eventfd_assign(struct out: if (eventfd) eventfd_ctx_put(eventfd); +out_noeventfd: kfree(evtchnfd); return ret; } Patches currently in stable-queue which might be from eiichi.tsukata@xxxxxxxxxxx are queue-6.0/kvm-x86-xen-fix-eventfd-error-handling-in-kvm_xen_eventfd_assign.patch
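Review bot: In the first hunk, at the IS_ERR(eventfd) branch under EVTCHNSTAT_interdomain, the reason for bypassing the "out:" label is not documented anywhere, and the commit message says only "Should not call eventfd_ctx_put() in case of error". After a failed eventfd_ctx_fdget() the variable holds an error pointer, which is non-NULL, so it passes the "if (eventfd)" test at "out:" and would be handed to eventfd_ctx_put(); a sentence saying so in the commit message or beside the goto would make the fix self-explanatory. The two "/* -EINVAL */" gotos in the same hunk are switched as well, on paths where the visible lines fetch no eventfd, so it is worth stating whether those are part of the fix or changed only for consistency.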
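Review bot: In the second hunk, the new out_noeventfd label is placed directly below the eventfd_ctx_put() call with no comment, and "out:" now falls through into it. A one-line comment saying that out_noeventfd is only for exits taken before a valid eventfd reference is held would help: an error path added later, after a successful eventfd_ctx_fdget(), that jumps to out_noeventfd instead of out would skip the put and leak the reference, and nothing in the label name or the surrounding lines warns against that.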