On 04/03/20 09:26, Greg Kroah-Hartman wrote:
> On Wed, Mar 04, 2020 at 09:19:09AM +0100, Paolo Bonzini wrote:
>> On 04/03/20 09:10, Greg Kroah-Hartman wrote:
>>> I'll be glad to just put KVM into the "never apply any patches to
>>> stable unless you explicitly mark it as such", but the sad fact is that
>>> many recent KVM fixes for reported CVEs never had any "Cc: stable@vger"
>>> markings.
>>
>> Hmm, I did miss it in 433f4ba1904100da65a311033f17a9bf586b287e and
>> acff78477b9b4f26ecdf65733a4ed77fe837e9dc, but that's going back to
>> August 2018, so I can do better but it's not too shabby a record. :)
>
> 35a571346a94 ("KVM: nVMX: Check IO instruction VM-exit conditions")
> e71237d3ff1a ("KVM: nVMX: Refactor IO bitmap checks into helper function")
>
> Were both from a few weeks ago and needed to resolve CVE-2020-2732 :(
No, they weren't, only the patch that was CCed stable was needed to
resolve the CVE.
Remember that at this point a lot of bugfixes or vulnerabilities in KVM
exploit corner cases of the architecture and don't show up with the
usual guests (Linux, Windows, BSDs). Since we didn't have full
information on the impact on guests that people do run, we started with
the bare minimum (the two patches above) but only for 5.6. The idea was
to collect follow-up patches for 2-4 weeks, decide which subset was
stable-worthy, and only then post them as stable backport subsets.
Paolo
