[PATCH v2] KVM: arm64: vgic-its: reject restored DTE with out-of-range num_eventid_bits

Michael Bommarito posted 1 patch 5 days, 11 hours ago
Posted by Michael Bommarito 5 days, 11 hours ago
Userspace can restore an ITS Device Table Entry whose Size field encodes
more EventID bits than the virtual ITS supports.  The live MAPD path
rejects that state, but vgic_its_restore_dte() accepts it and stores the
out-of-range value in dev->num_eventid_bits.

Reject restored DTEs with num_eventid_bits > VITS_TYPER_IDBITS before
allocating the device.  This mirrors the MAPD check and prevents the
restored state from reaching vgic_its_restore_itt(), where the unchecked
value can be converted into an oversized scan_its_table() range.

Fixes: 57a9a117154c ("KVM: arm64: vgic-its: Device table save/restore")
Assisted-by: Claude:claude-opus-4-7
Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
---
Changes in v2:
- Trim the commit message to the root cause and fix.
- Shorten the in-code comment as suggested by Marc.
- Keep the validation logic unchanged.

 arch/arm64/kvm/vgic/vgic-its.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/arch/arm64/kvm/vgic/vgic-its.c b/arch/arm64/kvm/vgic/vgic-its.c
index 2ea9f1c7ebcd0..1d7e5d560af4c 100644
--- a/arch/arm64/kvm/vgic/vgic-its.c
+++ b/arch/arm64/kvm/vgic/vgic-its.c
@@ -2307,6 +2307,10 @@ static int vgic_its_restore_dte(struct vgic_its *its, u32 id,
 	/* dte entry is valid */
 	offset = (entry & KVM_ITS_DTE_NEXT_MASK) >> KVM_ITS_DTE_NEXT_SHIFT;
 
+	/* Mimic the MAPD behaviour and reject invalid EID bits. */
+	if (num_eventid_bits > VITS_TYPER_IDBITS)
+		return -EINVAL;
+
 	if (!vgic_its_check_id(its, baser, id, NULL))
 		return -EINVAL;
 
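Review bot: the new rejection and the existing vgic_its_check_id() failure directly below both return -EINVAL, so userspace cannot tell an out-of-range Size field from a bad device ID, and a single such DTE aborts the whole device-table restore rather than skipping the entry; it would help to state that behaviour explicitly in the commit message, since the description only says the entry is "rejected". The bound itself looks right: `if (num_eventid_bits > VITS_TYPER_IDBITS)` allows exactly VITS_TYPER_IDBITS bits and rejects only more, matching the "more EventID bits than the virtual ITS supports" wording, and placing it before vgic_its_check_id() keeps it ahead of the device allocation the description mentions, so nothing is leaked on the error path.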
-- 
2.53.0
Re: [PATCH v2] KVM: arm64: vgic-its: reject restored DTE with out-of-range num_eventid_bits
Posted by Marc Zyngier 4 days, 17 hours ago
On Tue, 19 May 2026 09:25:19 -0400, Michael Bommarito wrote:
> Userspace can restore an ITS Device Table Entry whose Size field encodes
> more EventID bits than the virtual ITS supports.  The live MAPD path
> rejects that state, but vgic_its_restore_dte() accepts it and stores the
> out-of-range value in dev->num_eventid_bits.
> 
> Reject restored DTEs with num_eventid_bits > VITS_TYPER_IDBITS before
> allocating the device.  This mirrors the MAPD check and prevents the
> restored state from reaching vgic_its_restore_itt(), where the unchecked
> value can be converted into an oversized scan_its_table() range.
> 
> [...]

Applied to fixes, thanks!

[1/1] KVM: arm64: vgic-its: reject restored DTE with out-of-range num_eventid_bits
      commit: 9ce754ed8e7ab4e3999767ce1505f85c449ccb07

Cheers,

	M.
-- 
Jazz isn't dead. It just smells funny.