On 04/03/20 09:26, Greg Kroah-Hartman wrote:
On Wed, Mar 04, 2020 at 09:19:09AM +0100, Paolo Bonzini wrote:
On 04/03/20 09:10, Greg Kroah-Hartman wrote:
I'll be glad to just put KVM into the "never apply any patches to stable unless you explicitly mark it as such", but the sad fact is that many recent KVM fixes for reported CVEs never had any "Cc: stable@vger" markings.
Hmm, I did miss it in 433f4ba1904100da65a311033f17a9bf586b287e and acff78477b9b4f26ecdf65733a4ed77fe837e9dc, but that's going back to August 2018, so I can do better but it's not too shabby a record. :)
35a571346a94 ("KVM: nVMX: Check IO instruction VM-exit conditions") e71237d3ff1a ("KVM: nVMX: Refactor IO bitmap checks into helper function")
Were both from a few weeks ago and needed to resolve CVE-2020-2732 :(
No, they weren't, only the patch that was CCed stable was needed to resolve the CVE.
Remember that at this point a lot of bugfixes or vulnerabilities in KVM exploit corner cases of the architecture and don't show up with the usual guests (Linux, Windows, BSDs). Since we didn't have full information on the impact on guests that people do run, we started with the bare minimum (the two patches above) but only for 5.6. The idea was to collect follow-up patches for 2-4 weeks, decide which subset was stable-worthy, and only then post them as stable backport subsets.
Paolo