From 6adde40b1c08a66fca3c5054edce1c230e4c1e45 Mon Sep 17 00:00:00 2001
From: Josh Boyer <jwboyer@fedoraproject.org>
Date: Fri, 12 Jun 2015 10:15:55 -0400
Subject: [PATCH] CVE-2015-XXXX kvm: NULL ptr deref in kvm_apic_has_events
 (rhbz 1230770 1230774)

---
 kernel.spec                                   |  9 +++++++
 ...apic_has_events-to-check-for-NULL-po.patch | 25 +++++++++++++++++++
 2 files changed, 34 insertions(+)
 create mode 100644 kvm-x86-fix-kvm_apic_has_events-to-check-for-NULL-po.patch

diff --git a/kernel.spec b/kernel.spec
index cc4838287..cca7ae939 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -618,6 +618,9 @@ Patch26221: drm-i915-turn-off-wc-mmaps.patch
 #rhbz 1223051
 Patch26230: Input-synaptics-add-min-max-quirk-for-Lenovo-S540.patch
 
+# CVE-2015-XXXX rhbz 1230770 1230774
+Patch26231: kvm-x86-fix-kvm_apic_has_events-to-check-for-NULL-po.patch
+
 # END OF PATCH DEFINITIONS
 
 %endif
@@ -1354,6 +1357,9 @@ ApplyPatch drm-i915-turn-off-wc-mmaps.patch
 #rhbz 1223051
 ApplyPatch Input-synaptics-add-min-max-quirk-for-Lenovo-S540.patch
 
+# CVE-2015-XXXX rhbz 1230770 1230774
+ApplyPatch kvm-x86-fix-kvm_apic_has_events-to-check-for-NULL-po.patch
+
 # END OF PATCH APPLICATIONS
 
 %endif
@@ -2218,6 +2224,9 @@ fi
 #
 # 
 %changelog
+* Fri Jun 12 2015 Josh Boyer <jwboyer@fedoraproject.org>
+- CVE-2015-XXXX kvm: NULL ptr deref in kvm_apic_has_events (rhbz 1230770 1230774)
+
 * Tue Jun 09 2015 Josh Boyer <jwboyer@fedoraproject.org>
 - Fix touchpad for Thinkpad S540 (rhbz 1223051)
 
diff --git a/kvm-x86-fix-kvm_apic_has_events-to-check-for-NULL-po.patch b/kvm-x86-fix-kvm_apic_has_events-to-check-for-NULL-po.patch
new file mode 100644
index 000000000..d060b5f24
--- /dev/null
+++ b/kvm-x86-fix-kvm_apic_has_events-to-check-for-NULL-po.patch
@@ -0,0 +1,25 @@
+From: Paolo Bonzini <pbonzini@redhat.com>
+Date: Thu, 4 Jun 2015 10:18:22 +0200
+Subject: [PATCH] kvm: x86: fix kvm_apic_has_events to check for NULL pointer
+
+Malicious (or egregiously buggy) userspace can trigger it, but it
+should never happen in normal operation.
+
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+---
+ arch/x86/kvm/lapic.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/x86/kvm/lapic.h b/arch/x86/kvm/lapic.h
+index 9d28383fc1e7..c4ea87eedf8a 100644
+--- a/arch/x86/kvm/lapic.h
++++ b/arch/x86/kvm/lapic.h
+@@ -150,7 +150,7 @@ static inline bool kvm_apic_vid_enabled(struct kvm *kvm)
+ 
+ static inline bool kvm_apic_has_events(struct kvm_vcpu *vcpu)
+ {
+-	return vcpu->arch.apic->pending_events;
++	return kvm_vcpu_has_lapic(vcpu) && vcpu->arch.apic->pending_events;
+ }
+ 
+ bool kvm_apic_pending_eoi(struct kvm_vcpu *vcpu, int vector);