From: Haimin Zhang <[email protected]>
[ Upstream commit eb7511bf9182292ef1df1082d23039e856d1ddfb ]
Check the return of init_srcu_struct(), which can fail due to OOM, when
initializing the page track mechanism. Lack of checking leads to a NULL
pointer deref found by a modified syzkaller.
Reported-by: TCS Robot <[email protected]>
Signed-off-by: Haimin Zhang <[email protected]>
Message-Id: <[email protected]>
[Move the call towards the beginning of kvm_arch_init_vm. - Paolo]
Signed-off-by: Paolo Bonzini <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
---
arch/x86/include/asm/kvm_page_track.h | 2 +-
arch/x86/kvm/page_track.c | 4 ++--
arch/x86/kvm/x86.c | 7 ++++++-
3 files changed, 9 insertions(+), 4 deletions(-)
diff --git a/arch/x86/include/asm/kvm_page_track.h b/arch/x86/include/asm/kvm_page_track.h
index 172f9749dbb2..5986bd4aacd6 100644
--- a/arch/x86/include/asm/kvm_page_track.h
+++ b/arch/x86/include/asm/kvm_page_track.h
@@ -46,7 +46,7 @@ struct kvm_page_track_notifier_node {
struct kvm_page_track_notifier_node *node);
};
-void kvm_page_track_init(struct kvm *kvm);
+int kvm_page_track_init(struct kvm *kvm);
void kvm_page_track_cleanup(struct kvm *kvm);
void kvm_page_track_free_memslot(struct kvm_memory_slot *free,
diff --git a/arch/x86/kvm/page_track.c b/arch/x86/kvm/page_track.c
index 3052a59a3065..1f6b0d9b0c85 100644
--- a/arch/x86/kvm/page_track.c
+++ b/arch/x86/kvm/page_track.c
@@ -169,13 +169,13 @@ void kvm_page_track_cleanup(struct kvm *kvm)
cleanup_srcu_struct(&head->track_srcu);
}
-void kvm_page_track_init(struct kvm *kvm)
+int kvm_page_track_init(struct kvm *kvm)
{
struct kvm_page_track_notifier_head *head;
head = &kvm->arch.track_notifier_head;
- init_srcu_struct(&head->track_srcu);
INIT_HLIST_HEAD(&head->track_notifier_list);
+ return init_srcu_struct(&head->track_srcu);
}
/*
diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
index 417abc9ba1ad..70cb18f89029 100644
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -9039,9 +9039,15 @@ void kvm_arch_sched_in(struct kvm_vcpu *vcpu, int cpu)
int kvm_arch_init_vm(struct kvm *kvm, unsigned long type)
{
+ int ret;
+
if (type)
return -EINVAL;
+ ret = kvm_page_track_init(kvm);
+ if (ret)
+ return ret;
+
INIT_HLIST_HEAD(&kvm->arch.mask_notifier_list);
INIT_LIST_HEAD(&kvm->arch.active_mmu_pages);
INIT_LIST_HEAD(&kvm->arch.zapped_obsolete_pages);
@@ -9068,7 +9074,6 @@ int kvm_arch_init_vm(struct kvm *kvm, unsigned long type)
INIT_DELAYED_WORK(&kvm->arch.kvmclock_sync_work, kvmclock_sync_fn);
kvm_hv_init_vm(kvm);
- kvm_page_track_init(kvm);
kvm_mmu_init_vm(kvm);
if (kvm_x86_ops->vm_init)
--
2.33.0
On 06/10/21 13:12, Sasha Levin wrote:
> From: Haimin Zhang <[email protected]>
>
> [ Upstream commit eb7511bf9182292ef1df1082d23039e856d1ddfb ]
>
> Check the return of init_srcu_struct(), which can fail due to OOM, when
> initializing the page track mechanism. Lack of checking leads to a NULL
> pointer deref found by a modified syzkaller.
>
> Reported-by: TCS Robot <[email protected]>
> Signed-off-by: Haimin Zhang <[email protected]>
> Message-Id: <[email protected]>
> [Move the call towards the beginning of kvm_arch_init_vm. - Paolo]
> Signed-off-by: Paolo Bonzini <[email protected]>
> Signed-off-by: Sasha Levin <[email protected]>
> ---
> arch/x86/include/asm/kvm_page_track.h | 2 +-
> arch/x86/kvm/page_track.c | 4 ++--
> arch/x86/kvm/x86.c | 7 ++++++-
> 3 files changed, 9 insertions(+), 4 deletions(-)
>
> diff --git a/arch/x86/include/asm/kvm_page_track.h b/arch/x86/include/asm/kvm_page_track.h
> index 172f9749dbb2..5986bd4aacd6 100644
> --- a/arch/x86/include/asm/kvm_page_track.h
> +++ b/arch/x86/include/asm/kvm_page_track.h
> @@ -46,7 +46,7 @@ struct kvm_page_track_notifier_node {
> struct kvm_page_track_notifier_node *node);
> };
>
> -void kvm_page_track_init(struct kvm *kvm);
> +int kvm_page_track_init(struct kvm *kvm);
> void kvm_page_track_cleanup(struct kvm *kvm);
>
> void kvm_page_track_free_memslot(struct kvm_memory_slot *free,
> diff --git a/arch/x86/kvm/page_track.c b/arch/x86/kvm/page_track.c
> index 3052a59a3065..1f6b0d9b0c85 100644
> --- a/arch/x86/kvm/page_track.c
> +++ b/arch/x86/kvm/page_track.c
> @@ -169,13 +169,13 @@ void kvm_page_track_cleanup(struct kvm *kvm)
> cleanup_srcu_struct(&head->track_srcu);
> }
>
> -void kvm_page_track_init(struct kvm *kvm)
> +int kvm_page_track_init(struct kvm *kvm)
> {
> struct kvm_page_track_notifier_head *head;
>
> head = &kvm->arch.track_notifier_head;
> - init_srcu_struct(&head->track_srcu);
> INIT_HLIST_HEAD(&head->track_notifier_list);
> + return init_srcu_struct(&head->track_srcu);
> }
>
> /*
> diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
> index 417abc9ba1ad..70cb18f89029 100644
> --- a/arch/x86/kvm/x86.c
> +++ b/arch/x86/kvm/x86.c
> @@ -9039,9 +9039,15 @@ void kvm_arch_sched_in(struct kvm_vcpu *vcpu, int cpu)
>
> int kvm_arch_init_vm(struct kvm *kvm, unsigned long type)
> {
> + int ret;
> +
> if (type)
> return -EINVAL;
>
> + ret = kvm_page_track_init(kvm);
> + if (ret)
> + return ret;
> +
> INIT_HLIST_HEAD(&kvm->arch.mask_notifier_list);
> INIT_LIST_HEAD(&kvm->arch.active_mmu_pages);
> INIT_LIST_HEAD(&kvm->arch.zapped_obsolete_pages);
> @@ -9068,7 +9074,6 @@ int kvm_arch_init_vm(struct kvm *kvm, unsigned long type)
> INIT_DELAYED_WORK(&kvm->arch.kvmclock_sync_work, kvmclock_sync_fn);
>
> kvm_hv_init_vm(kvm);
> - kvm_page_track_init(kvm);
> kvm_mmu_init_vm(kvm);
>
> if (kvm_x86_ops->vm_init)
>
Acked-by: Paolo Bonzini <[email protected]>
On 2021/10/6 19:23, Paolo Bonzini wrote:
> On 06/10/21 13:12, Sasha Levin wrote:
> > From: Haimin Zhang <[email protected]>
> >
> > [ Upstream commit eb7511bf9182292ef1df1082d23039e856d1ddfb ]
> >
> > Check the return of init_srcu_struct(), which can fail due to OOM, when
> > initializing the page track mechanism. Lack of checking leads to a NULL
> > pointer deref found by a modified syzkaller.
> >
> > Reported-by: TCS Robot <[email protected]>
> > Signed-off-by: Haimin Zhang <[email protected]>
> > Message-Id: <[email protected]>
> > [Move the call towards the beginning of kvm_arch_init_vm. - Paolo]
> > Signed-off-by: Paolo Bonzini <[email protected]>
> > Signed-off-by: Sasha Levin <[email protected]>
>
> Acked-by: Paolo Bonzini <[email protected]>
Sasha, will this patch be applied for 4.19?
The same question for the 5.4 backport [*]. It looks like both of them
are missed for unknown reasons.
[*] https://lore.kernel.org/stable/[email protected]
On Wed, May 29, 2024 at 04:29:32PM +0800, Zenghui Yu wrote:
> On 2021/10/6 19:23, Paolo Bonzini wrote:
> > On 06/10/21 13:12, Sasha Levin wrote:
> > > From: Haimin Zhang <[email protected]>
> > >
> > > [ Upstream commit eb7511bf9182292ef1df1082d23039e856d1ddfb ]
> > >
> > > Check the return of init_srcu_struct(), which can fail due to OOM, when
> > > initializing the page track mechanism.? Lack of checking leads to a NULL
> > > pointer deref found by a modified syzkaller.
> > >
> > > Reported-by: TCS Robot <[email protected]>
> > > Signed-off-by: Haimin Zhang <[email protected]>
> > > Message-Id: <[email protected]>
> > > [Move the call towards the beginning of kvm_arch_init_vm. - Paolo]
> > > Signed-off-by: Paolo Bonzini <[email protected]>
> > > Signed-off-by: Sasha Levin <[email protected]>
> >
> > Acked-by: Paolo Bonzini <[email protected]>
>
> Sasha, will this patch be applied for 4.19?
>
> The same question for the 5.4 backport [*]. It looks like both of them
> are missed for unknown reasons.
>
> [*] https://lore.kernel.org/stable/[email protected]
This was from 2021, quite a while ago.
Can you please send them in backported form if you feel they should be
applied?
thanks,
greg k-h