From: Wanpeng Li
X-Google-Original-From: Wanpeng Li
To: linux-kernel@vger.kernel.org, kvm@vger.kernel.org
Cc: Paolo Bonzini, Radim Krčmář, Wei Wu
Subject: [PATCH] KVM: LAPIC: Fix pv ipis use-before-initialization
Date: Tue, 20 Nov 2018 09:39:30 +0800
Message-Id: <1542677970-5627-1-git-send-email-wanpengli@tencent.com>
X-Mailer: git-send-email 2.7.4
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

Reported by syzkaller:

BUG: unable to handle kernel NULL pointer dereference at 0000000000000014
PGD 800000040410c067 P4D 800000040410c067 PUD 40410d067 PMD 0
Oops: 0000 [#1] PREEMPT SMP PTI
CPU: 3 PID: 2567 Comm: poc Tainted: G OE 4.19.0-rc5 #16
RIP: 0010:kvm_pv_send_ipi+0x94/0x350 [kvm]
Call Trace:
 kvm_emulate_hypercall+0x3cc/0x700 [kvm]
 handle_vmcall+0xe/0x10 [kvm_intel]
 vmx_handle_exit+0xc1/0x11b0 [kvm_intel]
 vcpu_enter_guest+0x9fb/0x1910 [kvm]
 kvm_arch_vcpu_ioctl_run+0x35c/0x610 [kvm]
 kvm_vcpu_ioctl+0x3e9/0x6d0 [kvm]
 do_vfs_ioctl+0xa5/0x690
 ksys_ioctl+0x6d/0x80
 __x64_sys_ioctl+0x1a/0x20
 do_syscall_64+0x83/0x6e0
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

The reason is that the apic map has not yet been initialized; the testcase
triggers the pv_send_ipi interface by vmcall, which results in
kvm->arch.apic_map being dereferenced. This patch fixes it by checking
whether or not the apic map is NULL and bailing out immediately if that is
the case.

Fixes: 4180bf1b65 (KVM: X86: Implement "send IPI" hypercall)
Reported-by: Wei Wu
Cc: Paolo Bonzini
Cc: Radim Krčmář
Cc: Wei Wu
Signed-off-by: Wanpeng Li
---
 arch/x86/kvm/lapic.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/arch/x86/kvm/lapic.c b/arch/x86/kvm/lapic.c
index 3cd227f..09e3a12 100644
--- a/arch/x86/kvm/lapic.c
+++ b/arch/x86/kvm/lapic.c
@@ -576,6 +576,11 @@ int kvm_pv_send_ipi(struct kvm *kvm, unsigned long ipi_bitmap_low, rcu_read_lock(); map = rcu_dereference(kvm->arch.apic_map); + if (unlikely(!map)) { + count = -EOPNOTSUPP; + goto out; + } + if (min > map->max_apic_id) goto out; /* Bits above cluster_size are masked in the caller. */ -- 2.7.4
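Review bot: the NULL check is placed correctly, directly after `map = rcu_dereference(kvm->arch.apic_map);` and before the first use `if (min > map->max_apic_id)`, but the hunk does not show the `out:` label or the declaration of `count`, so the bail-out is only correct if `out:` still does the rcu_read_unlock() that pairs with the `rcu_read_lock()` in the context lines and then returns `count`; please confirm both, since an early `goto out` that skipped the unlock would leave the RCU read section open. The `-EOPNOTSUPP` stored in `count` is what the function returns, and therefore what kvm_emulate_hypercall (the caller in the trace) presumably hands back to the guest; the commit message only says the function "bails out", so it should state that a guest issuing the hypercall before the APIC map exists now gets -EOPNOTSUPP rather than crashing the host. A one-line comment above `if (unlikely(!map))` naming the case the commit message describes (the apic map not yet initialized) would also help, given that the surrounding code already documents its assumptions with comments such as `/* Bits above cluster_size are masked in the caller. */`.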