Received: by 2002:ad5:474a:0:0:0:0:0 with SMTP id i10csp8108076imu; Tue, 4 Dec 2018 03:08:19 -0800 (PST) X-Google-Smtp-Source: AFSGD/WVHcFioFZ8f/qEaUcfuQV0IrCKjVWZGIiXM6hZSq++jGDgLDP4/+uf03/3darTmIY6TkUx X-Received: by 2002:a62:a99:: with SMTP id 25mr19324110pfk.121.1543921699780; Tue, 04 Dec 2018 03:08:19 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1543921699; cv=none; d=google.com; s=arc-20160816; b=FfiAIInc8F5SakT/Hdzl0jlRCyYBKtjsXkq7ZCZmvJlBmROyMn/h3r7Eqv9mZ2J/ii G4ws4agVPYOZOwSf/m4oB9EmhBneuWo8UBvSIp9QI5IXwDFaQl6Xqt8apDwE+1ktMeVu Dovk/mMoGwi3ZvyRxL7Ql4vqXgMOoTvGaEj91roX/1vcopyzLmwjcCboTMPVSHSbRFog yKHyeaRYFRUI2cLTj1SRg+899KN7pEzdTalmgcQQxEBltta2EeahwTooc4LsyWy7cQu8 mY79mFRjklL4nT/0t+zJ7K6GNzGFfXN8syIrKuvvVWAe/G8f1cl+Y1RsHxIqJ9x80nXh 1sBw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=O/cayApxIGoJVetGefohgjNk7gEng5vrIRk3OmBzWk4=; b=UmQudx+nlaxcw5O309SP6QEkUFL1AuoiH96ay+GK/S8LttiaFIIkLBU439nyquD6Wr U4dNwOCzROZ1qhpCSkaQ5uhLdtQc9EbluFuRAhhVhN+rWakQVxh+9da+UgF0eTuhY8+X ixcLHGFELnQblAb98HRXcV/72zSRm8XsU6HqLOwVmo3A6/KeWRdSZiYMNJBQoqxCQJ1/ Y0l8cSBPPN4FKEsj3cUAEhbNEaXpg+Dp0DGYAdKWbysK1+W/4+M9SChb258ELG3u1VQf Y1vBWJsV/gh/iBPSfr/DIRf6I0oXtfh/lcOPkcLXzM3tED0r3vjBS+ta7bND7DdkBFMG cmEg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=J2ujFRLI; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id e15si14751952pgg.281.2018.12.04.03.08.03; Tue, 04 Dec 2018 03:08:19 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=J2ujFRLI; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727852AbeLDLFp (ORCPT + 99 others); Tue, 4 Dec 2018 06:05:45 -0500 Received: from mail.kernel.org ([198.145.29.99]:53648 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728192AbeLDLFm (ORCPT ); Tue, 4 Dec 2018 06:05:42 -0500 Received: from localhost (5356596B.cm-6-7b.dynamic.ziggo.nl [83.86.89.107]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id DF71E2146D; Tue, 4 Dec 2018 11:05:40 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1543921541; bh=48X0RNKScEUrjBytRv5TK12l1DeWzbGaxUq9bufez6U=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=J2ujFRLIwBeQ5G6DWFyLYd2XpmEanJRwAaEiOYLWolPwZ2xXRJ9G5fydGSywx7+Wn Q026O0wZzXWezbnJqrSVP3Uh9ZpzeqKYjKSmcz3cmN2ZdcNA8IXWttH8Hhmqv7XlDx CKAZIj69orGKsrt7OVZS5ZUdsiNEd9ucVbd7OsLw= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Wei Wu , Paolo Bonzini , =?UTF-8?q?Radim=20Kr=C4=8Dm=C3=A1=C5=99?= , Wanpeng Li Subject: [PATCH 4.14 112/146] KVM: X86: Fix scan ioapic use-before-initialization Date: Tue, 4 Dec 2018 11:49:58 +0100 Message-Id: <20181204103731.329046549@linuxfoundation.org> X-Mailer: git-send-email 2.19.2 In-Reply-To: <20181204103726.750894136@linuxfoundation.org> References: <20181204103726.750894136@linuxfoundation.org> User-Agent: quilt/0.65 X-stable: review X-Patchwork-Hint: ignore MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 4.14-stable review patch. If anyone has any objections, please let me know. ------------------ From: Wanpeng Li commit e97f852fd4561e77721bb9a4e0ea9d98305b1e93 upstream. Reported by syzkaller: BUG: unable to handle kernel NULL pointer dereference at 00000000000001c8 PGD 80000003ec4da067 P4D 80000003ec4da067 PUD 3f7bfa067 PMD 0 Oops: 0000 [#1] PREEMPT SMP PTI CPU: 7 PID: 5059 Comm: debug Tainted: G OE 4.19.0-rc5 #16 RIP: 0010:__lock_acquire+0x1a6/0x1990 Call Trace: lock_acquire+0xdb/0x210 _raw_spin_lock+0x38/0x70 kvm_ioapic_scan_entry+0x3e/0x110 [kvm] vcpu_enter_guest+0x167e/0x1910 [kvm] kvm_arch_vcpu_ioctl_run+0x35c/0x610 [kvm] kvm_vcpu_ioctl+0x3e9/0x6d0 [kvm] do_vfs_ioctl+0xa5/0x690 ksys_ioctl+0x6d/0x80 __x64_sys_ioctl+0x1a/0x20 do_syscall_64+0x83/0x6e0 entry_SYSCALL_64_after_hwframe+0x49/0xbe The reason is that the testcase writes hyperv synic HV_X64_MSR_SINT6 msr and triggers scan ioapic logic to load synic vectors into EOI exit bitmap. However, irqchip is not initialized by this simple testcase, ioapic/apic objects should not be accessed. This can be triggered by the following program: #define _GNU_SOURCE #include #include #include #include #include #include #include #include uint64_t r[3] = {0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff}; int main(void) { syscall(__NR_mmap, 0x20000000, 0x1000000, 3, 0x32, -1, 0); long res = 0; memcpy((void*)0x20000040, "/dev/kvm", 9); res = syscall(__NR_openat, 0xffffffffffffff9c, 0x20000040, 0, 0); if (res != -1) r[0] = res; res = syscall(__NR_ioctl, r[0], 0xae01, 0); if (res != -1) r[1] = res; res = syscall(__NR_ioctl, r[1], 0xae41, 0); if (res != -1) r[2] = res; memcpy( (void*)0x20000080, "\x01\x00\x00\x00\x00\x5b\x61\xbb\x96\x00\x00\x40\x00\x00\x00\x00\x01\x00" "\x08\x00\x00\x00\x00\x00\x0b\x77\xd1\x78\x4d\xd8\x3a\xed\xb1\x5c\x2e\x43" "\xaa\x43\x39\xd6\xff\xf5\xf0\xa8\x98\xf2\x3e\x37\x29\x89\xde\x88\xc6\x33" "\xfc\x2a\xdb\xb7\xe1\x4c\xac\x28\x61\x7b\x9c\xa9\xbc\x0d\xa0\x63\xfe\xfe" "\xe8\x75\xde\xdd\x19\x38\xdc\x34\xf5\xec\x05\xfd\xeb\x5d\xed\x2e\xaf\x22" "\xfa\xab\xb7\xe4\x42\x67\xd0\xaf\x06\x1c\x6a\x35\x67\x10\x55\xcb", 106); syscall(__NR_ioctl, r[2], 0x4008ae89, 0x20000080); syscall(__NR_ioctl, r[2], 0xae80, 0); return 0; } This patch fixes it by bailing out scan ioapic if ioapic is not initialized in kernel. Reported-by: Wei Wu Cc: Paolo Bonzini Cc: Radim Krčmář Cc: Wei Wu Signed-off-by: Wanpeng Li Cc: stable@vger.kernel.org Signed-off-by: Paolo Bonzini Signed-off-by: Greg Kroah-Hartman --- arch/x86/kvm/x86.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) --- a/arch/x86/kvm/x86.c +++ b/arch/x86/kvm/x86.c @@ -6885,7 +6885,8 @@ static void vcpu_scan_ioapic(struct kvm_ else { if (kvm_x86_ops->sync_pir_to_irr && vcpu->arch.apicv_active) kvm_x86_ops->sync_pir_to_irr(vcpu); - kvm_ioapic_scan_entry(vcpu, vcpu->arch.ioapic_handled_vectors); + if (ioapic_in_kernel(vcpu->kvm)) + kvm_ioapic_scan_entry(vcpu, vcpu->arch.ioapic_handled_vectors); } bitmap_or((ulong *)eoi_exit_bitmap, vcpu->arch.ioapic_handled_vectors, vcpu_to_synic(vcpu)->vec_bitmap, 256);