Reply-To: Sean Christopherson
Date: Thu, 28 Oct 2021 15:21:47 -0700
In-Reply-To: <20211028222148.2924457-1-seanjc@google.com>
Message-Id: <20211028222148.2924457-2-seanjc@google.com>
References: <20211028222148.2924457-1-seanjc@google.com>
Subject: [PATCH 1/2] x86/hyperv: Fix NULL deref in set_hv_tscchange_cb() if Hyper-V setup fails
From: Sean Christopherson
To: "K. Y. Srinivasan", Haiyang Zhang, Stephen Hemminger, Wei Liu, Dexuan Cui, Thomas Gleixner, Ingo Molnar, Borislav Petkov, x86@kernel.org
Cc: "H. Peter Anvin", linux-hyperv@vger.kernel.org, linux-kernel@vger.kernel.org, Vitaly Kuznetsov, Sean Christopherson
X-Mailing-List: linux-kernel@vger.kernel.org

Check for re-enlightenment support and for a valid hv_vp_index array prior to dereferencing hv_vp_index when setting Hyper-V's TSC change callback. If Hyper-V setup failed in hyperv_init(), e.g. because of a bad VMM config that doesn't advertise the HYPERCALL MSR, the kernel will still report that it's running under Hyper-V, but will have silently disabled nearly all functionality.

  BUG: kernel NULL pointer dereference, address: 0000000000000010
  #PF: supervisor read access in kernel mode
  #PF: error_code(0x0000) - not-present page
  PGD 0 P4D 0
  Oops: 0000 [#1] SMP
  CPU: 4 PID: 1 Comm: swapper/0 Not tainted 5.15.0-rc2+ #75
  Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015
  RIP: 0010:set_hv_tscchange_cb+0x15/0xa0
  Code: <8b> 04 82 8b 15 12 17 85 01 48 c1 e0 20 48 0d ee 00 01 00 f6 c6 08 ...
  Call Trace:
   kvm_arch_init+0x17c/0x280
   kvm_init+0x31/0x330
   vmx_init+0xba/0x13a
   do_one_initcall+0x41/0x1c0
   kernel_init_freeable+0x1f2/0x23b
   kernel_init+0x16/0x120
   ret_from_fork+0x22/0x30

Fixes: 93286261de1b ("x86/hyperv: Reenlightenment notifications support")
Cc: stable@vger.kernel.org
Cc: Vitaly Kuznetsov
Signed-off-by: Sean Christopherson
---
 arch/x86/hyperv/hv_init.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/arch/x86/hyperv/hv_init.c b/arch/x86/hyperv/hv_init.c
index 708a2712a516..6cc845c026d4 100644
--- a/arch/x86/hyperv/hv_init.c
+++ b/arch/x86/hyperv/hv_init.c
@@ -139,7 +139,7 @@ void set_hv_tscchange_cb(void (*cb)(void)) struct hv_reenlightenment_control re_ctrl = { .vector = HYPERV_REENLIGHTENMENT_VECTOR, .enabled = 1, - .target_vp = hv_vp_index[smp_processor_id()] + .target_vp = -1, }; struct hv_tsc_emulation_control emu_ctrl = {.enabled = 1}; @@ -148,6 +148,11 @@ void set_hv_tscchange_cb(void (*cb)(void)) return; } + if (!hv_vp_index) + return; + + re_ctrl.target_vp = hv_vp_index[smp_processor_id()]; + hv_reenlightenment_cb = cb; /* Make sure callback is registered before we write to MSRs */ -- 2.33.0.1079.g6e70778dc9-goog
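Review bot: the new `.target_vp = -1,` initializer in the first hunk (the struct initializer around line 139) is only harmless because the second hunk overwrites it before the point the `/* Make sure callback is registered before we write to MSRs */` comment guards; a reader of the initializer alone cannot tell that the value never reaches an MSR, so a short comment such as `.target_vp = -1, /* set below once hv_vp_index is known valid */` would make the intent explicit and stop a future edit from moving the MSR write above the assignment.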
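Review bot: the added `if (!hv_vp_index) return;` in the second hunk silently drops the callback registration, which is the same "silently disabled" behaviour the commit message criticises in the rest of Hyper-V setup; the context lines just above (`return; }`) show an existing early-return guard, so consider folding the NULL check into that guard, or at least emitting a pr_warn_once() so a host operator can see why TSC re-enlightenment never became active under KVM. Separately, the moved `re_ctrl.target_vp = hv_vp_index[smp_processor_id()];` keeps the pre-existing bare smp_processor_id(), but the call trace in the commit message shows this function being reached from kvm_arch_init() via do_one_initcall(), i.e. preemptible process context, where CONFIG_DEBUG_PREEMPT flags such a read; since the line is being touched anyway, wrapping it in get_cpu()/put_cpu() would address that.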