From: Oliver Upton
Date: Thu, 14 Apr 2022 18:05:29 -0700
Subject: Re: [PATCH] KVM: Initialize debugfs_dentry when a VM is created to avoid NULL deref
To: Sean Christopherson
Cc: Paolo Bonzini, kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Marc Zyngier, syzbot+df6fbbd2ee39f21289ef@syzkaller.appspotmail.com
In-Reply-To: <20220415004622.2207751-1-seanjc@google.com>
List: linux-kernel@vger.kernel.org

Hi Sean,

On Thu, Apr 14, 2022 at 5:46 PM Sean Christopherson wrote:
>
> Initialize debugfs_dentry to its semi-magical -ENOENT value when the VM
> is created. KVM's teardown when VM creation fails is kludgy and calls
> kvm_uevent_notify_change() and kvm_destroy_vm_debugfs() even if KVM never
> attempted kvm_create_vm_debugfs(). Because debugfs_dentry is zero

Boo! I've got a few patches to bring kvm_create_vm_debugfs() in line
with the rest of the VM initialization. Kinda gross it is done in the
ioctl body.

> initialized, the IS_ERR() checks pass and KVM derefs a NULL pointer.
>
> BUG: kernel NULL pointer dereference, address: 0000000000000018
> #PF: supervisor read access in kernel mode
> #PF: error_code(0x0000) - not-present page
> PGD 1068b1067 P4D 1068b1067 PUD 1068b0067 PMD 0
> Oops: 0000 [#1] SMP
> CPU: 0 PID: 871 Comm: repro Not tainted 5.18.0-rc1+ #825
> Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015
> RIP: 0010:__dentry_path+0x7b/0x130
> Call Trace:
>
> dentry_path_raw+0x42/0x70
> kvm_uevent_notify_change.part.0+0x10c/0x200 [kvm]
> kvm_put_kvm+0x63/0x2b0 [kvm]
> kvm_dev_ioctl+0x43a/0x920 [kvm]
> __x64_sys_ioctl+0x83/0xb0
> do_syscall_64+0x31/0x50
> entry_SYSCALL_64_after_hwframe+0x44/0xae
>
> Modules linked in: kvm_intel kvm irqbypass
>
> Fixes: a44a4cc1c969 ("KVM: Don't create VM debugfs files outside of the VM directory")
> Cc: stable@vger.kernel.org
> Cc: Marc Zyngier
> Cc: Oliver Upton
> Reported-by: syzbot+df6fbbd2ee39f21289ef@syzkaller.appspotmail.com
> Signed-off-by: Sean Christopherson

Looks good, grats to the bots for finding my dirty laundry.

Reviewed-by: Oliver Upton
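The mechanism in the quoted commit message, as an added userspace model that is not code from the patch or from the kernel tree: the kernel's ERR_PTR()/IS_ERR() convention treats only the top MAX_ERRNO addresses as errors, so a struct that comes out of kzalloc() with a NULL debugfs_dentry passes an IS_ERR() guard and the uevent code reads through it. struct vm, struct dentry, init_vm(), uevent_notify_change() and the two scenario functions are simplified stand-ins (not the real KVM structures or functions), the "12345-4" dentry name is constructed, and the -EFAULT return stands in for the oops the report shows in __dentry_path. The ERR_PTR(-ENOENT) branch is the fix the patch describes; IS_ERR_OR_NULL() is shown only to make the blind spot of IS_ERR() explicit.

```c
/*
 * Added example: userspace model of a zeroed debugfs_dentry slipping past
 * IS_ERR() on the error-teardown path, and of the ERR_PTR(-ENOENT) fix.
 * Not code from the patch or the kernel; all names below are stand-ins.
 */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_ERRNO 4095
#define IS_ERR_VALUE(x) ((unsigned long)(x) >= (unsigned long)-MAX_ERRNO)

static inline void *ERR_PTR(long error)             { return (void *)error; }
static inline long  PTR_ERR(const void *ptr)        { return (long)ptr; }
static inline int   IS_ERR(const void *ptr)         { return IS_ERR_VALUE((unsigned long)ptr); }
static inline int   IS_ERR_OR_NULL(const void *ptr) { return !ptr || IS_ERR(ptr); }

struct dentry { char name[32]; };              /* stand-in: only the name is modelled */
struct vm     { struct dentry *debugfs_dentry; };

enum init_style { INIT_ZEROED, INIT_ENOENT };

static char g_path[64];                        /* path the uevent code would report */

/* Models kvm_uevent_notify_change(): the guard is IS_ERR(), not a NULL check,
 * so a zeroed pointer is treated as a live dentry and ->name is read through
 * it. The kernel oopses on that read (the __dentry_path frame in the report);
 * this model returns -EFAULT instead so the outcome stays observable. */
static int uevent_notify_change(const struct vm *kvm)
{
	if (!IS_ERR(kvm->debugfs_dentry)) {
		if (kvm->debugfs_dentry == NULL)
			return -EFAULT;
		snprintf(g_path, sizeof g_path, "/kvm/%s", kvm->debugfs_dentry->name);
	}
	return 0;
}

/* Models a struct kvm fresh from kzalloc(): every field is zero. With the fix,
 * debugfs_dentry is set to ERR_PTR(-ENOENT) right away, so "never created"
 * is distinguishable from "created" before any teardown can run. */
static void init_vm(struct vm *kvm, enum init_style style)
{
	memset(kvm, 0, sizeof(*kvm));
	if (style == INIT_ENOENT)
		kvm->debugfs_dentry = ERR_PTR(-ENOENT);
}

/* Scenario from the crash report: VM creation fails before the debugfs
 * directory was ever created, and the kvm_put_kvm() teardown still calls
 * uevent_notify_change(). Returns 0 if teardown completes, -EFAULT if it
 * would have dereferenced NULL. */
static int failed_create_then_teardown(enum init_style style)
{
	struct vm kvm;

	init_vm(&kvm, style);
	/* ... a later init step fails and control jumps to the out_err labels ... */
	return uevent_notify_change(&kvm);
}

/* Happy path for contrast: debugfs creation succeeded, the sentinel is
 * replaced by a real dentry, and the uevent path is built from its name. */
static int create_ok_then_teardown(void)
{
	static struct dentry dir = { "12345-4" };  /* constructed pid-fd style name */
	struct vm kvm;

	init_vm(&kvm, INIT_ENOENT);
	kvm.debugfs_dentry = &dir;                 /* debugfs directory created */
	return uevent_notify_change(&kvm);
}

int main(void)
{
	printf("IS_ERR(NULL)=%d  IS_ERR_OR_NULL(NULL)=%d  IS_ERR(ERR_PTR(-ENOENT))=%d\n",
	       IS_ERR(NULL), IS_ERR_OR_NULL(NULL), IS_ERR(ERR_PTR(-ENOENT)));
	printf("zeroed dentry, failed create:   teardown -> %d (would oops in the kernel)\n",
	       failed_create_then_teardown(INIT_ZEROED));
	printf("ERR_PTR(-ENOENT), failed create: teardown -> %d\n",
	       failed_create_then_teardown(INIT_ENOENT));
	printf("successful create:              teardown -> %d, path %s\n",
	       create_ok_then_teardown(), g_path);
	return 0;
}
```

Build with `cc -Wall -o err_ptr err_ptr.c && ./err_ptr`. The model makes the design choice visible: swapping every consumer's IS_ERR() for IS_ERR_OR_NULL() would also avoid the deref, but setting the sentinel once at creation time makes every existing IS_ERR() guard correct without touching the consumers, and it keeps the "not created" invariant in the same place the object is allocated.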