From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Paolo Bonzini <pbonzini@redhat.com>,
Sean Christopherson <seanjc@google.com>,
Sasha Levin <sashal@kernel.org>,
tglx@linutronix.de, mingo@redhat.com, bp@alien8.de,
dave.hansen@linux.intel.com, x86@kernel.org, kvm@vger.kernel.org
Subject: [PATCH MANUALSEL 5.10 3/4] KVM: x86/mmu: avoid NULL-pointer dereference on page freeing bugs
Date: Wed, 27 Apr 2022 11:54:34 -0400 [thread overview]
Message-ID: <20220427155435.19554-3-sashal@kernel.org> (raw)
In-Reply-To: <20220427155435.19554-1-sashal@kernel.org>
From: Paolo Bonzini <pbonzini@redhat.com>
[ Upstream commit 9191b8f0745e63edf519e4a54a4aaae1d3d46fbd ]
WARN and bail if KVM attempts to free a root that isn't backed by a shadow
page. KVM allocates a bare page for "special" roots, e.g. when using PAE
paging or shadowing 2/3/4-level page tables with 4/5-level, and so root_hpa
will be valid but won't be backed by a shadow page. It's all too easy to
blindly call mmu_free_root_page() on root_hpa, be nice and WARN instead of
crashing KVM and possibly the kernel.
Reviewed-by: Sean Christopherson <seanjc@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/x86/kvm/mmu/mmu.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/arch/x86/kvm/mmu/mmu.c b/arch/x86/kvm/mmu/mmu.c
index 99ea1ec12ffe..70ef5b542681 100644
--- a/arch/x86/kvm/mmu/mmu.c
+++ b/arch/x86/kvm/mmu/mmu.c
@@ -3140,6 +3140,8 @@ static void mmu_free_root_page(struct kvm *kvm, hpa_t *root_hpa,
return;
sp = to_shadow_page(*root_hpa & PT64_BASE_ADDR_MASK);
+ if (WARN_ON(!sp))
+ return;
if (kvm_mmu_put_root(kvm, sp)) {
if (sp->tdp_mmu_page)
--
2.35.1
next prev parent reply other threads:[~2022-04-27 15:55 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-04-27 15:54 [PATCH MANUALSEL 5.10 1/4] x86/kvm: Preserve BSP MSR_KVM_POLL_CONTROL across suspend/resume Sasha Levin
2022-04-27 15:54 ` [PATCH MANUALSEL 5.10 2/4] KVM: x86: Do not change ICR on write to APIC_SELF_IPI Sasha Levin
2022-04-27 16:19 ` Paolo Bonzini
2022-04-27 15:54 ` Sasha Levin [this message]
2022-04-27 16:19 ` [PATCH MANUALSEL 5.10 3/4] KVM: x86/mmu: avoid NULL-pointer dereference on page freeing bugs Paolo Bonzini
2022-04-27 15:54 ` [PATCH MANUALSEL 5.10 4/4] KVM: LAPIC: Enable timer posted-interrupt only when mwait/hlt is advertised Sasha Levin
2022-04-27 16:19 ` Paolo Bonzini
2022-04-27 16:19 ` [PATCH MANUALSEL 5.10 1/4] x86/kvm: Preserve BSP MSR_KVM_POLL_CONTROL across suspend/resume Paolo Bonzini
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220427155435.19554-3-sashal@kernel.org \
--to=sashal@kernel.org \
--cc=bp@alien8.de \
--cc=dave.hansen@linux.intel.com \
--cc=kvm@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mingo@redhat.com \
--cc=pbonzini@redhat.com \
--cc=seanjc@google.com \
--cc=stable@vger.kernel.org \
--cc=tglx@linutronix.de \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.