From: Pavel Skripkin <paskripkin@gmail.com>
To: pbonzini@redhat.com, seanjc@google.com, vkuznets@redhat.com,
wanpengli@tencent.com, jmattson@google.com
Cc: x86@kernel.org, kvm@vger.kernel.org,
linux-kernel@vger.kernel.org,
Pavel Skripkin <paskripkin@gmail.com>,
syzbot+717ed82268812a643b28@syzkaller.appspotmail.com
Subject: [RFC PATCH] KVM: x86/mmu: fix general protection fault in kvm_mmu_uninit_tdp_mmu
Date: Fri, 25 Mar 2022 19:38:15 +0300
Message-ID: <20220325163815.3514-1-paskripkin@gmail.com>
Syzbot reported GPF in kvm_mmu_uninit_tdp_mmu(), which is caused by
passing NULL pointer to flush_workqueue().
tdp_mmu_zap_wq is allocated via alloc_workqueue() which may fail. There
is no error handling and kvm_mmu_uninit_tdp_mmu() return value is simply
ignored. Even all kvm_*_init_vm() functions are void, so the easiest
solution is to check that tdp_mmu_zap_wq is a valid pointer before passing
it somewhere.
Fixes: 22b94c4b63eb ("KVM: x86/mmu: Zap invalidated roots via asynchronous worker")
Reported-and-tested-by: syzbot+717ed82268812a643b28@syzkaller.appspotmail.com
Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
---
arch/x86/kvm/mmu/tdp_mmu.c | 14 +++++++++-----
1 file changed, 9 insertions(+), 5 deletions(-)
diff --git a/arch/x86/kvm/mmu/tdp_mmu.c b/arch/x86/kvm/mmu/tdp_mmu.c
index e7e7876251b3..b3e8ff7ac5b0 100644
--- a/arch/x86/kvm/mmu/tdp_mmu.c
+++ b/arch/x86/kvm/mmu/tdp_mmu.c
@@ -48,8 +48,10 @@ void kvm_mmu_uninit_tdp_mmu(struct kvm *kvm)
if (!kvm->arch.tdp_mmu_enabled)
return;
- flush_workqueue(kvm->arch.tdp_mmu_zap_wq);
- destroy_workqueue(kvm->arch.tdp_mmu_zap_wq);
+ if (kvm->arch.tdp_mmu_zap_wq) {
+ flush_workqueue(kvm->arch.tdp_mmu_zap_wq);
+ destroy_workqueue(kvm->arch.tdp_mmu_zap_wq);
+ }
WARN_ON(!list_empty(&kvm->arch.tdp_mmu_pages));
WARN_ON(!list_empty(&kvm->arch.tdp_mmu_roots));
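Review bot: the changelog names kvm_mmu_uninit_tdp_mmu() as the function whose return value is ignored, but the hunk header shows it is `void`; the value that gets lost must be the alloc_workqueue() result on the init side (presumably kvm_mmu_init_tdp_mmu()), so please correct the function name in the description. More importantly, the NULL check here only papers over the teardown crash: if alloc_workqueue() fails, the VM should not be created at all (propagate -ENOMEM from the init path, even if that means giving the void kvm_*_init_vm() helpers a return value), and then neither this check nor the one in tdp_mmu_schedule_zap_root() is needed.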
@@ -119,9 +121,11 @@ static void tdp_mmu_zap_root_work(struct work_struct *work)
static void tdp_mmu_schedule_zap_root(struct kvm *kvm, struct kvm_mmu_page *root)
{
- root->tdp_mmu_async_data = kvm;
- INIT_WORK(&root->tdp_mmu_async_work, tdp_mmu_zap_root_work);
- queue_work(kvm->arch.tdp_mmu_zap_wq, &root->tdp_mmu_async_work);
+ if (kvm->arch.tdp_mmu_zap_wq) {
+ root->tdp_mmu_async_data = kvm;
+ INIT_WORK(&root->tdp_mmu_async_work, tdp_mmu_zap_root_work);
+ queue_work(kvm->arch.tdp_mmu_zap_wq, &root->tdp_mmu_async_work);
+ }
}
static inline bool kvm_tdp_root_mark_invalid(struct kvm_mmu_page *page)
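Review bot: silently skipping queue_work() when tdp_mmu_zap_wq is NULL is a logic problem, not just a crash fix: per the Fixes: commit title this worker is what zaps invalidated roots, so with no workqueue the root handed to tdp_mmu_schedule_zap_root() is never zapped and its pages remain on tdp_mmu_pages/tdp_mmu_roots, which the WARN_ON(!list_empty(...)) checks in kvm_mmu_uninit_tdp_mmu() above will then trip at VM teardown. Either zap the root synchronously in the else path, or (preferably) fail VM creation when the workqueue cannot be allocated so this function can keep assuming a valid tdp_mmu_zap_wq.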
--
2.35.1