From mboxrd@z Thu Jan 1 00:00:00 1970
Date: Thu, 5 Mar 2026 07:33:04 -0800
From: Sean Christopherson
To: xuanqingshi <1356292400@qq.com>
Cc: pbonzini@redhat.com, kvm@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] KVM: x86: Add LAPIC guard in kvm_apic_write_nodecode()
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Type: text/plain; charset="us-ascii"

On Thu, Mar 05, 2026, xuanqingshi wrote:
> kvm_apic_write_nodecode() dereferences vcpu->arch.apic without first
> checking whether the in-kernel LAPIC has been initialized. If it has
> not (e.g. the vCPU was created without an in-kernel LAPIC), the
> dereference results in a NULL pointer access.
>
> While APIC-write VM-Exits are not expected to occur on a vCPU without
> an in-kernel LAPIC, kvm_apic_write_nodecode() should be robust against
> such a scenario as a defense-in-depth measure, e.g. to guard against
> KVM bugs or CPU errata that could generate a spurious APIC-write
> VM-Exit.
>
> Add a WARN_ON_ONCE() guard and bail early if vcpu->arch.apic is NULL.
>
> Found by a VMCS-targeted fuzzer based on syzkaller.

Found how exactly?  If you managed to actually hit a NULL pointer deref here,
that *significantly* changes the value of adding defense in depth.

> Signed-off-by: xuanqingshi <1356292400@qq.com>
> ---
>  arch/x86/kvm/lapic.c | 3 +++
>  1 file changed, 3 insertions(+)
>
> diff --git a/arch/x86/kvm/lapic.c b/arch/x86/kvm/lapic.c
> index 9381c58d4c85..0f9d314dfa2a 100644
> --- a/arch/x86/kvm/lapic.c
> +++ b/arch/x86/kvm/lapic.c
> @@ -2657,6 +2657,9 @@ void kvm_apic_write_nodecode(struct kvm_vcpu *vcpu, u32 offset) > { > struct kvm_lapic *apic = vcpu->arch.apic; > > + if (WARN_ON_ONCE(!apic)) > + return; Hmm, a simple WARN isn't a net positive. If the CPU generates a spurious APICv/AVIC VM-Exit, or KVM managed to enable one or the other without an in-kernel local APIC, then I'd *much* prefer a crash due to a NULL pointer dereference. Letting the vCPU continue on in this state would be disastrous for the guest. But luckily we have KVM_BUG_ON(). And we can use lapic_in_kernel() to make this "free" for the overwhelming majority of setups, which always use an in-kernel local APIC (in which case lapic_in_kernel() is a static branch that returns true). if (KVM_BUG_ON(!lapic_in_kernel(vcpu), vcpu->kvm)) return;
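Review bot: the guard in this hunk is fail-open: when `apic` is NULL it warns once and returns, and the vCPU then resumes as though the APIC write never happened, even though an APIC-write exit on a vCPU without an in-kernel LAPIC means KVM or the CPU is already in an impossible state. Prefer `if (KVM_BUG_ON(!lapic_in_kernel(vcpu), vcpu->kvm)) return;` so the VM is marked bugged and stops running instead of silently continuing; `lapic_in_kernel()` is a static branch, so the check costs nothing on the common in-kernel-LAPIC configuration. The commit message should also state how the fuzzer reached the dereference, since "found by a VMCS-targeted fuzzer" does not distinguish an observed NULL dereference from code-reading hardening, and the two justify very different changes.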
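To make the fail-open versus fail-stop distinction in the reply concrete, here is an added userspace C model of the two guard variants; it is not KVM code and not part of this thread. Every struct, field and function name in it (model_vm, model_vcpu, model_warn_on_once, model_kvm_bug_on, run_scenario, and so on) is invented for the model. What it reproduces from real KVM is only the behaviour discussed above: WARN_ON_ONCE() splats once and evaluates to its condition, while KVM_BUG_ON() marks the VM bugged, kicks every vCPU, and makes later vCPU ioctls such as KVM_RUN fail with -EIO.

```c
/* Added example: a userspace C model of the two guard strategies compared in
 * the reply above. Nothing here is KVM code; every struct, field and function
 * name is invented for the model. */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

#define APIC_REG_COUNT 256   /* 4 KiB register window, 4-byte registers */

struct model_vm {
	bool vm_bugged;          /* models kvm->vm_bugged */
	unsigned int kicks;      /* "kick every vCPU out of the guest" requests */
	unsigned int warnings;   /* splats emitted by the WARN model */
};

struct model_vcpu {
	struct model_vm *kvm;
	bool lapic_in_kernel;    /* models lapic_in_kernel(vcpu) */
	unsigned int *apic;      /* models vcpu->arch.apic; NULL when no in-kernel LAPIC */
	unsigned int writes;     /* register writes that reached the (model) APIC */
};

/* Model of WARN_ON_ONCE(cond): splat the first time cond is true, return cond. */
static bool model_warn_on_once(bool cond, struct model_vm *kvm, const char *what)
{
	if (cond && kvm->warnings++ == 0)
		fprintf(stderr, "WARNING: %s\n", what);
	return cond;
}

/* Model of KVM_BUG_ON(cond, kvm): on cond, mark the VM bugged and kick all
 * vCPUs (real KVM raises KVM_REQ_VM_DEAD); return cond either way. */
static bool model_kvm_bug_on(bool cond, struct model_vm *kvm)
{
	if (cond && !kvm->vm_bugged) {
		kvm->vm_bugged = true;
		kvm->kicks++;
	}
	return cond;
}

/* Variant A, the patch as posted: a NULL APIC pointer is warned about once and
 * the write is silently dropped; the vCPU resumes as if nothing happened. */
static void write_nodecode_warn_only(struct model_vcpu *vcpu, unsigned int offset,
				     unsigned int val)
{
	unsigned int *apic = vcpu->apic;

	if (model_warn_on_once(!apic, vcpu->kvm, "APIC write without in-kernel LAPIC"))
		return;
	apic[offset >> 2] = val;
	vcpu->writes++;
}

/* Variant B, the reviewer's suggestion: check lapic_in_kernel() first (a
 * static branch in real KVM, so free on the common configuration) and treat a
 * failure as a KVM/CPU bug that stops the VM instead of letting it limp on. */
static void write_nodecode_bug_on(struct model_vcpu *vcpu, unsigned int offset,
				  unsigned int val)
{
	if (model_kvm_bug_on(!vcpu->lapic_in_kernel, vcpu->kvm))
		return;
	vcpu->apic[offset >> 2] = val;
	vcpu->writes++;
}

/* Model of the KVM_RUN ioctl entry: a bugged VM never enters the guest again. */
static int model_vcpu_run(struct model_vcpu *vcpu)
{
	return vcpu->kvm->vm_bugged ? -EIO : 0;
}

struct scenario_result {
	int run_rc;              /* what the next KVM_RUN would return */
	unsigned int writes;     /* writes that landed in the APIC */
	unsigned int kicks;      /* VM-dead kicks issued */
	unsigned int warnings;   /* WARN splats emitted */
};

/* Deliver one APIC-write exit (TPR, byte offset 0x80) to a fresh vCPU that
 * either has or lacks an in-kernel LAPIC, using the chosen guard variant. */
static struct scenario_result run_scenario(bool use_bug_on, bool lapic_present)
{
	static unsigned int regs[APIC_REG_COUNT];
	struct model_vm vm = { 0 };
	struct model_vcpu vcpu = {
		.kvm = &vm,
		.lapic_in_kernel = lapic_present,
		.apic = lapic_present ? regs : NULL,
	};

	if (use_bug_on)
		write_nodecode_bug_on(&vcpu, 0x80, 0x10);
	else
		write_nodecode_warn_only(&vcpu, 0x80, 0x10);

	return (struct scenario_result){
		.run_rc = model_vcpu_run(&vcpu),
		.writes = vcpu.writes,
		.kicks = vm.kicks,
		.warnings = vm.warnings,
	};
}

int main(void)
{
	struct scenario_result a = run_scenario(false, false);
	struct scenario_result b = run_scenario(true, false);

	printf("WARN_ON_ONCE guard, no LAPIC: next KVM_RUN -> %d, writes=%u, warnings=%u\n",
	       a.run_rc, a.writes, a.warnings);
	printf("KVM_BUG_ON guard,   no LAPIC: next KVM_RUN -> %d, writes=%u, kicks=%u\n",
	       b.run_rc, b.writes, b.kicks);
	return 0;
}
```

With the LAPIC absent, variant A leaves the vCPU runnable (the next KVM_RUN returns 0) with only a warning to show that an impossible exit occurred, while variant B bugs the VM so the next KVM_RUN returns -EIO; with the LAPIC present both variants complete the write, which is the point of putting the cheap lapic_in_kernel() check first.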