From mboxrd@z Thu Jan 1 00:00:00 1970
From: Michael Ellerman
Subject: [PATCH] KVM: x86: Avoid NULL dereference in kvm_apic_accept_pic_intr()
Date: Tue, 7 Feb 2012 17:32:07 +1100
Message-ID: <1328596327-18662-1-git-send-email-michael@ellerman.id.au>
Cc: avi@redhat.com, mtosatti@redhat.com
To: kvm@vger.kernel.org
Return-path:
Received: from ozlabs.org ([203.10.76.45]:53645 "EHLO ozlabs.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751187Ab2BGGdr (ORCPT ); Tue, 7 Feb 2012 01:33:47 -0500
Sender: kvm-owner@vger.kernel.org
List-ID:

A test case which does the following:

	ioctl(vmfd, KVM_CREATE_VCPU, 0);
	ioctl(vmfd, KVM_CREATE_IRQCHIP);
	ioctl(cpufd, KVM_RUN);

Can oops in kvm_apic_accept_pic_intr() because vcpu->arch.apic == NULL.

Because irqchip_in_kernel() is false when we create the vcpu we leave
vcpu->arch.apic uninitialised (in kvm_arch_vcpu_init()). Then when we run,
irqchip_in_kernel() is true, but we didn't do the correct initialisation.

The root of the problem seems to be that there is an assumption that
KVM_CREATE_IRQCHIP will be called before any VCPUs are created. The
documentation says "sets up future vcpus to have a local APIC". So the
simplest fix seems to be to enforce that ordering in the code.

Signed-off-by: Michael Ellerman
---
 arch/x86/kvm/x86.c |    3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
index 14d6cad..27dd380 100644
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -3110,6 +3110,9 @@ long kvm_arch_vm_ioctl(struct file *filp,
 		r = -EEXIST;
 		if (kvm->arch.vpic)
 			goto create_irqchip_unlock;
+		r = -EINVAL;
+		if (atomic_read(&kvm->online_vcpus))
+			goto create_irqchip_unlock;
 		r = -ENOMEM;
 		vpic = kvm_create_pic(kvm);
 		if (vpic) {
-- 
1.7.5.4
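Review bot: the new `atomic_read(&kvm->online_vcpus)` check only closes the window if it runs under the same lock that vcpu creation takes when it bumps `online_vcpus`, and even then it needs confirming that a vcpu whose `kvm_arch_vcpu_init()` has already run with `irqchip_in_kernel()` false cannot still be in flight (created but not yet counted) when this check passes; if it can, the irqchip gets created and that vcpu reaches KVM_RUN with `vcpu->arch.apic == NULL`, which is the oops this patch is meant to prevent. Please state in the commit message which lock covers the `r = -EEXIST` / `r = -EINVAL` sequence, and consider counting vcpus at the point they are created rather than when they go online. Separately, KVM_CREATE_IRQCHIP now has a new documented failure mode (EINVAL once any vcpu exists), so the api documentation entry for KVM_CREATE_IRQCHIP should say so, since user space that creates vcpus first used to get a working (if crashy) VM and will now get an error.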
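The following is an added example, not code from the patch or from the KVM tree: a user-space probe that issues the first two ioctls of the test case above against a real /dev/kvm and reports whether the kernel rejects KVM_CREATE_IRQCHIP once a vcpu exists. It deliberately never issues KVM_RUN, so on an unpatched kernel it reports the unsafe ordering instead of triggering the oops. Assumptions: the device path /dev/kvm, and, when <linux/kvm.h> is not available at build time, the x86 KVM ioctl numbers spelled out below as fallbacks; the function and enum names are this example's own.

```c
/* Added example: probe for the KVM_CREATE_VCPU -> KVM_CREATE_IRQCHIP ordering
 * bug without running the guest.  Not part of the patch or of KVM. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/ioctl.h>

#ifdef __has_include
# if __has_include(<linux/kvm.h>)
#  include <linux/kvm.h>
# endif
#endif

/* Fallbacks (assumption: x86 KVM ioctl numbers) for builds without linux/kvm.h. */
#ifndef KVMIO
#define KVMIO 0xAE
#endif
#ifndef KVM_API_VERSION
#define KVM_API_VERSION 12
#endif
#ifndef KVM_GET_API_VERSION
#define KVM_GET_API_VERSION _IO(KVMIO, 0x00)
#endif
#ifndef KVM_CREATE_VM
#define KVM_CREATE_VM _IO(KVMIO, 0x01)
#endif
#ifndef KVM_CREATE_VCPU
#define KVM_CREATE_VCPU _IO(KVMIO, 0x41)
#endif
#ifndef KVM_CREATE_IRQCHIP
#define KVM_CREATE_IRQCHIP _IO(KVMIO, 0x60)
#endif

enum probe_result {
	PROBE_NO_KVM = 0,      /* /dev/kvm absent, not permitted, or wrong API */
	PROBE_ORDER_REJECTED,  /* irqchip-after-vcpu refused with EINVAL: fixed kernel */
	PROBE_ORDER_ACCEPTED,  /* irqchip-after-vcpu succeeded: KVM_RUN would oops */
	PROBE_OTHER_ERROR      /* some unrelated ioctl failure */
};

/* Pure classifier: rc/errno of KVM_CREATE_IRQCHIP issued after a vcpu exists. */
enum probe_result classify_irqchip_after_vcpu(int rc, int err)
{
	if (rc == 0)
		return PROBE_ORDER_ACCEPTED;
	if (err == EINVAL)
		return PROBE_ORDER_REJECTED;
	return PROBE_OTHER_ERROR;
}

/* Replays steps 1 and 2 of the commit message's test case, never step 3. */
enum probe_result probe_irqchip_ordering(void)
{
	int kvmfd, vmfd, cpufd, rc, err;
	enum probe_result res;

	kvmfd = open("/dev/kvm", O_RDWR);
	if (kvmfd < 0)
		return PROBE_NO_KVM;
	if (ioctl(kvmfd, KVM_GET_API_VERSION, 0) != KVM_API_VERSION) {
		close(kvmfd);
		return PROBE_NO_KVM;
	}
	vmfd = ioctl(kvmfd, KVM_CREATE_VM, 0);
	if (vmfd < 0) {
		close(kvmfd);
		return PROBE_NO_KVM;
	}
	/* Step 1: create a vcpu while irqchip_in_kernel() is still false. */
	cpufd = ioctl(vmfd, KVM_CREATE_VCPU, 0);
	if (cpufd < 0) {
		close(vmfd);
		close(kvmfd);
		return PROBE_OTHER_ERROR;
	}
	/* Step 2: now request the in-kernel irqchip; the patch makes this EINVAL. */
	rc = ioctl(vmfd, KVM_CREATE_IRQCHIP, 0);
	err = errno;
	res = classify_irqchip_after_vcpu(rc, err);
	/* Step 3 (KVM_RUN on cpufd) is intentionally omitted: on a kernel that
	 * accepted the ordering it is the call that dereferences the NULL apic. */
	close(cpufd);
	close(vmfd);
	close(kvmfd);
	return res;
}

int main(void)
{
	static const char *names[] = {
		"no usable /dev/kvm", "ordering rejected (EINVAL)",
		"ordering accepted: unpatched kernel, do not KVM_RUN",
		"unrelated ioctl error"
	};
	enum probe_result r = probe_irqchip_ordering();
	printf("irqchip-after-vcpu: %s\n", names[r]);
	return r == PROBE_ORDER_ACCEPTED ? 1 : 0;
}
```

Run it as a user allowed to open /dev/kvm; the exit status is non-zero only when the kernel accepted the dangerous ordering. The pure classifier is split out so the verdict logic can be checked without a hypervisor.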