From: Suravee Suthikulpanit <suravee.suthikulpanit@amd.com>
To: linux-kernel@vger.kernel.org, kvm@vger.kernel.org
Cc: pbonzini@redhat.com, joro@8bytes.org
Subject: Re: [PATCH] KVM: SVM: Initialize prev_ga_tag before use
Date: Fri, 9 Oct 2020 18:06:43 +0700 [thread overview]
Message-ID: <50da7a89-a727-18b8-79be-fde665bc9419@amd.com> (raw)
In-Reply-To: <20201003232707.4662-1-suravee.suthikulpanit@amd.com>
Paolo,
Are there any issues or concerns about this patch?
Thank you,
Suravee
On 10/4/20 6:27 AM, Suravee Suthikulpanit wrote:
> The function amd_ir_set_vcpu_affinity makes use of the parameter struct
> amd_iommu_pi_data.prev_ga_tag to determine if it should delete struct
> amd_iommu_pi_data from a list when not running in AVIC mode.
>
> However, prev_ga_tag is initialized only when AVIC is enabled. The non-zero
> uninitialized value can cause unintended code path, which ends up making
> use of the struct vcpu_svm.ir_list and ir_list_lock without being
> initialized (since they are intended only for the AVIC case).
>
> This triggers NULL pointer dereference bug in the function vm_ir_list_del
> with the following call trace:
>
> svm_update_pi_irte+0x3c2/0x550 [kvm_amd]
> ? proc_create_single_data+0x41/0x50
> kvm_arch_irq_bypass_add_producer+0x40/0x60 [kvm]
> __connect+0x5f/0xb0 [irqbypass]
> irq_bypass_register_producer+0xf8/0x120 [irqbypass]
> vfio_msi_set_vector_signal+0x1de/0x2d0 [vfio_pci]
> vfio_msi_set_block+0x77/0xe0 [vfio_pci]
> vfio_pci_set_msi_trigger+0x25c/0x2f0 [vfio_pci]
> vfio_pci_set_irqs_ioctl+0x88/0xb0 [vfio_pci]
> vfio_pci_ioctl+0x2ea/0xed0 [vfio_pci]
> ? alloc_file_pseudo+0xa5/0x100
> vfio_device_fops_unl_ioctl+0x26/0x30 [vfio]
> ? vfio_device_fops_unl_ioctl+0x26/0x30 [vfio]
> __x64_sys_ioctl+0x96/0xd0
> do_syscall_64+0x37/0x80
> entry_SYSCALL_64_after_hwframe+0x44/0xa9
>
> Therefore, initialize prev_ga_tag to zero before use. This should be safe
> because ga_tag value 0 is invalid (see function avic_vm_init).
>
> Fixes: dfa20099e26e ("KVM: SVM: Refactor AVIC vcpu initialization into avic_init_vcpu()")
> Signed-off-by: Suravee Suthikulpanit <suravee.suthikulpanit@amd.com>
> ---
> arch/x86/kvm/svm/avic.c | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/arch/x86/kvm/svm/avic.c b/arch/x86/kvm/svm/avic.c
> index ac830cd50830..381d22daa4ac 100644
> --- a/arch/x86/kvm/svm/avic.c
> +++ b/arch/x86/kvm/svm/avic.c
> @@ -868,6 +868,7 @@ int svm_update_pi_irte(struct kvm *kvm, unsigned int host_irq,
> * - Tell IOMMU to use legacy mode for this interrupt.
> * - Retrieve ga_tag of prior interrupt remapping data.
> */
> + pi.prev_ga_tag = 0;
> pi.is_guest_mode = false;
> ret = irq_set_vcpu_affinity(host_irq, &pi);
>
>
next prev parent reply other threads:[~2020-10-09 11:06 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-10-03 23:27 [PATCH] KVM: SVM: Initialize prev_ga_tag before use Suravee Suthikulpanit
2020-10-09 11:06 ` Suravee Suthikulpanit [this message]
2020-10-19 15:54 ` Paolo Bonzini
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=50da7a89-a727-18b8-79be-fde665bc9419@amd.com \
--to=suravee.suthikulpanit@amd.com \
--cc=joro@8bytes.org \
--cc=kvm@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=pbonzini@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.