Reply-To: Sean Christopherson
Date: Thu, 28 Oct 2021 15:21:47 -0700
In-Reply-To: <20211028222148.2924457-1-seanjc@google.com>
Message-Id: <20211028222148.2924457-2-seanjc@google.com>
References: <20211028222148.2924457-1-seanjc@google.com>
Subject: [PATCH 1/2] x86/hyperv: Fix NULL deref in set_hv_tscchange_cb() if Hyper-V setup fails
From: Sean Christopherson
To: "K. Y. Srinivasan", Haiyang Zhang, Stephen Hemminger, Wei Liu, Dexuan Cui, Thomas Gleixner, Ingo Molnar, Borislav Petkov, x86@kernel.org
Cc: "H. Peter Anvin", linux-hyperv@vger.kernel.org, linux-kernel@vger.kernel.org, Vitaly Kuznetsov, Sean Christopherson
X-Mailing-List: linux-kernel@vger.kernel.org

Check for re-enlightenment support and for a valid hv_vp_index array
prior to dereferencing hv_vp_index when setting Hyper-V's TSC change
callback.  If Hyper-V setup failed in hyperv_init(), e.g. because of a
bad VMM config that doesn't advertise the HYPERCALL MSR, the kernel will
still report that it's running under Hyper-V, but will have silently
disabled nearly all functionality.

  BUG: kernel NULL pointer dereference, address: 0000000000000010
  #PF: supervisor read access in kernel mode
  #PF: error_code(0x0000) - not-present page
  PGD 0 P4D 0
  Oops: 0000 [#1] SMP
  CPU: 4 PID: 1 Comm: swapper/0 Not tainted 5.15.0-rc2+ #75
  Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015
  RIP: 0010:set_hv_tscchange_cb+0x15/0xa0
  Code: <8b> 04 82 8b 15 12 17 85 01 48 c1 e0 20 48 0d ee 00 01 00 f6 c6 08 ...
  Call Trace:
   kvm_arch_init+0x17c/0x280
   kvm_init+0x31/0x330
   vmx_init+0xba/0x13a
   do_one_initcall+0x41/0x1c0
   kernel_init_freeable+0x1f2/0x23b
   kernel_init+0x16/0x120
   ret_from_fork+0x22/0x30

Fixes: 93286261de1b ("x86/hyperv: Reenlightenment notifications support")
Cc: stable@vger.kernel.org
Cc: Vitaly Kuznetsov
Signed-off-by: Sean Christopherson
---
 arch/x86/hyperv/hv_init.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/arch/x86/hyperv/hv_init.c b/arch/x86/hyperv/hv_init.c
index 708a2712a516..6cc845c026d4 100644
--- a/arch/x86/hyperv/hv_init.c
+++ b/arch/x86/hyperv/hv_init.c
@@ -139,7 +139,7 @@ void set_hv_tscchange_cb(void (*cb)(void)) struct hv_reenlightenment_control re_ctrl = { .vector = HYPERV_REENLIGHTENMENT_VECTOR, .enabled = 1, - .target_vp = hv_vp_index[smp_processor_id()] + .target_vp = -1, }; struct hv_tsc_emulation_control emu_ctrl = {.enabled = 1}; @@ -148,6 +148,11 @@ void set_hv_tscchange_cb(void (*cb)(void)) return; } + if (!hv_vp_index) + return; + + re_ctrl.target_vp = hv_vp_index[smp_processor_id()]; + hv_reenlightenment_cb = cb; /* Make sure callback is registered before we write to MSRs */ -- 2.33.0.1079.g6e70778dc9-goog
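Review bot: in the first hunk (`@@ -139,7 +139,7 @@`), the replacement initializer `.target_vp = -1,` is a dead placeholder: the function either returns before the MSR write or the second hunk overwrites the field with `hv_vp_index[smp_processor_id()]`, so -1 never reaches the hypervisor. Leaving `target_vp` out of the designated initializer (it is then zero-initialized like any omitted member) or adding a one-line comment that the real value is filled in after the guards would stop a reader from wondering whether -1 is a meaningful sentinel for the re-enlightenment control register.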
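Review bot: in the second hunk (`@@ -148,6 +148,11 @@`), the new `if (!hv_vp_index) return;` bails out silently, which is exactly the failure mode the commit message complains about ("silently disabled nearly all functionality"); a pr_warn() saying that the VP index table is missing would make the bailout visible in dmesg. Separately, `re_ctrl.target_vp = hv_vp_index[smp_processor_id()];` is now an ordinary statement in a function the oops shows being reached from kvm_arch_init(), i.e. preemptible process context, where smp_processor_id() triggers the CONFIG_DEBUG_PREEMPT "using smp_processor_id() in preemptible code" check. Since the hunk is relocating that read anyway, wrapping the index lookup and the subsequent MSR writes in get_cpu()/put_cpu() would pin the CPU and keep the target VP consistent with the CPU whose MSRs are written.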
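As an added illustration of the pitfall this patch fixes (example code written for this page, not part of the patch or of the kernel), the user-space model below puts the pre-patch and post-patch shapes of set_hv_tscchange_cb() side by side. The point it shows is a C rule rather than anything Hyper-V specific: a local's initializer runs at the declaration, before any guard in the function body, so the designated initializer dereferenced hv_vp_index before the availability check could return. Every name here is a mock-up (hv_vp_index, the availability flag, the "MSR", the CPU id, the vector value are all constructed), and the 64-bit control-word layout used by pack_re_ctrl() is this example's assumption about the re-enlightenment control register.

```c
/*
 * Added example, not part of the patch or of the kernel: a user-space model
 * of why the designated initializer had to go.  A C local's initializer is
 * evaluated at its declaration, before any guard later in the function, so
 * '.target_vp = hv_vp_index[cpu]' dereferences the array on entry.  All
 * names below are mock-ups (hv_vp_index, the availability flag, the "MSR",
 * the CPU id, the vector value), and the 64-bit control layout
 * (vector[7:0], enabled[16], target_vp[63:32]) is this example's assumption.
 */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define HYPERV_REENLIGHTENMENT_VECTOR 0xe8 /* placeholder, not the kernel's value */

struct re_ctrl { uint8_t vector; int enabled; uint32_t target_vp; };

/* Mock Hyper-V state; in the kernel hyperv_init() populates these. */
static uint32_t *hv_vp_index;              /* NULL when setup bailed early */
static int hv_reenlightenment_ok;          /* 0 when not advertised */
static void (*hv_reenlightenment_cb)(void);
static uint64_t mock_reenlightenment_msr;  /* stands in for wrmsrl() */
static uint32_t vp_table[4] = { 10, 11, 12, 13 }; /* constructed VP indices */

static unsigned int mock_cpu_id(void) { return 1; } /* for smp_processor_id() */

/* Pack the fields into the control word (assumed layout, see header comment). */
static uint64_t pack_re_ctrl(const struct re_ctrl *rc)
{
	return (uint64_t)rc->vector
	     | ((uint64_t)(rc->enabled ? 1 : 0) << 16)
	     | ((uint64_t)rc->target_vp << 32);
}

/*
 * Pre-patch shape: the array is read in the initializer, so a NULL
 * hv_vp_index faults before the guard runs.  That matches the oops: CPU 4
 * times sizeof(uint32_t) is 0x10, the faulting address.  Never call this
 * unless mock_hyperv_setup_succeeded() ran.
 */
int set_hv_tscchange_cb_buggy(void (*cb)(void))
{
	struct re_ctrl rc = {
		.vector = HYPERV_REENLIGHTENMENT_VECTOR,
		.enabled = 1,
		.target_vp = hv_vp_index[mock_cpu_id()], /* evaluated right here */
	};

	if (!hv_reenlightenment_ok)
		return -ENODEV;
	hv_reenlightenment_cb = cb;
	mock_reenlightenment_msr = pack_re_ctrl(&rc);
	return 0;
}

/* Post-patch shape: the array is touched only after both guards pass. */
int set_hv_tscchange_cb_fixed(void (*cb)(void))
{
	struct re_ctrl rc = { .vector = HYPERV_REENLIGHTENMENT_VECTOR, .enabled = 1 };

	if (!hv_reenlightenment_ok)
		return -ENODEV;            /* kernel: pr_warn() + return */
	if (!hv_vp_index)
		return -ENODEV;            /* the check the patch adds */

	rc.target_vp = hv_vp_index[mock_cpu_id()];
	hv_reenlightenment_cb = cb;
	mock_reenlightenment_msr = pack_re_ctrl(&rc);
	return 0;
}

/* Scenario setup: the two states described in the commit message. */
void mock_hyperv_setup_succeeded(void)
{
	hv_vp_index = vp_table;
	hv_reenlightenment_ok = 1;
	mock_reenlightenment_msr = 0;
}

void mock_hyperv_setup_failed(void)
{
	hv_vp_index = NULL;        /* hyperv_init() never allocated it ... */
	hv_reenlightenment_ok = 1; /* ... yet the feature still looks available */
	mock_reenlightenment_msr = 0;
}

uint64_t mock_msr_value(void) { return mock_reenlightenment_msr; }

int main(void)
{
	mock_hyperv_setup_failed();
	printf("setup failed:    rc=%d\n", set_hv_tscchange_cb_fixed(NULL));
	mock_hyperv_setup_succeeded();
	printf("setup succeeded: rc=%d msr=0x%016llx\n",
	       set_hv_tscchange_cb_fixed(NULL), (unsigned long long)mock_msr_value());
	return 0;
}
```

In the "setup failed" state the fixed variant returns an error and never touches the array, while the buggy variant would fault on the very first statement; in the "setup succeeded" state both produce the same control word, which is the behavioural equivalence a reviewer wants to see preserved by the hunk. The fixed variant leaves `target_vp` out of the initializer rather than seeding it with a sentinel, so there is no placeholder value to explain.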