linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
* [RFC PATCH] KVM: x86/mmu: fix general protection fault in kvm_mmu_uninit_tdp_mmu
@ 2022-03-25 16:38 Pavel Skripkin
  2022-03-25 16:46 ` Christophe JAILLET
  2022-03-25 16:50 ` Paolo Bonzini
  0 siblings, 2 replies; 4+ messages in thread
From: Pavel Skripkin @ 2022-03-25 16:38 UTC (permalink / raw)
  To: pbonzini, seanjc, vkuznets, wanpengli, jmattson
  Cc: x86, kvm, linux-kernel, Pavel Skripkin, syzbot+717ed82268812a643b28

Syzbot reported GPF in kvm_mmu_uninit_tdp_mmu(), which is caused by
passing NULL pointer to flush_workqueue().

tdp_mmu_zap_wq is allocated via alloc_workqueue() which may fail. There
is no error hanling and kvm_mmu_uninit_tdp_mmu() return value is simply
ignored. Even all kvm_*_init_vm() functions are void, so the easiest
solution is to check that tdp_mmu_zap_wq is valid pointer before passing
it somewhere.

Fixes: 22b94c4b63eb ("KVM: x86/mmu: Zap invalidated roots via asynchronous worker")
Reported-and-tested-by: syzbot+717ed82268812a643b28@syzkaller.appspotmail.com
Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
---
 arch/x86/kvm/mmu/tdp_mmu.c | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)

diff --git a/arch/x86/kvm/mmu/tdp_mmu.c b/arch/x86/kvm/mmu/tdp_mmu.c
index e7e7876251b3..b3e8ff7ac5b0 100644
--- a/arch/x86/kvm/mmu/tdp_mmu.c
+++ b/arch/x86/kvm/mmu/tdp_mmu.c
@@ -48,8 +48,10 @@ void kvm_mmu_uninit_tdp_mmu(struct kvm *kvm)
 	if (!kvm->arch.tdp_mmu_enabled)
 		return;
 
-	flush_workqueue(kvm->arch.tdp_mmu_zap_wq);
-	destroy_workqueue(kvm->arch.tdp_mmu_zap_wq);
+	if (kvm->arch.tdp_mmu_zap_wq) {
+		flush_workqueue(kvm->arch.tdp_mmu_zap_wq);
+		destroy_workqueue(kvm->arch.tdp_mmu_zap_wq);
+	}
 
 	WARN_ON(!list_empty(&kvm->arch.tdp_mmu_pages));
 	WARN_ON(!list_empty(&kvm->arch.tdp_mmu_roots));
@@ -119,9 +121,11 @@ static void tdp_mmu_zap_root_work(struct work_struct *work)
 
 static void tdp_mmu_schedule_zap_root(struct kvm *kvm, struct kvm_mmu_page *root)
 {
-	root->tdp_mmu_async_data = kvm;
-	INIT_WORK(&root->tdp_mmu_async_work, tdp_mmu_zap_root_work);
-	queue_work(kvm->arch.tdp_mmu_zap_wq, &root->tdp_mmu_async_work);
+	if (kvm->arch.tdp_mmu_zap_wq) {
+		root->tdp_mmu_async_data = kvm;
+		INIT_WORK(&root->tdp_mmu_async_work, tdp_mmu_zap_root_work);
+		queue_work(kvm->arch.tdp_mmu_zap_wq, &root->tdp_mmu_async_work);
+	}
 }
 
 static inline bool kvm_tdp_root_mark_invalid(struct kvm_mmu_page *page)
-- 
2.35.1


^ permalink raw reply related	[flat|nested] 4+ messages in thread
* Re: [RFC PATCH] KVM: x86/mmu: fix general protection fault in kvm_mmu_uninit_tdp_mmu
  2022-03-25 16:38 [RFC PATCH] KVM: x86/mmu: fix general protection fault in kvm_mmu_uninit_tdp_mmu Pavel Skripkin
@ 2022-03-25 16:46 ` Christophe JAILLET
  2022-03-25 16:50 ` Paolo Bonzini
  1 sibling, 0 replies; 4+ messages in thread
From: Christophe JAILLET @ 2022-03-25 16:46 UTC (permalink / raw)
  To: Pavel Skripkin, pbonzini, seanjc, vkuznets, wanpengli, jmattson
  Cc: x86, kvm, linux-kernel, syzbot+717ed82268812a643b28

Le 25/03/2022 à 17:38, Pavel Skripkin a écrit :
> Syzbot reported GPF in kvm_mmu_uninit_tdp_mmu(), which is caused by
> passing NULL pointer to flush_workqueue().
> 
> tdp_mmu_zap_wq is allocated via alloc_workqueue() which may fail. There
> is no error hanling and kvm_mmu_uninit_tdp_mmu() return value is simply
> ignored. Even all kvm_*_init_vm() functions are void, so the easiest
> solution is to check that tdp_mmu_zap_wq is valid pointer before passing
> it somewhere.
> 
> Fixes: 22b94c4b63eb ("KVM: x86/mmu: Zap invalidated roots via asynchronous worker")
> Reported-and-tested-by: syzbot+717ed82268812a643b28@syzkaller.appspotmail.com
> Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
> ---
>   arch/x86/kvm/mmu/tdp_mmu.c | 14 +++++++++-----
>   1 file changed, 9 insertions(+), 5 deletions(-)
> 
> diff --git a/arch/x86/kvm/mmu/tdp_mmu.c b/arch/x86/kvm/mmu/tdp_mmu.c
> index e7e7876251b3..b3e8ff7ac5b0 100644
> --- a/arch/x86/kvm/mmu/tdp_mmu.c
> +++ b/arch/x86/kvm/mmu/tdp_mmu.c
> @@ -48,8 +48,10 @@ void kvm_mmu_uninit_tdp_mmu(struct kvm *kvm)
>   	if (!kvm->arch.tdp_mmu_enabled)
>   		return;
>   
> -	flush_workqueue(kvm->arch.tdp_mmu_zap_wq);
> -	destroy_workqueue(kvm->arch.tdp_mmu_zap_wq);
> +	if (kvm->arch.tdp_mmu_zap_wq) {
> +		flush_workqueue(kvm->arch.tdp_mmu_zap_wq);
> +		destroy_workqueue(kvm->arch.tdp_mmu_zap_wq);

Hi,
unrelated to the patch, but flush_workqueue() is redundant and could be 
removed.
destroy_workqueue() already drains the queue.

Just my 2c,
CJ

> +	}
>   
>   	WARN_ON(!list_empty(&kvm->arch.tdp_mmu_pages));
>   	WARN_ON(!list_empty(&kvm->arch.tdp_mmu_roots));
> @@ -119,9 +121,11 @@ static void tdp_mmu_zap_root_work(struct work_struct *work)
>   
>   static void tdp_mmu_schedule_zap_root(struct kvm *kvm, struct kvm_mmu_page *root)
>   {
> -	root->tdp_mmu_async_data = kvm;
> -	INIT_WORK(&root->tdp_mmu_async_work, tdp_mmu_zap_root_work);
> -	queue_work(kvm->arch.tdp_mmu_zap_wq, &root->tdp_mmu_async_work);
> +	if (kvm->arch.tdp_mmu_zap_wq) {
> +		root->tdp_mmu_async_data = kvm;
> +		INIT_WORK(&root->tdp_mmu_async_work, tdp_mmu_zap_root_work);
> +		queue_work(kvm->arch.tdp_mmu_zap_wq, &root->tdp_mmu_async_work);
> +	}
>   }
>   
>   static inline bool kvm_tdp_root_mark_invalid(struct kvm_mmu_page *page)


^ permalink raw reply	[flat|nested] 4+ messages in thread
* Re: [RFC PATCH] KVM: x86/mmu: fix general protection fault in kvm_mmu_uninit_tdp_mmu
  2022-03-25 16:38 [RFC PATCH] KVM: x86/mmu: fix general protection fault in kvm_mmu_uninit_tdp_mmu Pavel Skripkin
  2022-03-25 16:46 ` Christophe JAILLET
@ 2022-03-25 16:50 ` Paolo Bonzini
  2022-03-25 18:11   ` Pavel Skripkin
  1 sibling, 1 reply; 4+ messages in thread
From: Paolo Bonzini @ 2022-03-25 16:50 UTC (permalink / raw)
  To: Pavel Skripkin, seanjc, vkuznets, wanpengli, jmattson
  Cc: x86, kvm, linux-kernel, syzbot+717ed82268812a643b28

On 3/25/22 17:38, Pavel Skripkin wrote:
> Syzbot reported GPF in kvm_mmu_uninit_tdp_mmu(), which is caused by
> passing NULL pointer to flush_workqueue().
> 
> tdp_mmu_zap_wq is allocated via alloc_workqueue() which may fail. There
> is no error hanling and kvm_mmu_uninit_tdp_mmu() return value is simply
> ignored. Even all kvm_*_init_vm() functions are void, so the easiest
> solution is to check that tdp_mmu_zap_wq is valid pointer before passing
> it somewhere.

Thanks for the analysis, but not scheduling the work item in 
tdp_mmu_schedule_zap_root is broken; you can't just let the roots 
survive (KVM uses its own workqueue because it needs to work item to 
complete has to flush it before kvm_mmu_zap_all_fast returns).

I'll fix it properly by propagating the error up to kvm_mmu_init_vm and 
kvm_arch_init_vm,

Thanks,

Paolo


^ permalink raw reply	[flat|nested] 4+ messages in thread
* Re: [RFC PATCH] KVM: x86/mmu: fix general protection fault in kvm_mmu_uninit_tdp_mmu
  2022-03-25 16:50 ` Paolo Bonzini
@ 2022-03-25 18:11   ` Pavel Skripkin
  0 siblings, 0 replies; 4+ messages in thread
From: Pavel Skripkin @ 2022-03-25 18:11 UTC (permalink / raw)
  To: Paolo Bonzini, seanjc, vkuznets, wanpengli, jmattson
  Cc: x86, kvm, linux-kernel, syzbot+717ed82268812a643b28

Hi Paolo,

On 3/25/22 19:50, Paolo Bonzini wrote:
> On 3/25/22 17:38, Pavel Skripkin wrote:
>> Syzbot reported GPF in kvm_mmu_uninit_tdp_mmu(), which is caused by
>> passing NULL pointer to flush_workqueue().
>> 
>> tdp_mmu_zap_wq is allocated via alloc_workqueue() which may fail. There
>> is no error hanling and kvm_mmu_uninit_tdp_mmu() return value is simply
>> ignored. Even all kvm_*_init_vm() functions are void, so the easiest
>> solution is to check that tdp_mmu_zap_wq is valid pointer before passing
>> it somewhere.
> 
> Thanks for the analysis, but not scheduling the work item in
> tdp_mmu_schedule_zap_root is broken; you can't just let the roots
> survive (KVM uses its own workqueue because it needs to work item to
> complete has to flush it before kvm_mmu_zap_all_fast returns).
> 

Ah, I see, thanks for explanation.

I thought about propagating an error up to callers, but 
kvm_mmu_uninit_tdp_mmu() returns false with config disabled, so I 
decided to implement easiest fix w/o digging into details

sorry about that


With regards,
Pavel Skripkin

^ permalink raw reply	[flat|nested] 4+ messages in thread
end of thread, other threads:[~2022-03-25 19:32 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-03-25 16:38 [RFC PATCH] KVM: x86/mmu: fix general protection fault in kvm_mmu_uninit_tdp_mmu Pavel Skripkin
2022-03-25 16:46 ` Christophe JAILLET
2022-03-25 16:50 ` Paolo Bonzini
2022-03-25 18:11   ` Pavel Skripkin

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).