Alexey Kardashevskiy <aik@xxxxxxxxx> writes:
> The powernv-rng driver has 2 users - the bare metal powernv platform and
> the KVM's H_RANDOM hcall. The hcall handler works fine when it is L0 KVM
> but fails in L1 KVM as there is no support for the HW registers in L1 VMs
> and such support is not advertised either (== no "ibm,power-rng" in
> the FDT). So when a nested VM tries H_RANDOM, the L1 KVM crashes on
> in_be64(rng->regs).
>
> This checks the pointers and returns an error if the feature is not
> set up.
>
> Signed-off-by: Alexey Kardashevskiy <aik@xxxxxxxxx>
> ---
>
>
> Randomly randomized H_RANDOM:
>
> 00:00:45 executing program 10:
> r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000), 0x0, 0x0)
> r1 = ioctl$KVM_CREATE_VM(r0, 0x2000ae01, 0x0)
> r2 = ioctl$KVM_CREATE_VCPU(r1, 0x2000ae41, 0x0)
> ioctl$KVM_SET_REGS(r2, 0x8188ae82, &(0x7f00000001c0)={[0x0, 0x0, 0xffffffffffffffe1, 0x0, 0x0, 0x200000953, 0x0, 0xfffffffffffffffe, 0x0, 0x0, 0x2], 0x2000})
> syz_kvm_setup_cpu$ppc64(0xffffffffffffffff, r2, &(0x7f0000e80000/0x180000)=nil, 0x0, 0x0, 0x0, 0x0, 0x0)
> r3 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000100), 0x0, 0x0)
> syz_kvm_setup_cpu$ppc64(r1, r2, &(0x7f0000e70000/0x180000)=nil, &(0x7f0000000080)=[{0x0, &(0x7f0000000280)="0000e03d0080ef61e403ef790000ef650900ef61647b007c0000e03f0000ff63e403ff7b0000ff679952ff6370e63f7e0000603c00006360e4036378000063640003636018a8803c28bf8460e4038478ef97846436888460b6f6a03c88d6a560e403a5781beda564d879a5602665c03cb08dc660e403c67806b3c664966fc660d53fe03cddf1e760e403e7785c41e7646623e76022000044463fb1f20000803e00809462e403947a0000946604009462a6a6607f4abb4c130000603f00007b63e4037b7b00007b679a367b6332d9c17c201c994f7201004cbb7a603f72047b63e4037b7b955f7b6799947b636401607f", 0xf0}], 0x1, 0x0, &(0x7f00000000c0)=[@featur2={0x1, 0x1000}], 0x1)
>
>
> cpu 0xd: Vector: 300 (Data Access) at [c00000001599f590]
>     pc: c00000000011d2bc: powernv_get_random_long+0x4c/0xc0
>     lr: c00000000011d298: powernv_get_random_long+0x28/0xc0
>     sp: c00000001599f830
>    msr: 800000000280b033
>    dar: 0
>  dsisr: 40000000
>   current = 0xc0000000614c7f80
>   paca    = 0xc0000000fff81700   irqmask: 0x03   irq_happened: 0x01
>     pid   = 31576, comm = syz-executor.10
>
> Linux version 5.14.0-rc2-le_f29cf1ff9a23_a+fstn1 (aik@fstn1-p1) (gcc (Ubuntu 10.3.0-1ubuntu1) 10.3.0, GNU ld (GNU Binutils for Ubuntu) 2.36.1) #263 SMP Thu Jul 29 17:56:12 AEST 2021
> enter ? for help
> [c00000001599f860] c0000000001e45f8 kvmppc_pseries_do_hcall+0x5d8/0x2190
> [c00000001599f8f0] c0000000001ea2dc kvmppc_vcpu_run_hv+0x31c/0x14d0
> [c00000001599f9c0] c0000000001bd518 kvmppc_vcpu_run+0x48/0x60
> [c00000001599f9f0] c0000000001b74b0 kvm_arch_vcpu_ioctl_run+0x580/0x7d0
> [c00000001599fa90] c00000000019e6f8 kvm_vcpu_ioctl+0x418/0xd00
> [c00000001599fc70] c00000000079d8c4 sys_ioctl+0xb44/0x2100
> [c00000001599fd90] c00000000003b704 system_call_exception+0x224/0x410
> [c00000001599fe10] c00000000000c0e8 system_call_vectored_common+0xe8/0x278

There would be no bug if KVM was using arch_get_random_seed_long(),
because that defers to ppc_md, which is only populated when the RNG is
set up correctly.

That seems like a better fix?

cheers
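The two entry points the reply contrasts, modelled in a small stand-alone C program. This is an added illustration, not the kernel's code or either poster's patch: the names powernv_get_random_long, arch_get_random_seed_long, ppc_md and "ibm,power-rng" come from the thread above, but the structs, the fake register and the setup routine are simplified assumptions made for the example. The point it shows is the one the reply makes: a direct register read dereferences rng->regs whether or not the RNG was ever set up, whereas dispatching through ppc_md returns false when nothing was registered (the nested-guest case), so the hcall handler can fail cleanly instead of taking a data access fault.

```c
/* Added example modelling the thread's discussion; not the kernel's code.
 * Struct and function names mirror those mentioned in the thread but the
 * bodies are stand-ins, and the register value is constructed. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Model of the per-chip RNG state: regs stays NULL unless the device tree
 * advertises "ibm,power-rng" and the driver maps the registers. */
struct powernv_rng_model {
	volatile uint64_t *regs;
};

/* Model of ppc_md: get_random_seed is NULL until the RNG driver fills it. */
struct machdep_calls_model {
	bool (*get_random_seed)(unsigned long *v);
};

static struct powernv_rng_model rng_state;      /* per-chip state (model) */
static struct machdep_calls_model ppc_md_model; /* populated only by setup */

/* Constructed stand-in for the hardware register so the run is deterministic. */
static uint64_t fake_rng_reg = 0x1234abcdULL;

/* Direct register read. The crash in the thread is this dereference being
 * reached from the H_RANDOM handler with regs == NULL in an L1 guest. */
static unsigned long powernv_get_random_long_model(void)
{
	return (unsigned long)*rng_state.regs;
}

/* Seed callback the driver installs into ppc_md once the registers exist. */
static bool powernv_get_random_seed_model(unsigned long *v)
{
	*v = powernv_get_random_long_model();
	return true;
}

/* The path the reply recommends: go through ppc_md and report "no RNG"
 * instead of touching registers that were never mapped. */
bool arch_get_random_seed_long_model(unsigned long *v)
{
	if (ppc_md_model.get_random_seed)
		return ppc_md_model.get_random_seed(v);
	return false;
}

/* Simulated driver probe. With the device-tree node present the registers
 * are mapped and the callback registered; without it (the L1 VM case in
 * the thread) both stay NULL. */
void rng_setup_model(bool dt_has_power_rng_node)
{
	if (dt_has_power_rng_node) {
		rng_state.regs = &fake_rng_reg;
		ppc_md_model.get_random_seed = powernv_get_random_seed_model;
	} else {
		rng_state.regs = NULL;
		ppc_md_model.get_random_seed = NULL;
	}
}

/* Model of an H_RANDOM handler built on the safe entry point:
 * 0 with a value on success, -1 when the RNG is unavailable. */
int h_random_model(unsigned long *out)
{
	if (!arch_get_random_seed_long_model(out))
		return -1;
	return 0;
}

int main(void)
{
	unsigned long v = 0;

	rng_setup_model(false); /* nested guest: no "ibm,power-rng" node */
	printf("no rng: rc=%d\n", h_random_model(&v));

	rng_setup_model(true);  /* bare metal: registers mapped */
	printf("rng: rc=%d value=0x%lx\n", h_random_model(&v), v);
	return 0;
}
```

Calling powernv_get_random_long_model() directly in the "no rng" configuration would reproduce the NULL dereference the trace shows; the wrapper makes that state an ordinary error return, which is why the reply prefers it to adding pointer checks inside the driver.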