Syzkaller found the following crash:
general protection fault, probably for non-canonical address
0xdffffc0000000013: 0000 [#1] PREEMPT SMP KASAN NOPTI
KASAN: null-ptr-deref in range [0x0000000000000098-0x000000000000009f]
CPU: 1 PID: 679 Comm: syz-executor210 Not tainted 5.17.0-rc8 #6
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
1.10.2-1ubuntu1~cloud0 04/01/2014
RIP: 0010:kvm_irq_delivery_to_apic_fast+0x3dd/0x670 arch/x86/kvm/lapic.c:995
...
Call Trace:
<TASK>
kvm_irq_delivery_to_apic+0xb8/0x860 arch/x86/kvm/irq_comm.c:54
synic_set_irq+0x169/0x340 arch/x86/kvm/hyperv.c:463
synic_deliver_msg arch/x86/kvm/hyperv.c:770 [inline]
stimer_send_msg arch/x86/kvm/hyperv.c:793 [inline]
stimer_expiration arch/x86/kvm/hyperv.c:817 [inline]
kvm_hv_process_stimers+0xe85/0x1210 arch/x86/kvm/hyperv.c:849
vcpu_enter_guest+0x37cb/0x4070 arch/x86/kvm/x86.c:9947
vcpu_run arch/x86/kvm/x86.c:10261 [inline]
...
The immediate issue is that kvm_irq_delivery_to_apic_fast() dereferences
'src' while in some cases it can be NULL. A sentinel against this is added
in PATCH2 of the series, however, the condition should not happen in the
first place. synic_set_irq() should not call kvm_irq_delivery_to_apic() with
'shorthand = APIC_DEST_SELF' and 'vcpu->arch.apic == NULL' and this is also
'fixed' by PATCH1. The root cause of the problem, however, is that VMM was
allowed to enable Hyper-V synthetic timer when IRQ chip wasn't created.
This is fixed by PATCH3.
Vitaly Kuznetsov (3):
KVM: x86: Check lapic_in_kernel() before attempting to set a SynIC irq
KVM: x86: Avoid theoretical NULL pointer dereference in
kvm_irq_delivery_to_apic_fast()
KVM: x86: Forbid VMM to set SYNIC/STIMER MSRs when SynIC wasn't
activated
arch/x86/kvm/hyperv.c | 12 +++++++++---
arch/x86/kvm/lapic.c | 4 ++++
2 files changed, 13 insertions(+), 3 deletions(-)
--
2.35.1
