Re: [syzbot] general protection fault in kvm_mmu_uninit_tdp_mmu

Pavel Skripkin <paskripkin@xxxxxxxxx> · Fri, 25 Mar 2022 18:51:40 +0300

On 3/25/22 16:10, syzbot wrote:
Hello,

syzbot found the following issue on:

HEAD commit:    f9006d9269ea Add linux-next specific files for 20220321
git tree:       linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=101191bd700000
kernel config:  https://syzkaller.appspot.com/x/.config?x=c1619ffa2b0259a1
dashboard link: https://syzkaller.appspot.com/bug?extid=717ed82268812a643b28
compiler:       gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=109e8f5d700000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1666180b700000

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+717ed82268812a643b28@xxxxxxxxxxxxxxxxxxxxxxxxx


The following code is not safe:

arch/x86/kvm/mmu/tdp_mmu.c:

28	kvm->arch.tdp_mmu_zap_wq =
29		alloc_workqueue("kvm", WQ_UNBOUND|WQ_MEM_RECLAIM|WQ_CPU_INTENSIVE, 0);
30
31	return true;


Looks like kvm_mmu_init_tdp_mmu() error value is just ignored, and then 
all kvm_*_init_vm() functions are void, so the easiest solution is to 
check that tdp_mmu_zap_wq is valid pointer


#syz test: 
git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git master




With regards,
Pavel Skripkin

diff --git a/arch/x86/kvm/mmu/tdp_mmu.c b/arch/x86/kvm/mmu/tdp_mmu.c
index e7e7876251b3..b3e8ff7ac5b0 100644
--- a/arch/x86/kvm/mmu/tdp_mmu.c
+++ b/arch/x86/kvm/mmu/tdp_mmu.c
@@ -48,8 +48,10 @@ void kvm_mmu_uninit_tdp_mmu(struct kvm *kvm)
 	if (!kvm->arch.tdp_mmu_enabled)
 		return;
 
-	flush_workqueue(kvm->arch.tdp_mmu_zap_wq);
-	destroy_workqueue(kvm->arch.tdp_mmu_zap_wq);
+	if (kvm->arch.tdp_mmu_zap_wq) {
+		flush_workqueue(kvm->arch.tdp_mmu_zap_wq);
+		destroy_workqueue(kvm->arch.tdp_mmu_zap_wq);
+	}
 
 	WARN_ON(!list_empty(&kvm->arch.tdp_mmu_pages));
 	WARN_ON(!list_empty(&kvm->arch.tdp_mmu_roots));
@@ -119,9 +121,11 @@ static void tdp_mmu_zap_root_work(struct work_struct *work)
 
 static void tdp_mmu_schedule_zap_root(struct kvm *kvm, struct kvm_mmu_page *root)
 {
-	root->tdp_mmu_async_data = kvm;
-	INIT_WORK(&root->tdp_mmu_async_work, tdp_mmu_zap_root_work);
-	queue_work(kvm->arch.tdp_mmu_zap_wq, &root->tdp_mmu_async_work);
+	if (kvm->arch.tdp_mmu_zap_wq) {
+		root->tdp_mmu_async_data = kvm;
+		INIT_WORK(&root->tdp_mmu_async_work, tdp_mmu_zap_root_work);
+		queue_work(kvm->arch.tdp_mmu_zap_wq, &root->tdp_mmu_async_work);
+	}
 }
 
 static inline bool kvm_tdp_root_mark_invalid(struct kvm_mmu_page *page)




