On 3/25/22 17:38, Pavel Skripkin wrote:
Syzbot reported GPF in kvm_mmu_uninit_tdp_mmu(), which is caused by passing a NULL pointer to flush_workqueue(). tdp_mmu_zap_wq is allocated via alloc_workqueue() which may fail. There is no error handling and kvm_mmu_uninit_tdp_mmu() return value is simply ignored. Even all the kvm_*_init_vm() functions are void, so the easiest solution is to check that tdp_mmu_zap_wq is a valid pointer before passing it somewhere.
Thanks for the analysis, but not scheduling the work item in tdp_mmu_schedule_zap_root is broken; you can't just let the roots survive (KVM uses its own workqueue because it needs the work item to complete, and has to flush it before kvm_mmu_zap_all_fast returns).
I'll fix it properly by propagating the error up to kvm_mmu_init_vm and kvm_arch_init_vm.
Thanks, Paolo
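The shape of the fix Paolo describes, as an added userspace model that is not KVM code and not from either poster: alloc_workqueue() can fail, so instead of NULL-checking tdp_mmu_zap_wq at every use (which would silently skip the zap and leave roots alive), the model's tdp_mmu_init() returns -ENOMEM, mmu_init_vm() and arch_init_vm() propagate it, and the VM is never created, so uninit never flushes a NULL queue. All function and struct names here (tdp_mmu_init, mmu_init_vm, arch_init_vm, run_vm_lifecycle, the *_model helpers, the fail_alloc_workqueue knob) are hypothetical stand-ins for the kernel functions named in the thread.

```c
/* Constructed userspace model of the KVM init/uninit error path; hypothetical names, not kernel code. */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Stand-in for struct workqueue_struct: just counts queued zap items. */
struct workqueue {
    int pending;
};

/* Hypothetical fault-injection knob: when set, the workqueue allocation fails like alloc_workqueue() can. */
static bool fail_alloc_workqueue;

static struct workqueue *alloc_workqueue_model(void)
{
    if (fail_alloc_workqueue)
        return NULL;
    return calloc(1, sizeof(struct workqueue));
}

/* Runs every queued item. A NULL queue is the syzbot crash; the model refuses rather than dereferencing it. */
static int flush_workqueue_model(struct workqueue *wq)
{
    int ran;

    if (!wq)
        abort();
    ran = wq->pending;
    wq->pending = 0;
    return ran;
}

static void destroy_workqueue_model(struct workqueue *wq)
{
    free(wq);
}

struct kvm_model {
    struct workqueue *tdp_mmu_zap_wq;
    bool tdp_mmu_enabled;   /* set only once init fully succeeded */
    int roots_alive;        /* roots whose zap has not yet run */
};

/* Model of kvm_mmu_init_tdp_mmu(): reports allocation failure instead of being ignored. */
static int tdp_mmu_init(struct kvm_model *kvm)
{
    kvm->tdp_mmu_zap_wq = alloc_workqueue_model();
    if (!kvm->tdp_mmu_zap_wq)
        return -ENOMEM;
    kvm->tdp_mmu_enabled = true;
    return 0;
}

/* Model of kvm_mmu_uninit_tdp_mmu(): flushes so every scheduled zap completes before teardown. */
static void tdp_mmu_uninit(struct kvm_model *kvm)
{
    if (!kvm->tdp_mmu_enabled)
        return;   /* init failed earlier: nothing was allocated, nothing to flush */
    kvm->roots_alive -= flush_workqueue_model(kvm->tdp_mmu_zap_wq);
    destroy_workqueue_model(kvm->tdp_mmu_zap_wq);
    kvm->tdp_mmu_zap_wq = NULL;
}

/* Models of kvm_mmu_init_vm() / kvm_arch_init_vm(): int instead of void, so the error reaches VM creation. */
static int mmu_init_vm(struct kvm_model *kvm)
{
    return tdp_mmu_init(kvm);
}

static int arch_init_vm(struct kvm_model *kvm)
{
    return mmu_init_vm(kvm);
}

static void arch_destroy_vm(struct kvm_model *kvm)
{
    tdp_mmu_uninit(kvm);
}

/* Model of tdp_mmu_schedule_zap_root(): no NULL check needed, init guaranteed the queue exists. */
static void schedule_zap_root(struct kvm_model *kvm)
{
    kvm->roots_alive++;
    kvm->tdp_mmu_zap_wq->pending++;
}

/* Drives one VM lifecycle; returns the init error code and how many roots survived teardown. */
static int run_vm_lifecycle(bool inject_failure, int *roots_after)
{
    struct kvm_model kvm = {0};
    int r;

    fail_alloc_workqueue = inject_failure;
    r = arch_init_vm(&kvm);
    if (r) {
        *roots_after = 0;
        return r;   /* VM creation fails cleanly; no destroy path runs */
    }
    schedule_zap_root(&kvm);
    arch_destroy_vm(&kvm);   /* flush runs the zap before returning */
    *roots_after = kvm.roots_alive;
    return 0;
}

int main(void)
{
    int roots;

    printf("normal init: rc=%d, roots left=%d\n", run_vm_lifecycle(false, &roots), roots);
    printf("alloc failure: rc=%d (-ENOMEM is %d)\n", run_vm_lifecycle(true, &roots), -ENOMEM);
    return 0;
}
```

The point of the flush in tdp_mmu_uninit() is the one Paolo makes: a root that was scheduled for zapping must actually be zapped before teardown returns, which is why skipping the schedule on a NULL queue is not an option and the failure has to be refused at init time instead.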