On Thu, 2022-07-28 at 14:47 -0500, Coleman Dietsch wrote:
> This crash appears to be happening when vcpu->arch.xen.timer is
> already set and kvm_xen_init_timer(vcpu) is called.
>
> During testing with the syzbot reproducer code it seemed apparent
> that the else if statement in the KVM_XEN_VCPU_ATTR_TYPE_TIMER switch
> case was not being reached, which is where the
> kvm_xen_stop_timer(vcpu) call is located.
>
> Link: https://syzkaller.appspot.com/bug?id=8234a9dfd3aafbf092cc5a7cd9842e3ebc45fc42
>
> Reported-and-tested-by: syzbot+e54f930ed78eb0f85281@xxxxxxxxxxxxxxxxxxxxxxxxx
>
> Signed-off-by: Coleman Dietsch <dietschc@xxxxxxx>

Modulo the cosmetic issues discussed,

Acked-by: David Woodhouse <dwmw@xxxxxxxxxxxx>

Thanks.

> ---
> arch/x86/kvm/xen.c | 9 ++++++---
> 1 file changed, 6 insertions(+), 3 deletions(-)
>
> diff --git a/arch/x86/kvm/xen.c b/arch/x86/kvm/xen.c
> index 610beba35907..4b4b985813c5 100644
> --- a/arch/x86/kvm/xen.c
> +++ b/arch/x86/kvm/xen.c
> @@ -707,6 +707,12 @@ int kvm_xen_vcpu_set_attr(struct kvm_vcpu *vcpu, struct kvm_xen_vcpu_attr *data)
> break;
>
> case KVM_XEN_VCPU_ATTR_TYPE_TIMER:
> + /* Stop current timer if it is enabled */
> + if (kvm_xen_timer_enabled(vcpu)) {
> + kvm_xen_stop_timer(vcpu);
> + vcpu->arch.xen.timer_virq = 0;
> + }
> +
> if (data->u.timer.port) {
> if (data->u.timer.priority != KVM_IRQ_ROUTING_XEN_EVTCHN_PRIO_2LEVEL) {
> r = -EINVAL;
> @@ -720,9 +726,6 @@ int kvm_xen_vcpu_set_attr(struct kvm_vcpu *vcpu, struct kvm_xen_vcpu_attr *data)
> kvm_xen_start_timer(vcpu, data->u.timer.expires_ns,
> data->u.timer.expires_ns -
> get_kvmclock_ns(vcpu->kvm));
> - } else if (kvm_xen_timer_enabled(vcpu)) {
> - kvm_xen_stop_timer(vcpu);
> - vcpu->arch.xen.timer_virq = 0;
> }
>
> r = 0;
>
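Review bot: in the first hunk the existing timer is stopped and `vcpu->arch.xen.timer_virq` cleared before `data->u.timer.port` and `data->u.timer.priority` are validated, so a request that then fails with `r = -EINVAL` on the priority check still tears down the previously armed timer as a side effect of a rejected attribute set. Consider moving the new stop block after the validation (or running it only once the new attribute is known to be acceptable) so a rejected KVM_XEN_VCPU_ATTR_TYPE_TIMER request leaves the vCPU's timer state untouched while still keeping the stop-before-rearm ordering that fixes the syzbot case.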
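Review bot: with the `} else if (kvm_xen_timer_enabled(vcpu)) {` branch removed in the second hunk, disabling the timer by passing a zero `port` now depends entirely on the unconditional stop block added at the top of the case, and `vcpu->arch.xen.timer_virq = 0;` is executed before the new port is examined. The hunk does not show where `timer_virq` is assigned for a non-zero port; confirm that assignment happens after the new clearing block, otherwise a valid re-arm would reach `kvm_xen_start_timer(vcpu, data->u.timer.expires_ns, ...)` with the vIRQ already zeroed.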