diff mbox series

[SRU,1/1] KVM: X86: Fix scan ioapic use-before-initialization

Message ID 20181204022238.13757-2-khalid.elmously@canonical.com
State New
Headers show
Series Fix for CVE-2018-19407 | expand

Commit Message

Khalid Elmously Dec. 4, 2018, 2:22 a.m. UTC 
From: Wanpeng Li <wanpengli@tencent.com>

CVE-2018-19407

Reported by syzkaller:

 BUG: unable to handle kernel NULL pointer dereference at 00000000000001c8
 PGD 80000003ec4da067 P4D 80000003ec4da067 PUD 3f7bfa067 PMD 0
 Oops: 0000 [#1] PREEMPT SMP PTI
 CPU: 7 PID: 5059 Comm: debug Tainted: G           OE     4.19.0-rc5 #16
 RIP: 0010:__lock_acquire+0x1a6/0x1990
 Call Trace:
  lock_acquire+0xdb/0x210
  _raw_spin_lock+0x38/0x70
  kvm_ioapic_scan_entry+0x3e/0x110 [kvm]
  vcpu_enter_guest+0x167e/0x1910 [kvm]
  kvm_arch_vcpu_ioctl_run+0x35c/0x610 [kvm]
  kvm_vcpu_ioctl+0x3e9/0x6d0 [kvm]
  do_vfs_ioctl+0xa5/0x690
  ksys_ioctl+0x6d/0x80
  __x64_sys_ioctl+0x1a/0x20
  do_syscall_64+0x83/0x6e0
  entry_SYSCALL_64_after_hwframe+0x49/0xbe

The reason is that the testcase writes hyperv synic HV_X64_MSR_SINT6 msr
and triggers scan ioapic logic to load synic vectors into EOI exit bitmap.
However, irqchip is not initialized by this simple testcase, ioapic/apic
objects should not be accessed.
This can be triggered by the following program:

    #define _GNU_SOURCE

    #include <endian.h>
    #include <stdint.h>
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <sys/syscall.h>
    #include <sys/types.h>
    #include <unistd.h>

    uint64_t r[3] = {0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff};

    int main(void)
    {
    	syscall(__NR_mmap, 0x20000000, 0x1000000, 3, 0x32, -1, 0);
    	long res = 0;
    	memcpy((void*)0x20000040, "/dev/kvm", 9);
    	res = syscall(__NR_openat, 0xffffffffffffff9c, 0x20000040, 0, 0);
    	if (res != -1)
    		r[0] = res;
    	res = syscall(__NR_ioctl, r[0], 0xae01, 0);
    	if (res != -1)
    		r[1] = res;
    	res = syscall(__NR_ioctl, r[1], 0xae41, 0);
    	if (res != -1)
    		r[2] = res;
    	memcpy(
    			(void*)0x20000080,
    			"\x01\x00\x00\x00\x00\x5b\x61\xbb\x96\x00\x00\x40\x00\x00\x00\x00\x01\x00"
    			"\x08\x00\x00\x00\x00\x00\x0b\x77\xd1\x78\x4d\xd8\x3a\xed\xb1\x5c\x2e\x43"
    			"\xaa\x43\x39\xd6\xff\xf5\xf0\xa8\x98\xf2\x3e\x37\x29\x89\xde\x88\xc6\x33"
    			"\xfc\x2a\xdb\xb7\xe1\x4c\xac\x28\x61\x7b\x9c\xa9\xbc\x0d\xa0\x63\xfe\xfe"
    			"\xe8\x75\xde\xdd\x19\x38\xdc\x34\xf5\xec\x05\xfd\xeb\x5d\xed\x2e\xaf\x22"
    			"\xfa\xab\xb7\xe4\x42\x67\xd0\xaf\x06\x1c\x6a\x35\x67\x10\x55\xcb",
    			106);
    	syscall(__NR_ioctl, r[2], 0x4008ae89, 0x20000080);
    	syscall(__NR_ioctl, r[2], 0xae80, 0);
    	return 0;
    }

This patch fixes it by bailing out scan ioapic if ioapic is not initialized in
kernel.

Reported-by: Wei Wu <ww9210@gmail.com>
Cc: Paolo Bonzini <pbonzini@redhat.com>
Cc: Radim Krčmář <rkrcmar@redhat.com>
Cc: Wei Wu <ww9210@gmail.com>
Signed-off-by: Wanpeng Li <wanpengli@tencent.com>
Cc: stable@vger.kernel.org
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry-picked from e97f852fd4561e77721bb9a4e0ea9d98305b1e93)
Signed-off-by: Khalid Elmously <khalid.elmously@canonical.com>
---
 arch/x86/kvm/x86.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

Comments

Juerg Haefliger Dec. 4, 2018, 11:14 a.m. UTC | #1 
On Mon,  3 Dec 2018 21:22:38 -0500
Khalid Elmously <khalid.elmously@canonical.com> wrote:

> From: Wanpeng Li <wanpengli@tencent.com>
> 
> CVE-2018-19407
> 
> Reported by syzkaller:
> 
>  BUG: unable to handle kernel NULL pointer dereference at 00000000000001c8
>  PGD 80000003ec4da067 P4D 80000003ec4da067 PUD 3f7bfa067 PMD 0
>  Oops: 0000 [#1] PREEMPT SMP PTI
>  CPU: 7 PID: 5059 Comm: debug Tainted: G           OE     4.19.0-rc5 #16
>  RIP: 0010:__lock_acquire+0x1a6/0x1990
>  Call Trace:
>   lock_acquire+0xdb/0x210
>   _raw_spin_lock+0x38/0x70
>   kvm_ioapic_scan_entry+0x3e/0x110 [kvm]
>   vcpu_enter_guest+0x167e/0x1910 [kvm]
>   kvm_arch_vcpu_ioctl_run+0x35c/0x610 [kvm]
>   kvm_vcpu_ioctl+0x3e9/0x6d0 [kvm]
>   do_vfs_ioctl+0xa5/0x690
>   ksys_ioctl+0x6d/0x80
>   __x64_sys_ioctl+0x1a/0x20
>   do_syscall_64+0x83/0x6e0
>   entry_SYSCALL_64_after_hwframe+0x49/0xbe
> 
> The reason is that the testcase writes hyperv synic HV_X64_MSR_SINT6 msr
> and triggers scan ioapic logic to load synic vectors into EOI exit bitmap.
> However, irqchip is not initialized by this simple testcase, ioapic/apic
> objects should not be accessed.
> This can be triggered by the following program:
> 
>     #define _GNU_SOURCE
> 
>     #include <endian.h>
>     #include <stdint.h>
>     #include <stdio.h>
>     #include <stdlib.h>
>     #include <string.h>
>     #include <sys/syscall.h>
>     #include <sys/types.h>
>     #include <unistd.h>
> 
>     uint64_t r[3] = {0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff};
> 
>     int main(void)
>     {
>     	syscall(__NR_mmap, 0x20000000, 0x1000000, 3, 0x32, -1, 0);
>     	long res = 0;
>     	memcpy((void*)0x20000040, "/dev/kvm", 9);
>     	res = syscall(__NR_openat, 0xffffffffffffff9c, 0x20000040, 0, 0);
>     	if (res != -1)
>     		r[0] = res;
>     	res = syscall(__NR_ioctl, r[0], 0xae01, 0);
>     	if (res != -1)
>     		r[1] = res;
>     	res = syscall(__NR_ioctl, r[1], 0xae41, 0);
>     	if (res != -1)
>     		r[2] = res;
>     	memcpy(
>     			(void*)0x20000080,
>     			"\x01\x00\x00\x00\x00\x5b\x61\xbb\x96\x00\x00\x40\x00\x00\x00\x00\x01\x00"
>     			"\x08\x00\x00\x00\x00\x00\x0b\x77\xd1\x78\x4d\xd8\x3a\xed\xb1\x5c\x2e\x43"
>     			"\xaa\x43\x39\xd6\xff\xf5\xf0\xa8\x98\xf2\x3e\x37\x29\x89\xde\x88\xc6\x33"
>     			"\xfc\x2a\xdb\xb7\xe1\x4c\xac\x28\x61\x7b\x9c\xa9\xbc\x0d\xa0\x63\xfe\xfe"
>     			"\xe8\x75\xde\xdd\x19\x38\xdc\x34\xf5\xec\x05\xfd\xeb\x5d\xed\x2e\xaf\x22"
>     			"\xfa\xab\xb7\xe4\x42\x67\xd0\xaf\x06\x1c\x6a\x35\x67\x10\x55\xcb",
>     			106);
>     	syscall(__NR_ioctl, r[2], 0x4008ae89, 0x20000080);
>     	syscall(__NR_ioctl, r[2], 0xae80, 0);
>     	return 0;
>     }
> 
> This patch fixes it by bailing out scan ioapic if ioapic is not initialized in
> kernel.
> 
> Reported-by: Wei Wu <ww9210@gmail.com>
> Cc: Paolo Bonzini <pbonzini@redhat.com>
> Cc: Radim Krčmář <rkrcmar@redhat.com>
> Cc: Wei Wu <ww9210@gmail.com>
> Signed-off-by: Wanpeng Li <wanpengli@tencent.com>
> Cc: stable@vger.kernel.org
> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

Empty line here please.

> (cherry-picked from e97f852fd4561e77721bb9a4e0ea9d98305b1e93)

(cherry picked from commit ...

Just like git cherry-pick -x produces.

...Juerg


> Signed-off-by: Khalid Elmously <khalid.elmously@canonical.com>
> ---
>  arch/x86/kvm/x86.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
> index c98ffb0e6b47..a3b6f780ad99 100644
> --- a/arch/x86/kvm/x86.c
> +++ b/arch/x86/kvm/x86.c
> @@ -7225,7 +7225,8 @@ static void vcpu_scan_ioapic(struct kvm_vcpu *vcpu)
>  	else {
>  		if (vcpu->arch.apicv_active)
>  			kvm_x86_ops->sync_pir_to_irr(vcpu);
> -		kvm_ioapic_scan_entry(vcpu, vcpu->arch.ioapic_handled_vectors);
> +		if (ioapic_in_kernel(vcpu->kvm))
> +			kvm_ioapic_scan_entry(vcpu, vcpu->arch.ioapic_handled_vectors);
>  	}
>  
>  	if (is_guest_mode(vcpu))
Seth Forshee Dec. 5, 2018, 2:06 p.m. UTC | #2 
On Tue, Dec 04, 2018 at 12:14:08PM +0100, Juerg Haefliger wrote:
> On Mon,  3 Dec 2018 21:22:38 -0500
> Khalid Elmously <khalid.elmously@canonical.com> wrote:
> 
> > From: Wanpeng Li <wanpengli@tencent.com>
> > 
> > CVE-2018-19407
> > 
> > Reported by syzkaller:
> > 
> >  BUG: unable to handle kernel NULL pointer dereference at 00000000000001c8
> >  PGD 80000003ec4da067 P4D 80000003ec4da067 PUD 3f7bfa067 PMD 0
> >  Oops: 0000 [#1] PREEMPT SMP PTI
> >  CPU: 7 PID: 5059 Comm: debug Tainted: G           OE     4.19.0-rc5 #16
> >  RIP: 0010:__lock_acquire+0x1a6/0x1990
> >  Call Trace:
> >   lock_acquire+0xdb/0x210
> >   _raw_spin_lock+0x38/0x70
> >   kvm_ioapic_scan_entry+0x3e/0x110 [kvm]
> >   vcpu_enter_guest+0x167e/0x1910 [kvm]
> >   kvm_arch_vcpu_ioctl_run+0x35c/0x610 [kvm]
> >   kvm_vcpu_ioctl+0x3e9/0x6d0 [kvm]
> >   do_vfs_ioctl+0xa5/0x690
> >   ksys_ioctl+0x6d/0x80
> >   __x64_sys_ioctl+0x1a/0x20
> >   do_syscall_64+0x83/0x6e0
> >   entry_SYSCALL_64_after_hwframe+0x49/0xbe
> > 
> > The reason is that the testcase writes hyperv synic HV_X64_MSR_SINT6 msr
> > and triggers scan ioapic logic to load synic vectors into EOI exit bitmap.
> > However, irqchip is not initialized by this simple testcase, ioapic/apic
> > objects should not be accessed.
> > This can be triggered by the following program:
> > 
> >     #define _GNU_SOURCE
> > 
> >     #include <endian.h>
> >     #include <stdint.h>
> >     #include <stdio.h>
> >     #include <stdlib.h>
> >     #include <string.h>
> >     #include <sys/syscall.h>
> >     #include <sys/types.h>
> >     #include <unistd.h>
> > 
> >     uint64_t r[3] = {0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff};
> > 
> >     int main(void)
> >     {
> >     	syscall(__NR_mmap, 0x20000000, 0x1000000, 3, 0x32, -1, 0);
> >     	long res = 0;
> >     	memcpy((void*)0x20000040, "/dev/kvm", 9);
> >     	res = syscall(__NR_openat, 0xffffffffffffff9c, 0x20000040, 0, 0);
> >     	if (res != -1)
> >     		r[0] = res;
> >     	res = syscall(__NR_ioctl, r[0], 0xae01, 0);
> >     	if (res != -1)
> >     		r[1] = res;
> >     	res = syscall(__NR_ioctl, r[1], 0xae41, 0);
> >     	if (res != -1)
> >     		r[2] = res;
> >     	memcpy(
> >     			(void*)0x20000080,
> >     			"\x01\x00\x00\x00\x00\x5b\x61\xbb\x96\x00\x00\x40\x00\x00\x00\x00\x01\x00"
> >     			"\x08\x00\x00\x00\x00\x00\x0b\x77\xd1\x78\x4d\xd8\x3a\xed\xb1\x5c\x2e\x43"
> >     			"\xaa\x43\x39\xd6\xff\xf5\xf0\xa8\x98\xf2\x3e\x37\x29\x89\xde\x88\xc6\x33"
> >     			"\xfc\x2a\xdb\xb7\xe1\x4c\xac\x28\x61\x7b\x9c\xa9\xbc\x0d\xa0\x63\xfe\xfe"
> >     			"\xe8\x75\xde\xdd\x19\x38\xdc\x34\xf5\xec\x05\xfd\xeb\x5d\xed\x2e\xaf\x22"
> >     			"\xfa\xab\xb7\xe4\x42\x67\xd0\xaf\x06\x1c\x6a\x35\x67\x10\x55\xcb",
> >     			106);
> >     	syscall(__NR_ioctl, r[2], 0x4008ae89, 0x20000080);
> >     	syscall(__NR_ioctl, r[2], 0xae80, 0);
> >     	return 0;
> >     }
> > 
> > This patch fixes it by bailing out scan ioapic if ioapic is not initialized in
> > kernel.
> > 
> > Reported-by: Wei Wu <ww9210@gmail.com>
> > Cc: Paolo Bonzini <pbonzini@redhat.com>
> > Cc: Radim Krčmář <rkrcmar@redhat.com>
> > Cc: Wei Wu <ww9210@gmail.com>
> > Signed-off-by: Wanpeng Li <wanpengli@tencent.com>
> > Cc: stable@vger.kernel.org
> > Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
> 
> Empty line here please.

Um, why? This has never been a requirement, and it's not what is
produced by 'git cherry-pick -x'. I personally don't want to have to go
in and hand-edit the commit message to add a blank line here every time
I cherry pick a patch.
Colin Ian King Dec. 5, 2018, 2:10 p.m. UTC | #3 
On 05/12/2018 14:06, Seth Forshee wrote:
> On Tue, Dec 04, 2018 at 12:14:08PM +0100, Juerg Haefliger wrote:
>> On Mon,  3 Dec 2018 21:22:38 -0500
>> Khalid Elmously <khalid.elmously@canonical.com> wrote:
>>
>>> From: Wanpeng Li <wanpengli@tencent.com>
>>>
>>> CVE-2018-19407
>>>
>>> Reported by syzkaller:
>>>
>>>  BUG: unable to handle kernel NULL pointer dereference at 00000000000001c8
>>>  PGD 80000003ec4da067 P4D 80000003ec4da067 PUD 3f7bfa067 PMD 0
>>>  Oops: 0000 [#1] PREEMPT SMP PTI
>>>  CPU: 7 PID: 5059 Comm: debug Tainted: G           OE     4.19.0-rc5 #16
>>>  RIP: 0010:__lock_acquire+0x1a6/0x1990
>>>  Call Trace:
>>>   lock_acquire+0xdb/0x210
>>>   _raw_spin_lock+0x38/0x70
>>>   kvm_ioapic_scan_entry+0x3e/0x110 [kvm]
>>>   vcpu_enter_guest+0x167e/0x1910 [kvm]
>>>   kvm_arch_vcpu_ioctl_run+0x35c/0x610 [kvm]
>>>   kvm_vcpu_ioctl+0x3e9/0x6d0 [kvm]
>>>   do_vfs_ioctl+0xa5/0x690
>>>   ksys_ioctl+0x6d/0x80
>>>   __x64_sys_ioctl+0x1a/0x20
>>>   do_syscall_64+0x83/0x6e0
>>>   entry_SYSCALL_64_after_hwframe+0x49/0xbe
>>>
>>> The reason is that the testcase writes hyperv synic HV_X64_MSR_SINT6 msr
>>> and triggers scan ioapic logic to load synic vectors into EOI exit bitmap.
>>> However, irqchip is not initialized by this simple testcase, ioapic/apic
>>> objects should not be accessed.
>>> This can be triggered by the following program:
>>>
>>>     #define _GNU_SOURCE
>>>
>>>     #include <endian.h>
>>>     #include <stdint.h>
>>>     #include <stdio.h>
>>>     #include <stdlib.h>
>>>     #include <string.h>
>>>     #include <sys/syscall.h>
>>>     #include <sys/types.h>
>>>     #include <unistd.h>
>>>
>>>     uint64_t r[3] = {0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff};
>>>
>>>     int main(void)
>>>     {
>>>     	syscall(__NR_mmap, 0x20000000, 0x1000000, 3, 0x32, -1, 0);
>>>     	long res = 0;
>>>     	memcpy((void*)0x20000040, "/dev/kvm", 9);
>>>     	res = syscall(__NR_openat, 0xffffffffffffff9c, 0x20000040, 0, 0);
>>>     	if (res != -1)
>>>     		r[0] = res;
>>>     	res = syscall(__NR_ioctl, r[0], 0xae01, 0);
>>>     	if (res != -1)
>>>     		r[1] = res;
>>>     	res = syscall(__NR_ioctl, r[1], 0xae41, 0);
>>>     	if (res != -1)
>>>     		r[2] = res;
>>>     	memcpy(
>>>     			(void*)0x20000080,
>>>     			"\x01\x00\x00\x00\x00\x5b\x61\xbb\x96\x00\x00\x40\x00\x00\x00\x00\x01\x00"
>>>     			"\x08\x00\x00\x00\x00\x00\x0b\x77\xd1\x78\x4d\xd8\x3a\xed\xb1\x5c\x2e\x43"
>>>     			"\xaa\x43\x39\xd6\xff\xf5\xf0\xa8\x98\xf2\x3e\x37\x29\x89\xde\x88\xc6\x33"
>>>     			"\xfc\x2a\xdb\xb7\xe1\x4c\xac\x28\x61\x7b\x9c\xa9\xbc\x0d\xa0\x63\xfe\xfe"
>>>     			"\xe8\x75\xde\xdd\x19\x38\xdc\x34\xf5\xec\x05\xfd\xeb\x5d\xed\x2e\xaf\x22"
>>>     			"\xfa\xab\xb7\xe4\x42\x67\xd0\xaf\x06\x1c\x6a\x35\x67\x10\x55\xcb",
>>>     			106);
>>>     	syscall(__NR_ioctl, r[2], 0x4008ae89, 0x20000080);
>>>     	syscall(__NR_ioctl, r[2], 0xae80, 0);
>>>     	return 0;
>>>     }
>>>
>>> This patch fixes it by bailing out scan ioapic if ioapic is not initialized in
>>> kernel.
>>>
>>> Reported-by: Wei Wu <ww9210@gmail.com>
>>> Cc: Paolo Bonzini <pbonzini@redhat.com>
>>> Cc: Radim Krčmář <rkrcmar@redhat.com>
>>> Cc: Wei Wu <ww9210@gmail.com>
>>> Signed-off-by: Wanpeng Li <wanpengli@tencent.com>
>>> Cc: stable@vger.kernel.org
>>> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
>>
>> Empty line here please.
> 
> Um, why? This has never been a requirement, and it's not what is
> produced by 'git cherry-pick -x'. I personally don't want to have to go
> in and hand-edit the commit message to add a blank line here every time
> I cherry pick a patch.

+1 to that too, we've never added blank lines in the past, why the change?

Colin
Stefan Bader Dec. 5, 2018, 3:30 p.m. UTC | #4 
On 05.12.18 15:10, Colin Ian King wrote:
> On 05/12/2018 14:06, Seth Forshee wrote:
>> On Tue, Dec 04, 2018 at 12:14:08PM +0100, Juerg Haefliger wrote:
>>> On Mon,  3 Dec 2018 21:22:38 -0500
>>> Khalid Elmously <khalid.elmously@canonical.com> wrote:
>>>
>>>> From: Wanpeng Li <wanpengli@tencent.com>
>>>>
>>>> CVE-2018-19407
>>>>
>>>> Reported by syzkaller:
>>>>
>>>>  BUG: unable to handle kernel NULL pointer dereference at 00000000000001c8
>>>>  PGD 80000003ec4da067 P4D 80000003ec4da067 PUD 3f7bfa067 PMD 0
>>>>  Oops: 0000 [#1] PREEMPT SMP PTI
>>>>  CPU: 7 PID: 5059 Comm: debug Tainted: G           OE     4.19.0-rc5 #16
>>>>  RIP: 0010:__lock_acquire+0x1a6/0x1990
>>>>  Call Trace:
>>>>   lock_acquire+0xdb/0x210
>>>>   _raw_spin_lock+0x38/0x70
>>>>   kvm_ioapic_scan_entry+0x3e/0x110 [kvm]
>>>>   vcpu_enter_guest+0x167e/0x1910 [kvm]
>>>>   kvm_arch_vcpu_ioctl_run+0x35c/0x610 [kvm]
>>>>   kvm_vcpu_ioctl+0x3e9/0x6d0 [kvm]
>>>>   do_vfs_ioctl+0xa5/0x690
>>>>   ksys_ioctl+0x6d/0x80
>>>>   __x64_sys_ioctl+0x1a/0x20
>>>>   do_syscall_64+0x83/0x6e0
>>>>   entry_SYSCALL_64_after_hwframe+0x49/0xbe
>>>>
>>>> The reason is that the testcase writes hyperv synic HV_X64_MSR_SINT6 msr
>>>> and triggers scan ioapic logic to load synic vectors into EOI exit bitmap.
>>>> However, irqchip is not initialized by this simple testcase, ioapic/apic
>>>> objects should not be accessed.
>>>> This can be triggered by the following program:
>>>>
>>>>     #define _GNU_SOURCE
>>>>
>>>>     #include <endian.h>
>>>>     #include <stdint.h>
>>>>     #include <stdio.h>
>>>>     #include <stdlib.h>
>>>>     #include <string.h>
>>>>     #include <sys/syscall.h>
>>>>     #include <sys/types.h>
>>>>     #include <unistd.h>
>>>>
>>>>     uint64_t r[3] = {0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff};
>>>>
>>>>     int main(void)
>>>>     {
>>>>     	syscall(__NR_mmap, 0x20000000, 0x1000000, 3, 0x32, -1, 0);
>>>>     	long res = 0;
>>>>     	memcpy((void*)0x20000040, "/dev/kvm", 9);
>>>>     	res = syscall(__NR_openat, 0xffffffffffffff9c, 0x20000040, 0, 0);
>>>>     	if (res != -1)
>>>>     		r[0] = res;
>>>>     	res = syscall(__NR_ioctl, r[0], 0xae01, 0);
>>>>     	if (res != -1)
>>>>     		r[1] = res;
>>>>     	res = syscall(__NR_ioctl, r[1], 0xae41, 0);
>>>>     	if (res != -1)
>>>>     		r[2] = res;
>>>>     	memcpy(
>>>>     			(void*)0x20000080,
>>>>     			"\x01\x00\x00\x00\x00\x5b\x61\xbb\x96\x00\x00\x40\x00\x00\x00\x00\x01\x00"
>>>>     			"\x08\x00\x00\x00\x00\x00\x0b\x77\xd1\x78\x4d\xd8\x3a\xed\xb1\x5c\x2e\x43"
>>>>     			"\xaa\x43\x39\xd6\xff\xf5\xf0\xa8\x98\xf2\x3e\x37\x29\x89\xde\x88\xc6\x33"
>>>>     			"\xfc\x2a\xdb\xb7\xe1\x4c\xac\x28\x61\x7b\x9c\xa9\xbc\x0d\xa0\x63\xfe\xfe"
>>>>     			"\xe8\x75\xde\xdd\x19\x38\xdc\x34\xf5\xec\x05\xfd\xeb\x5d\xed\x2e\xaf\x22"
>>>>     			"\xfa\xab\xb7\xe4\x42\x67\xd0\xaf\x06\x1c\x6a\x35\x67\x10\x55\xcb",
>>>>     			106);
>>>>     	syscall(__NR_ioctl, r[2], 0x4008ae89, 0x20000080);
>>>>     	syscall(__NR_ioctl, r[2], 0xae80, 0);
>>>>     	return 0;
>>>>     }
>>>>
>>>> This patch fixes it by bailing out scan ioapic if ioapic is not initialized in
>>>> kernel.
>>>>
>>>> Reported-by: Wei Wu <ww9210@gmail.com>
>>>> Cc: Paolo Bonzini <pbonzini@redhat.com>
>>>> Cc: Radim Krčmář <rkrcmar@redhat.com>
>>>> Cc: Wei Wu <ww9210@gmail.com>
>>>> Signed-off-by: Wanpeng Li <wanpengli@tencent.com>
>>>> Cc: stable@vger.kernel.org
>>>> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
>>>
>>> Empty line here please.
>>
>> Um, why? This has never been a requirement, and it's not what is
>> produced by 'git cherry-pick -x'. I personally don't want to have to go
>> in and hand-edit the commit message to add a blank line here every time
>> I cherry pick a patch.
> 
> +1 to that too, we've never added blank lines in the past, why the change?
> 
> Colin
> 
I did in some cases but would not make that a strict requirement in general. It
helps to improve separating the signed off chain from upstream from those added
by us.

-Stefan
Kleber Sacilotto de Souza Dec. 6, 2018, 7:47 a.m. UTC | #5 
On 12/5/18 3:06 PM, Seth Forshee wrote:
> On Tue, Dec 04, 2018 at 12:14:08PM +0100, Juerg Haefliger wrote:
>> On Mon,  3 Dec 2018 21:22:38 -0500
>> Khalid Elmously <khalid.elmously@canonical.com> wrote:
>>
>>> From: Wanpeng Li <wanpengli@tencent.com>
>>>
>>> CVE-2018-19407
>>>
>>> Reported by syzkaller:
>>>
>>>  BUG: unable to handle kernel NULL pointer dereference at 00000000000001c8
>>>  PGD 80000003ec4da067 P4D 80000003ec4da067 PUD 3f7bfa067 PMD 0
>>>  Oops: 0000 [#1] PREEMPT SMP PTI
>>>  CPU: 7 PID: 5059 Comm: debug Tainted: G           OE     4.19.0-rc5 #16
>>>  RIP: 0010:__lock_acquire+0x1a6/0x1990
>>>  Call Trace:
>>>   lock_acquire+0xdb/0x210
>>>   _raw_spin_lock+0x38/0x70
>>>   kvm_ioapic_scan_entry+0x3e/0x110 [kvm]
>>>   vcpu_enter_guest+0x167e/0x1910 [kvm]
>>>   kvm_arch_vcpu_ioctl_run+0x35c/0x610 [kvm]
>>>   kvm_vcpu_ioctl+0x3e9/0x6d0 [kvm]
>>>   do_vfs_ioctl+0xa5/0x690
>>>   ksys_ioctl+0x6d/0x80
>>>   __x64_sys_ioctl+0x1a/0x20
>>>   do_syscall_64+0x83/0x6e0
>>>   entry_SYSCALL_64_after_hwframe+0x49/0xbe
>>>
>>> The reason is that the testcase writes hyperv synic HV_X64_MSR_SINT6 msr
>>> and triggers scan ioapic logic to load synic vectors into EOI exit bitmap.
>>> However, irqchip is not initialized by this simple testcase, ioapic/apic
>>> objects should not be accessed.
>>> This can be triggered by the following program:
>>>
>>>     #define _GNU_SOURCE
>>>
>>>     #include <endian.h>
>>>     #include <stdint.h>
>>>     #include <stdio.h>
>>>     #include <stdlib.h>
>>>     #include <string.h>
>>>     #include <sys/syscall.h>
>>>     #include <sys/types.h>
>>>     #include <unistd.h>
>>>
>>>     uint64_t r[3] = {0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff};
>>>
>>>     int main(void)
>>>     {
>>>     	syscall(__NR_mmap, 0x20000000, 0x1000000, 3, 0x32, -1, 0);
>>>     	long res = 0;
>>>     	memcpy((void*)0x20000040, "/dev/kvm", 9);
>>>     	res = syscall(__NR_openat, 0xffffffffffffff9c, 0x20000040, 0, 0);
>>>     	if (res != -1)
>>>     		r[0] = res;
>>>     	res = syscall(__NR_ioctl, r[0], 0xae01, 0);
>>>     	if (res != -1)
>>>     		r[1] = res;
>>>     	res = syscall(__NR_ioctl, r[1], 0xae41, 0);
>>>     	if (res != -1)
>>>     		r[2] = res;
>>>     	memcpy(
>>>     			(void*)0x20000080,
>>>     			"\x01\x00\x00\x00\x00\x5b\x61\xbb\x96\x00\x00\x40\x00\x00\x00\x00\x01\x00"
>>>     			"\x08\x00\x00\x00\x00\x00\x0b\x77\xd1\x78\x4d\xd8\x3a\xed\xb1\x5c\x2e\x43"
>>>     			"\xaa\x43\x39\xd6\xff\xf5\xf0\xa8\x98\xf2\x3e\x37\x29\x89\xde\x88\xc6\x33"
>>>     			"\xfc\x2a\xdb\xb7\xe1\x4c\xac\x28\x61\x7b\x9c\xa9\xbc\x0d\xa0\x63\xfe\xfe"
>>>     			"\xe8\x75\xde\xdd\x19\x38\xdc\x34\xf5\xec\x05\xfd\xeb\x5d\xed\x2e\xaf\x22"
>>>     			"\xfa\xab\xb7\xe4\x42\x67\xd0\xaf\x06\x1c\x6a\x35\x67\x10\x55\xcb",
>>>     			106);
>>>     	syscall(__NR_ioctl, r[2], 0x4008ae89, 0x20000080);
>>>     	syscall(__NR_ioctl, r[2], 0xae80, 0);
>>>     	return 0;
>>>     }
>>>
>>> This patch fixes it by bailing out scan ioapic if ioapic is not initialized in
>>> kernel.
>>>
>>> Reported-by: Wei Wu <ww9210@gmail.com>
>>> Cc: Paolo Bonzini <pbonzini@redhat.com>
>>> Cc: Radim Krčmář <rkrcmar@redhat.com>
>>> Cc: Wei Wu <ww9210@gmail.com>
>>> Signed-off-by: Wanpeng Li <wanpengli@tencent.com>
>>> Cc: stable@vger.kernel.org
>>> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
>> Empty line here please.
> Um, why? This has never been a requirement, and it's not what is
> produced by 'git cherry-pick -x'. I personally don't want to have to go
> in and hand-edit the commit message to add a blank line here every time
> I cherry pick a patch.
>
>
I guess what Juerg meant with the output of 'git cherry-pick -x' is that
it adds the line in the format:

(cherry picked from commit ...)

where the "commit" word was missing on the original patch. And this is
strictly needed since it is the pattern matched by our tools.


Thanks,

Kleber
Seth Forshee Dec. 6, 2018, 1:54 p.m. UTC | #6 
On Thu, Dec 06, 2018 at 08:47:33AM +0100, Kleber Souza wrote:
> On 12/5/18 3:06 PM, Seth Forshee wrote:
> > On Tue, Dec 04, 2018 at 12:14:08PM +0100, Juerg Haefliger wrote:
> >> On Mon,  3 Dec 2018 21:22:38 -0500
> >> Khalid Elmously <khalid.elmously@canonical.com> wrote:
> >>
> >>> From: Wanpeng Li <wanpengli@tencent.com>
> >>>
> >>> CVE-2018-19407
> >>>
> >>> Reported by syzkaller:
> >>>
> >>>  BUG: unable to handle kernel NULL pointer dereference at 00000000000001c8
> >>>  PGD 80000003ec4da067 P4D 80000003ec4da067 PUD 3f7bfa067 PMD 0
> >>>  Oops: 0000 [#1] PREEMPT SMP PTI
> >>>  CPU: 7 PID: 5059 Comm: debug Tainted: G           OE     4.19.0-rc5 #16
> >>>  RIP: 0010:__lock_acquire+0x1a6/0x1990
> >>>  Call Trace:
> >>>   lock_acquire+0xdb/0x210
> >>>   _raw_spin_lock+0x38/0x70
> >>>   kvm_ioapic_scan_entry+0x3e/0x110 [kvm]
> >>>   vcpu_enter_guest+0x167e/0x1910 [kvm]
> >>>   kvm_arch_vcpu_ioctl_run+0x35c/0x610 [kvm]
> >>>   kvm_vcpu_ioctl+0x3e9/0x6d0 [kvm]
> >>>   do_vfs_ioctl+0xa5/0x690
> >>>   ksys_ioctl+0x6d/0x80
> >>>   __x64_sys_ioctl+0x1a/0x20
> >>>   do_syscall_64+0x83/0x6e0
> >>>   entry_SYSCALL_64_after_hwframe+0x49/0xbe
> >>>
> >>> The reason is that the testcase writes hyperv synic HV_X64_MSR_SINT6 msr
> >>> and triggers scan ioapic logic to load synic vectors into EOI exit bitmap.
> >>> However, irqchip is not initialized by this simple testcase, ioapic/apic
> >>> objects should not be accessed.
> >>> This can be triggered by the following program:
> >>>
> >>>     #define _GNU_SOURCE
> >>>
> >>>     #include <endian.h>
> >>>     #include <stdint.h>
> >>>     #include <stdio.h>
> >>>     #include <stdlib.h>
> >>>     #include <string.h>
> >>>     #include <sys/syscall.h>
> >>>     #include <sys/types.h>
> >>>     #include <unistd.h>
> >>>
> >>>     uint64_t r[3] = {0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff};
> >>>
> >>>     int main(void)
> >>>     {
> >>>     	syscall(__NR_mmap, 0x20000000, 0x1000000, 3, 0x32, -1, 0);
> >>>     	long res = 0;
> >>>     	memcpy((void*)0x20000040, "/dev/kvm", 9);
> >>>     	res = syscall(__NR_openat, 0xffffffffffffff9c, 0x20000040, 0, 0);
> >>>     	if (res != -1)
> >>>     		r[0] = res;
> >>>     	res = syscall(__NR_ioctl, r[0], 0xae01, 0);
> >>>     	if (res != -1)
> >>>     		r[1] = res;
> >>>     	res = syscall(__NR_ioctl, r[1], 0xae41, 0);
> >>>     	if (res != -1)
> >>>     		r[2] = res;
> >>>     	memcpy(
> >>>     			(void*)0x20000080,
> >>>     			"\x01\x00\x00\x00\x00\x5b\x61\xbb\x96\x00\x00\x40\x00\x00\x00\x00\x01\x00"
> >>>     			"\x08\x00\x00\x00\x00\x00\x0b\x77\xd1\x78\x4d\xd8\x3a\xed\xb1\x5c\x2e\x43"
> >>>     			"\xaa\x43\x39\xd6\xff\xf5\xf0\xa8\x98\xf2\x3e\x37\x29\x89\xde\x88\xc6\x33"
> >>>     			"\xfc\x2a\xdb\xb7\xe1\x4c\xac\x28\x61\x7b\x9c\xa9\xbc\x0d\xa0\x63\xfe\xfe"
> >>>     			"\xe8\x75\xde\xdd\x19\x38\xdc\x34\xf5\xec\x05\xfd\xeb\x5d\xed\x2e\xaf\x22"
> >>>     			"\xfa\xab\xb7\xe4\x42\x67\xd0\xaf\x06\x1c\x6a\x35\x67\x10\x55\xcb",
> >>>     			106);
> >>>     	syscall(__NR_ioctl, r[2], 0x4008ae89, 0x20000080);
> >>>     	syscall(__NR_ioctl, r[2], 0xae80, 0);
> >>>     	return 0;
> >>>     }
> >>>
> >>> This patch fixes it by bailing out scan ioapic if ioapic is not initialized in
> >>> kernel.
> >>>
> >>> Reported-by: Wei Wu <ww9210@gmail.com>
> >>> Cc: Paolo Bonzini <pbonzini@redhat.com>
> >>> Cc: Radim Krčmář <rkrcmar@redhat.com>
> >>> Cc: Wei Wu <ww9210@gmail.com>
> >>> Signed-off-by: Wanpeng Li <wanpengli@tencent.com>
> >>> Cc: stable@vger.kernel.org
> >>> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
> >> Empty line here please.
> > Um, why? This has never been a requirement, and it's not what is
> > produced by 'git cherry-pick -x'. I personally don't want to have to go
> > in and hand-edit the commit message to add a blank line here every time
> > I cherry pick a patch.
> >
> >
> I guess what Juerg meant with the output of 'git cherry-pick -x' is that
> it adds the line in the format:
> 
> (cherry picked from commit ...)
> 
> where the "commit" word was missing on the original patch. And this is
> strictly needed since it is the pattern matched by our tools.

Yes, I understand that. My question was about requiring an empty line
before that line, since git cherry-pick does not add one and we have
never required it in the past.
Kleber Sacilotto de Souza Dec. 18, 2018, 12:37 p.m. UTC | #7 
On 12/4/18 3:22 AM, Khalid Elmously wrote:
> From: Wanpeng Li <wanpengli@tencent.com>
>
> CVE-2018-19407
>
> Reported by syzkaller:
>
>  BUG: unable to handle kernel NULL pointer dereference at 00000000000001c8
>  PGD 80000003ec4da067 P4D 80000003ec4da067 PUD 3f7bfa067 PMD 0
>  Oops: 0000 [#1] PREEMPT SMP PTI
>  CPU: 7 PID: 5059 Comm: debug Tainted: G           OE     4.19.0-rc5 #16
>  RIP: 0010:__lock_acquire+0x1a6/0x1990
>  Call Trace:
>   lock_acquire+0xdb/0x210
>   _raw_spin_lock+0x38/0x70
>   kvm_ioapic_scan_entry+0x3e/0x110 [kvm]
>   vcpu_enter_guest+0x167e/0x1910 [kvm]
>   kvm_arch_vcpu_ioctl_run+0x35c/0x610 [kvm]
>   kvm_vcpu_ioctl+0x3e9/0x6d0 [kvm]
>   do_vfs_ioctl+0xa5/0x690
>   ksys_ioctl+0x6d/0x80
>   __x64_sys_ioctl+0x1a/0x20
>   do_syscall_64+0x83/0x6e0
>   entry_SYSCALL_64_after_hwframe+0x49/0xbe
>
> The reason is that the testcase writes hyperv synic HV_X64_MSR_SINT6 msr
> and triggers scan ioapic logic to load synic vectors into EOI exit bitmap.
> However, irqchip is not initialized by this simple testcase, ioapic/apic
> objects should not be accessed.
> This can be triggered by the following program:
>
>     #define _GNU_SOURCE
>
>     #include <endian.h>
>     #include <stdint.h>
>     #include <stdio.h>
>     #include <stdlib.h>
>     #include <string.h>
>     #include <sys/syscall.h>
>     #include <sys/types.h>
>     #include <unistd.h>
>
>     uint64_t r[3] = {0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff};
>
>     int main(void)
>     {
>     	syscall(__NR_mmap, 0x20000000, 0x1000000, 3, 0x32, -1, 0);
>     	long res = 0;
>     	memcpy((void*)0x20000040, "/dev/kvm", 9);
>     	res = syscall(__NR_openat, 0xffffffffffffff9c, 0x20000040, 0, 0);
>     	if (res != -1)
>     		r[0] = res;
>     	res = syscall(__NR_ioctl, r[0], 0xae01, 0);
>     	if (res != -1)
>     		r[1] = res;
>     	res = syscall(__NR_ioctl, r[1], 0xae41, 0);
>     	if (res != -1)
>     		r[2] = res;
>     	memcpy(
>     			(void*)0x20000080,
>     			"\x01\x00\x00\x00\x00\x5b\x61\xbb\x96\x00\x00\x40\x00\x00\x00\x00\x01\x00"
>     			"\x08\x00\x00\x00\x00\x00\x0b\x77\xd1\x78\x4d\xd8\x3a\xed\xb1\x5c\x2e\x43"
>     			"\xaa\x43\x39\xd6\xff\xf5\xf0\xa8\x98\xf2\x3e\x37\x29\x89\xde\x88\xc6\x33"
>     			"\xfc\x2a\xdb\xb7\xe1\x4c\xac\x28\x61\x7b\x9c\xa9\xbc\x0d\xa0\x63\xfe\xfe"
>     			"\xe8\x75\xde\xdd\x19\x38\xdc\x34\xf5\xec\x05\xfd\xeb\x5d\xed\x2e\xaf\x22"
>     			"\xfa\xab\xb7\xe4\x42\x67\xd0\xaf\x06\x1c\x6a\x35\x67\x10\x55\xcb",
>     			106);
>     	syscall(__NR_ioctl, r[2], 0x4008ae89, 0x20000080);
>     	syscall(__NR_ioctl, r[2], 0xae80, 0);
>     	return 0;
>     }
>
> This patch fixes it by bailing out scan ioapic if ioapic is not initialized in
> kernel.
>
> Reported-by: Wei Wu <ww9210@gmail.com>
> Cc: Paolo Bonzini <pbonzini@redhat.com>
> Cc: Radim Krčmář <rkrcmar@redhat.com>
> Cc: Wei Wu <ww9210@gmail.com>
> Signed-off-by: Wanpeng Li <wanpengli@tencent.com>
> Cc: stable@vger.kernel.org
> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
> (cherry-picked from e97f852fd4561e77721bb9a4e0ea9d98305b1e93)
(cherry picked from commit e97f852fd4561e77721bb9a4e0ea9d98305b1e93)
> Signed-off-by: Khalid Elmously <khalid.elmously@canonical.com>

With the cherry-pick line above fixed:

Acked-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>

> ---
>  arch/x86/kvm/x86.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
> index c98ffb0e6b47..a3b6f780ad99 100644
> --- a/arch/x86/kvm/x86.c
> +++ b/arch/x86/kvm/x86.c
> @@ -7225,7 +7225,8 @@ static void vcpu_scan_ioapic(struct kvm_vcpu *vcpu)
>  	else {
>  		if (vcpu->arch.apicv_active)
>  			kvm_x86_ops->sync_pir_to_irr(vcpu);
> -		kvm_ioapic_scan_entry(vcpu, vcpu->arch.ioapic_handled_vectors);
> +		if (ioapic_in_kernel(vcpu->kvm))
> +			kvm_ioapic_scan_entry(vcpu, vcpu->arch.ioapic_handled_vectors);
>  	}
>  
>  	if (is_guest_mode(vcpu))
Stefan Bader Jan. 7, 2019, 6:14 p.m. UTC | #8 
On 18.12.18 13:37, Kleber Souza wrote:
> On 12/4/18 3:22 AM, Khalid Elmously wrote:
>> From: Wanpeng Li <wanpengli@tencent.com>
>>
>> CVE-2018-19407
>>
>> Reported by syzkaller:
>>
>>  BUG: unable to handle kernel NULL pointer dereference at 00000000000001c8
>>  PGD 80000003ec4da067 P4D 80000003ec4da067 PUD 3f7bfa067 PMD 0
>>  Oops: 0000 [#1] PREEMPT SMP PTI
>>  CPU: 7 PID: 5059 Comm: debug Tainted: G           OE     4.19.0-rc5 #16
>>  RIP: 0010:__lock_acquire+0x1a6/0x1990
>>  Call Trace:
>>   lock_acquire+0xdb/0x210
>>   _raw_spin_lock+0x38/0x70
>>   kvm_ioapic_scan_entry+0x3e/0x110 [kvm]
>>   vcpu_enter_guest+0x167e/0x1910 [kvm]
>>   kvm_arch_vcpu_ioctl_run+0x35c/0x610 [kvm]
>>   kvm_vcpu_ioctl+0x3e9/0x6d0 [kvm]
>>   do_vfs_ioctl+0xa5/0x690
>>   ksys_ioctl+0x6d/0x80
>>   __x64_sys_ioctl+0x1a/0x20
>>   do_syscall_64+0x83/0x6e0
>>   entry_SYSCALL_64_after_hwframe+0x49/0xbe
>>
>> The reason is that the testcase writes hyperv synic HV_X64_MSR_SINT6 msr
>> and triggers scan ioapic logic to load synic vectors into EOI exit bitmap.
>> However, irqchip is not initialized by this simple testcase, ioapic/apic
>> objects should not be accessed.
>> This can be triggered by the following program:
>>
>>     #define _GNU_SOURCE
>>
>>     #include <endian.h>
>>     #include <stdint.h>
>>     #include <stdio.h>
>>     #include <stdlib.h>
>>     #include <string.h>
>>     #include <sys/syscall.h>
>>     #include <sys/types.h>
>>     #include <unistd.h>
>>
>>     uint64_t r[3] = {0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff};
>>
>>     int main(void)
>>     {
>>     	syscall(__NR_mmap, 0x20000000, 0x1000000, 3, 0x32, -1, 0);
>>     	long res = 0;
>>     	memcpy((void*)0x20000040, "/dev/kvm", 9);
>>     	res = syscall(__NR_openat, 0xffffffffffffff9c, 0x20000040, 0, 0);
>>     	if (res != -1)
>>     		r[0] = res;
>>     	res = syscall(__NR_ioctl, r[0], 0xae01, 0);
>>     	if (res != -1)
>>     		r[1] = res;
>>     	res = syscall(__NR_ioctl, r[1], 0xae41, 0);
>>     	if (res != -1)
>>     		r[2] = res;
>>     	memcpy(
>>     			(void*)0x20000080,
>>     			"\x01\x00\x00\x00\x00\x5b\x61\xbb\x96\x00\x00\x40\x00\x00\x00\x00\x01\x00"
>>     			"\x08\x00\x00\x00\x00\x00\x0b\x77\xd1\x78\x4d\xd8\x3a\xed\xb1\x5c\x2e\x43"
>>     			"\xaa\x43\x39\xd6\xff\xf5\xf0\xa8\x98\xf2\x3e\x37\x29\x89\xde\x88\xc6\x33"
>>     			"\xfc\x2a\xdb\xb7\xe1\x4c\xac\x28\x61\x7b\x9c\xa9\xbc\x0d\xa0\x63\xfe\xfe"
>>     			"\xe8\x75\xde\xdd\x19\x38\xdc\x34\xf5\xec\x05\xfd\xeb\x5d\xed\x2e\xaf\x22"
>>     			"\xfa\xab\xb7\xe4\x42\x67\xd0\xaf\x06\x1c\x6a\x35\x67\x10\x55\xcb",
>>     			106);
>>     	syscall(__NR_ioctl, r[2], 0x4008ae89, 0x20000080);
>>     	syscall(__NR_ioctl, r[2], 0xae80, 0);
>>     	return 0;
>>     }
>>
>> This patch fixes it by bailing out scan ioapic if ioapic is not initialized in
>> kernel.
>>
>> Reported-by: Wei Wu <ww9210@gmail.com>
>> Cc: Paolo Bonzini <pbonzini@redhat.com>
>> Cc: Radim Krčmář <rkrcmar@redhat.com>
>> Cc: Wei Wu <ww9210@gmail.com>
>> Signed-off-by: Wanpeng Li <wanpengli@tencent.com>
>> Cc: stable@vger.kernel.org
>> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
>> (cherry-picked from e97f852fd4561e77721bb9a4e0ea9d98305b1e93)
> (cherry picked from commit e97f852fd4561e77721bb9a4e0ea9d98305b1e93)
>> Signed-off-by: Khalid Elmously <khalid.elmously@canonical.com>
> 
> With the cherry-pick line above fixed:
> 
> Acked-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
Acked-by: Stefan Bader <stefan.bader@canonical.com>
> 
>> ---

+1 to fix cherry pick line.

>>  arch/x86/kvm/x86.c | 3 ++-
>>  1 file changed, 2 insertions(+), 1 deletion(-)
>>
>> diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
>> index c98ffb0e6b47..a3b6f780ad99 100644
>> --- a/arch/x86/kvm/x86.c
>> +++ b/arch/x86/kvm/x86.c
>> @@ -7225,7 +7225,8 @@ static void vcpu_scan_ioapic(struct kvm_vcpu *vcpu)
>>  	else {
>>  		if (vcpu->arch.apicv_active)
>>  			kvm_x86_ops->sync_pir_to_irr(vcpu);
>> -		kvm_ioapic_scan_entry(vcpu, vcpu->arch.ioapic_handled_vectors);
>> +		if (ioapic_in_kernel(vcpu->kvm))
>> +			kvm_ioapic_scan_entry(vcpu, vcpu->arch.ioapic_handled_vectors);
>>  	}
>>  
>>  	if (is_guest_mode(vcpu))
> 
> 
>
diff mbox series

Patch

diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
index c98ffb0e6b47..a3b6f780ad99 100644
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -7225,7 +7225,8 @@  static void vcpu_scan_ioapic(struct kvm_vcpu *vcpu)
 	else {
 		if (vcpu->arch.apicv_active)
 			kvm_x86_ops->sync_pir_to_irr(vcpu);
-		kvm_ioapic_scan_entry(vcpu, vcpu->arch.ioapic_handled_vectors);
+		if (ioapic_in_kernel(vcpu->kvm))
+			kvm_ioapic_scan_entry(vcpu, vcpu->arch.ioapic_handled_vectors);
 	}
 
 	if (is_guest_mode(vcpu))