| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <e0e127c8-1515-2ebf-f473-acc38d60a122@gmail.com>
Date: Fri, 25 Mar 2022 21:11:03 +0300
From: Pavel Skripkin <paskripkin@...il.com>
To: Paolo Bonzini <pbonzini@...hat.com>, seanjc@...gle.com,
vkuznets@...hat.com, wanpengli@...cent.com, jmattson@...gle.com
Cc: x86@...nel.org, kvm@...r.kernel.org, linux-kernel@...r.kernel.org,
syzbot+717ed82268812a643b28@...kaller.appspotmail.com
Subject: Re: [RFC PATCH] KVM: x86/mmu: fix general protection fault in
kvm_mmu_uninit_tdp_mmu
Hi Paolo,
On 3/25/22 19:50, Paolo Bonzini wrote:
> On 3/25/22 17:38, Pavel Skripkin wrote:
>> Syzbot reported GPF in kvm_mmu_uninit_tdp_mmu(), which is caused by
>> passing NULL pointer to flush_workqueue().
>>
>> tdp_mmu_zap_wq is allocated via alloc_workqueue() which may fail. There
>> is no error hanling and kvm_mmu_uninit_tdp_mmu() return value is simply
>> ignored. Even all kvm_*_init_vm() functions are void, so the easiest
>> solution is to check that tdp_mmu_zap_wq is valid pointer before passing
>> it somewhere.
>
> Thanks for the analysis, but not scheduling the work item in
> tdp_mmu_schedule_zap_root is broken; you can't just let the roots
> survive (KVM uses its own workqueue because it needs to work item to
> complete has to flush it before kvm_mmu_zap_all_fast returns).
>
Ah, I see, thanks for explanation.
I thought about propagating an error up to callers, but
kvm_mmu_uninit_tdp_mmu() returns false with config disabled, so I
decided to implement easiest fix w/o digging into details
sorry about that
With regards,
Pavel Skripkin
Powered by blists - more mailing lists