| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <Z5P97NyK9Rb_cU1z@kbusch-mbp> Date: Fri, 24 Jan 2025 13:54:04 -0700 From: Keith Busch <kbusch@...nel.org> To: Sean Christopherson <seanjc@...gle.com> Cc: Keith Busch <kbusch@...a.com>, kvm@...r.kernel.org, x86@...nel.org, linux-kernel@...r.kernel.org, Vlad Poenaru <thevlad@...a.com>, tj@...nel.org, Paolo Bonzini <pbonzini@...hat.com>, Alyssa Ross <hi@...ssa.is> Subject: Re: [PATCH] kvm: defer huge page recovery vhost task to later On Fri, Jan 24, 2025 at 12:07:24PM -0800, Sean Christopherson wrote: > This is broken. If the module param is toggled before the first KVM_RUN, KVM > will hit a NULL pointer deref due to trying to start a non-existent vhost task: > > BUG: kernel NULL pointer dereference, address: 0000000000000040 > #PF: supervisor read access in kernel mode > #PF: error_code(0x0000) - not-present page > PGD 0 P4D 0 > Oops: Oops: 0000 [#1] SMP > CPU: 16 UID: 0 PID: 1190 Comm: bash Not tainted 6.13.0-rc3-9bb02e874121-x86/xen_msr_fixes-vm #2382 > Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015 > RIP: 0010:vhost_task_wake+0x5/0x10 > Call Trace: > <TASK> > set_nx_huge_pages+0xcc/0x1e0 [kvm] Thanks for pointing out this gap. It looks like we'd have to hold the kvm_lock in kvm_mmu_post_init_vm(), and add NULL checks in set_nx_huge_pages() and set_nx_huge_pages_recovery_param() to prevent the NULL deref. Is that okay?
Powered by blists - more mailing lists