https://github.com/torvalds/linux
Revision e8fd5e9e9984675f45b9a5485909c143fbde248f authored by Andrea Arcangeli on 08 May 2015, 12:32:56 UTC, committed by Paolo Bonzini on 20 May 2015, 10:30:06 UTC
memslot->userfault_addr is set by the kernel via an mmap executed
from the kernel, but userland can still munmap it, leading to the
oops below once memslot->userfault_addr points to a host virtual
address that has no vma or mapping.

[  327.538306] BUG: unable to handle kernel paging request at fffffffffffffffe
[  327.538407] IP: [<ffffffff811a7b55>] put_page+0x5/0x50
[  327.538474] PGD 1a01067 PUD 1a03067 PMD 0
[  327.538529] Oops: 0000 [#1] SMP
[  327.538574] Modules linked in: macvtap macvlan xt_CHECKSUM iptable_mangle ipt_MASQUERADE nf_nat_masquerade_ipv4 iptable_nat nf_nat_ipv4 nf_nat nf_conntrack_ipv4 nf_defrag_ipv4 xt_conntrack nf_conntrack ipt_REJECT iptable_filter ip_tables tun bridge stp llc rpcsec_gss_krb5 nfsv4 dns_resolver nfs fscache xprtrdma ib_isert iscsi_target_mod ib_iser libiscsi scsi_transport_iscsi ib_srpt target_core_mod ib_srp scsi_transport_srp scsi_tgt ib_ipoib rdma_ucm ib_ucm ib_uverbs ib_umad rdma_cm ib_cm iw_cm ipmi_devintf iTCO_wdt iTCO_vendor_support intel_powerclamp coretemp dcdbas intel_rapl kvm_intel kvm crct10dif_pclmul crc32_pclmul ghash_clmulni_intel aesni_intel lrw gf128mul glue_helper ablk_helper cryptd pcspkr sb_edac edac_core ipmi_si ipmi_msghandler acpi_pad wmi acpi_power_meter lpc_ich mfd_core mei_me
[  327.539488]  mei shpchp nfsd auth_rpcgss nfs_acl lockd grace sunrpc mlx4_ib ib_sa ib_mad ib_core mlx4_en vxlan ib_addr ip_tunnel xfs libcrc32c sd_mod crc_t10dif crct10dif_common crc32c_intel mgag200 syscopyarea sysfillrect sysimgblt i2c_algo_bit drm_kms_helper ttm drm ahci i2c_core libahci mlx4_core libata tg3 ptp pps_core megaraid_sas ntb dm_mirror dm_region_hash dm_log dm_mod
[  327.539956] CPU: 3 PID: 3161 Comm: qemu-kvm Not tainted 3.10.0-240.el7.userfault19.4ca4011.x86_64.debug #1
[  327.540045] Hardware name: Dell Inc. PowerEdge R420/0CN7CM, BIOS 2.1.2 01/20/2014
[  327.540115] task: ffff8803280ccf00 ti: ffff880317c58000 task.ti: ffff880317c58000
[  327.540184] RIP: 0010:[<ffffffff811a7b55>]  [<ffffffff811a7b55>] put_page+0x5/0x50
[  327.540261] RSP: 0018:ffff880317c5bcf8  EFLAGS: 00010246
[  327.540313] RAX: 00057ffffffff000 RBX: ffff880616a20000 RCX: 0000000000000000
[  327.540379] RDX: 0000000000002014 RSI: 00057ffffffff000 RDI: fffffffffffffffe
[  327.540445] RBP: ffff880317c5bd10 R08: 0000000000000103 R09: 0000000000000000
[  327.540511] R10: 0000000000000000 R11: 0000000000000000 R12: fffffffffffffffe
[  327.540576] R13: 0000000000000000 R14: ffff880317c5bd70 R15: ffff880317c5bd50
[  327.540643] FS:  00007fd230b7f700(0000) GS:ffff880630800000(0000) knlGS:0000000000000000
[  327.540717] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  327.540771] CR2: fffffffffffffffe CR3: 000000062a2c3000 CR4: 00000000000427e0
[  327.540837] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[  327.540904] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
[  327.540974] Stack:
[  327.541008]  ffffffffa05d6d0c ffff880616a20000 0000000000000000 ffff880317c5bdc0
[  327.541093]  ffffffffa05ddaa2 0000000000000000 00000000002191bf 00000042f3feab2d
[  327.541177]  00000042f3feab2d 0000000000000002 0000000000000001 0321000000000000
[  327.541261] Call Trace:
[  327.541321]  [<ffffffffa05d6d0c>] ? kvm_vcpu_reload_apic_access_page+0x6c/0x80 [kvm]
[  327.543615]  [<ffffffffa05ddaa2>] vcpu_enter_guest+0x3f2/0x10f0 [kvm]
[  327.545918]  [<ffffffffa05e2f10>] kvm_arch_vcpu_ioctl_run+0x2b0/0x5a0 [kvm]
[  327.548211]  [<ffffffffa05e2d02>] ? kvm_arch_vcpu_ioctl_run+0xa2/0x5a0 [kvm]
[  327.550500]  [<ffffffffa05ca845>] kvm_vcpu_ioctl+0x2b5/0x680 [kvm]
[  327.552768]  [<ffffffff810b8d12>] ? creds_are_invalid.part.1+0x12/0x50
[  327.555069]  [<ffffffff810b8d71>] ? creds_are_invalid+0x21/0x30
[  327.557373]  [<ffffffff812d6066>] ? inode_has_perm.isra.49.constprop.65+0x26/0x80
[  327.559663]  [<ffffffff8122d985>] do_vfs_ioctl+0x305/0x530
[  327.561917]  [<ffffffff8122dc51>] SyS_ioctl+0xa1/0xc0
[  327.564185]  [<ffffffff816de829>] system_call_fastpath+0x16/0x1b
[  327.566480] Code: 0b 31 f6 4c 89 e7 e8 4b 7f ff ff 0f 0b e8 24 fd ff ff e9 a9 fd ff ff 66 66 66 66 66 66 2e 0f 1f 84 00 00 00 00 00 66 66 66 66 90 <48> f7 07 00 c0 00 00 55 48 89 e5 75 2a 8b 47 1c 85 c0 74 1e f0

Signed-off-by: Andrea Arcangeli <aarcange@redhat.com>
Cc: stable@vger.kernel.org
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
1 parent 0be0226
Tip revision: e8fd5e9e9984675f45b9a5485909c143fbde248f authored by Andrea Arcangeli on 08 May 2015, 12:32:56 UTC
kvm: fix crash in kvm_vcpu_reload_apic_access_page