From: Coleman Dietsch
To: kvm@vger.kernel.org
Cc: Sean Christopherson, Paolo Bonzini, Thomas Gleixner, Ingo Molnar, Borislav Petkov, Dave Hansen, x86@kernel.org, "H. Peter Anvin", linux-kernel@vger.kernel.org, skhan@linuxfoundation.org, Pavel Skripkin, linux-kernel-mentees@lists.linuxfoundation.org, Coleman Dietsch, syzbot+e54f930ed78eb0f85281@syzkaller.appspotmail.com
Subject: [PATCH] KVM: x86/xen: Fix bug in kvm_xen_vcpu_set_attr()
Date: Thu, 28 Jul 2022 14:47:37 -0500
Message-Id: <20220728194736.383727-1-dietschc@csp.edu>

This crash appears to be happening when vcpu->arch.xen.timer is already set and kvm_xen_init_timer(vcpu) is called.

During testing with the syzbot reproducer code it seemed apparent that the else if statement in the KVM_XEN_VCPU_ATTR_TYPE_TIMER switch case was not being reached, which is where the kvm_xen_stop_timer(vcpu) call is located.

Link: https://syzkaller.appspot.com/bug?id=8234a9dfd3aafbf092cc5a7cd9842e3ebc45fc42
Reported-and-tested-by: syzbot+e54f930ed78eb0f85281@syzkaller.appspotmail.com
Signed-off-by: Coleman Dietsch
Acked-by: David Woodhouse
---
 arch/x86/kvm/xen.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/arch/x86/kvm/xen.c b/arch/x86/kvm/xen.c index 610beba35907..4b4b985813c5 100644 --- a/arch/x86/kvm/xen.c +++ b/arch/x86/kvm/xen.c @@ -707,6 +707,12 @@ int kvm_xen_vcpu_set_attr(struct kvm_vcpu *vcpu, struc= t kvm_xen_vcpu_attr *data) break; =20 case KVM_XEN_VCPU_ATTR_TYPE_TIMER: + /* Stop current timer if it is enabled */ + if (kvm_xen_timer_enabled(vcpu)) { + kvm_xen_stop_timer(vcpu); + vcpu->arch.xen.timer_virq =3D 0; + } + if (data->u.timer.port) { if (data->u.timer.priority !=3D KVM_IRQ_ROUTING_XEN_EVTCHN_PRIO_2LEVEL)= { r =3D -EINVAL; 
@@ -720,9 +726,6 @@ int kvm_xen_vcpu_set_attr(struct kvm_vcpu *vcpu, struct= kvm_xen_vcpu_attr *data) kvm_xen_start_timer(vcpu, data->u.timer.expires_ns, data->u.timer.expires_ns - get_kvmclock_ns(vcpu->kvm)); - } else if (kvm_xen_timer_enabled(vcpu)) { - kvm_xen_stop_timer(vcpu); - vcpu->arch.xen.timer_virq =3D 0; } =20 r =3D 0; --=20 2.34.1
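Review bot: In the first hunk the new stop-and-clear block now runs before the `data->u.timer.priority != KVM_IRQ_ROUTING_XEN_EVTCHN_PRIO_2LEVEL` check that returns -EINVAL, so a request that is rejected still stops a running timer and zeroes vcpu->arch.xen.timer_virq as a side effect. Consider doing the priority validation first and only then calling kvm_xen_stop_timer(vcpu), so a refused KVM_XEN_VCPU_ATTR_TYPE_TIMER attr leaves the vCPU's timer state untouched.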
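Review bot: For the second hunk, the changelog should explain why the removed else-if was "not being reached" and how stopping the timer ahead of the port check prevents the crash it describes; the description attributes the crash to kvm_xen_init_timer(vcpu) being called while vcpu->arch.xen.timer is already set, yet neither hunk touches the kvm_xen_init_timer() call, so the connection between the symptom and the fix is left for the reader to infer. Stating that kvm_xen_stop_timer() is now invoked on every KVM_XEN_VCPU_ATTR_TYPE_TIMER request (including port == 0, which previously only reached the stop through this branch) would make the intended behaviour explicit.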