| Message ID | 20181126152836.25379-1-rkagan@virtuozzo.com (mailing list archive) |
|---|---|
| State | New, archived |
| Series | hw/hyperv: fix NULL dereference with pure-kvm SynIC |
On 26/11/18 16:28, Roman Kagan wrote:
> When started in compat configuration of SynIC, e.g.
>
> qemu-system-x86_64 -machine pc-i440fx-2.10,accel=kvm \
> -cpu host,-vmx,hv-relaxed,hv_spinlocks=0x1fff,hv-vpindex,hv-synic
>
> or explicitly
>
> qemu-system-x86_64 -enable-kvm -cpu host,hv-synic,x-hv-synic-kvm-only=on
>
> QEMU crashes in hyperv_synic_reset() trying to access the non-present
> qobject for SynIC.
>
> Add the missing check for NULL.
>
> Reported-by: Vitaly Kuznetsov <vkuznets@redhat.com>
> Reported-by: Igor Mammedov <imammedo@redhat.com>
> Fixes: 9b4cf107b09d18ac30f46fd1c4de8585ccba030c
> Fixes: 4a93722f9c279184e95b1e1ad775c01deec05065
> Signed-off-by: Roman Kagan <rkagan@virtuozzo.com>

Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Tested-by: Philippe Mathieu-Daudé <philmd@redhat.com>

> ---
> hw/hyperv/hyperv.c | 6 +++++-
> 1 file changed, 5 insertions(+), 1 deletion(-)
>
> diff --git a/hw/hyperv/hyperv.c b/hw/hyperv/hyperv.c
> index a28e7249d8..8758635227 100644
> --- a/hw/hyperv/hyperv.c
> +++ b/hw/hyperv/hyperv.c
> @@ -136,7 +136,11 @@ void hyperv_synic_add(CPUState *cs)
>
> void hyperv_synic_reset(CPUState *cs)
> {
> - device_reset(DEVICE(get_synic(cs)));
> + SynICState *synic = get_synic(cs);
> +
> + if (synic) {
> + device_reset(DEVICE(synic));
> + }
> }
>
> static const TypeInfo synic_type_info = {
>
On 26/11/18 16:28, Roman Kagan wrote:
> When started in compat configuration of SynIC, e.g.
>
> qemu-system-x86_64 -machine pc-i440fx-2.10,accel=kvm \
> -cpu host,-vmx,hv-relaxed,hv_spinlocks=0x1fff,hv-vpindex,hv-synic
>
> or explicitly
>
> qemu-system-x86_64 -enable-kvm -cpu host,hv-synic,x-hv-synic-kvm-only=on
>
> QEMU crashes in hyperv_synic_reset() trying to access the non-present
> qobject for SynIC.
>
> Add the missing check for NULL.
>
> Reported-by: Vitaly Kuznetsov <vkuznets@redhat.com>
> Reported-by: Igor Mammedov <imammedo@redhat.com>
> Fixes: 9b4cf107b09d18ac30f46fd1c4de8585ccba030c
> Fixes: 4a93722f9c279184e95b1e1ad775c01deec05065
> Signed-off-by: Roman Kagan <rkagan@virtuozzo.com>
> ---
> hw/hyperv/hyperv.c | 6 +++++-
> 1 file changed, 5 insertions(+), 1 deletion(-)
>
> diff --git a/hw/hyperv/hyperv.c b/hw/hyperv/hyperv.c
> index a28e7249d8..8758635227 100644
> --- a/hw/hyperv/hyperv.c
> +++ b/hw/hyperv/hyperv.c
> @@ -136,7 +136,11 @@ void hyperv_synic_add(CPUState *cs)
>
> void hyperv_synic_reset(CPUState *cs)
> {
> - device_reset(DEVICE(get_synic(cs)));
> + SynICState *synic = get_synic(cs);
> +
> + if (synic) {
> + device_reset(DEVICE(synic));
> + }
> }
>
> static const TypeInfo synic_type_info = {
>

Queued, thanks.

Paolo
On Mon, Nov 26, 2018 at 06:13:49PM +0100, Paolo Bonzini wrote:
> On 26/11/18 16:28, Roman Kagan wrote:
> > When started in compat configuration of SynIC, e.g.
> >
> > qemu-system-x86_64 -machine pc-i440fx-2.10,accel=kvm \
> > -cpu host,-vmx,hv-relaxed,hv_spinlocks=0x1fff,hv-vpindex,hv-synic
> >
> > or explicitly
> >
> > qemu-system-x86_64 -enable-kvm -cpu host,hv-synic,x-hv-synic-kvm-only=on
> >
> > QEMU crashes in hyperv_synic_reset() trying to access the non-present
> > qobject for SynIC.
> >
> > Add the missing check for NULL.
> >
> > Reported-by: Vitaly Kuznetsov <vkuznets@redhat.com>
> > Reported-by: Igor Mammedov <imammedo@redhat.com>
> > Fixes: 9b4cf107b09d18ac30f46fd1c4de8585ccba030c
> > Fixes: 4a93722f9c279184e95b1e1ad775c01deec05065
> > Signed-off-by: Roman Kagan <rkagan@virtuozzo.com>
> > ---
> > hw/hyperv/hyperv.c | 6 +++++-
> > 1 file changed, 5 insertions(+), 1 deletion(-)
> >
> > diff --git a/hw/hyperv/hyperv.c b/hw/hyperv/hyperv.c
> > index a28e7249d8..8758635227 100644
> > --- a/hw/hyperv/hyperv.c
> > +++ b/hw/hyperv/hyperv.c
> > @@ -136,7 +136,11 @@ void hyperv_synic_add(CPUState *cs)
> >
> > void hyperv_synic_reset(CPUState *cs)
> > {
> > - device_reset(DEVICE(get_synic(cs)));
> > + SynICState *synic = get_synic(cs);
> > +
> > + if (synic) {
> > + device_reset(DEVICE(synic));
> > + }
> > }
> >
> > static const TypeInfo synic_type_info = {
> >
>
> Queued, thanks.

Oops, I had queued it earlier today and just submitted a pull request.
On 26/11/18 22:00, Eduardo Habkost wrote:
> On Mon, Nov 26, 2018 at 06:13:49PM +0100, Paolo Bonzini wrote:
>> On 26/11/18 16:28, Roman Kagan wrote:
>>> When started in compat configuration of SynIC, e.g.
>>>
>>> qemu-system-x86_64 -machine pc-i440fx-2.10,accel=kvm \
>>> -cpu host,-vmx,hv-relaxed,hv_spinlocks=0x1fff,hv-vpindex,hv-synic
>>>
>>> or explicitly
>>>
>>> qemu-system-x86_64 -enable-kvm -cpu host,hv-synic,x-hv-synic-kvm-only=on
>>>
>>> QEMU crashes in hyperv_synic_reset() trying to access the non-present
>>> qobject for SynIC.
>>>
>>> Add the missing check for NULL.
>>>
>>> Reported-by: Vitaly Kuznetsov <vkuznets@redhat.com>
>>> Reported-by: Igor Mammedov <imammedo@redhat.com>
>>> Fixes: 9b4cf107b09d18ac30f46fd1c4de8585ccba030c
>>> Fixes: 4a93722f9c279184e95b1e1ad775c01deec05065
>>> Signed-off-by: Roman Kagan <rkagan@virtuozzo.com>
>>> ---
>>> hw/hyperv/hyperv.c | 6 +++++-
>>> 1 file changed, 5 insertions(+), 1 deletion(-)
>>>
>>> diff --git a/hw/hyperv/hyperv.c b/hw/hyperv/hyperv.c
>>> index a28e7249d8..8758635227 100644
>>> --- a/hw/hyperv/hyperv.c
>>> +++ b/hw/hyperv/hyperv.c
>>> @@ -136,7 +136,11 @@ void hyperv_synic_add(CPUState *cs)
>>>
>>> void hyperv_synic_reset(CPUState *cs)
>>> {
>>> - device_reset(DEVICE(get_synic(cs)));
>>> + SynICState *synic = get_synic(cs);
>>> +
>>> + if (synic) {
>>> + device_reset(DEVICE(synic));
>>> + }
>>> }
>>>
>>> static const TypeInfo synic_type_info = {
>>>
>>
>> Queued, thanks.
>
> Oops, I had queued it earlier today and just submitted a pull
> request.

No big deal, it will be included twice. :)

Paolo
diff --git a/hw/hyperv/hyperv.c b/hw/hyperv/hyperv.c index a28e7249d8..8758635227 100644 --- a/hw/hyperv/hyperv.c +++ b/hw/hyperv/hyperv.c @@ -136,7 +136,11 @@ void hyperv_synic_add(CPUState *cs) void hyperv_synic_reset(CPUState *cs) { - device_reset(DEVICE(get_synic(cs))); + SynICState *synic = get_synic(cs); + + if (synic) { + device_reset(DEVICE(synic)); + } } static const TypeInfo synic_type_info = {
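Review bot: the new `if (synic)` guard makes a reset of an absent SynIC a silent no-op, which is the intended behaviour for the pure-KVM configuration, but nothing in the hunk records why get_synic(cs) can legitimately return NULL here; add a one-line comment above the check (e.g. `/* no SynIC QOM object when SynIC is handled by KVM only */`) so the guard is not mistaken for dead code and removed in a later cleanup. The commit message only establishes that hyperv_synic_reset() dereferenced the missing object; it would help reviewers to say whether other users of get_synic() were checked for the same non-NULL assumption, since the hunk covers this one function only.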
When started in compat configuration of SynIC, e.g.

    qemu-system-x86_64 -machine pc-i440fx-2.10,accel=kvm \
        -cpu host,-vmx,hv-relaxed,hv_spinlocks=0x1fff,hv-vpindex,hv-synic

or explicitly

    qemu-system-x86_64 -enable-kvm -cpu host,hv-synic,x-hv-synic-kvm-only=on

QEMU crashes in hyperv_synic_reset() trying to access the non-present
qobject for SynIC.

Add the missing check for NULL.

Reported-by: Vitaly Kuznetsov <vkuznets@redhat.com>
Reported-by: Igor Mammedov <imammedo@redhat.com>
Fixes: 9b4cf107b09d18ac30f46fd1c4de8585ccba030c
Fixes: 4a93722f9c279184e95b1e1ad775c01deec05065
Signed-off-by: Roman Kagan <rkagan@virtuozzo.com>
---
hw/hyperv/hyperv.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)