
[0/3] KVM: kvm_create_vm() bug fixes and cleanup

Message ID: 20220816053937.2477106-1-seanjc@google.com

Message

Sean Christopherson Aug. 16, 2022, 5:39 a.m. UTC
Fix two (embarrassing) bugs in kvm_create_vm() where KVM fails to properly
unwind VM creation, which most often manifests as a not-present page fault
due to use-after-free when walking the global vm_list (VM is added and
freed, but never removed from the list).  Patch 3 is a loosely related
cleanup.

I discovered the try_get_module() bug by inspection[*].  syzkaller found
the debugfs around the same time.

The try_get_module() bug is especially bad/amusing.  The "rmmod --wait"
behavior KVM is trying to handle was removed ~9 years ago...

[*] https://lore.kernel.org/all/YvU+6fdkHaqQiKxp@google.com

Sean Christopherson (3):
  KVM: Properly unwind VM creation if creating debugfs fails
  KVM: Unconditionally get a ref to /dev/kvm module when creating a VM
  KVM: Move coalesced MMIO initialization (back) into kvm_create_vm()

 virt/kvm/kvm_main.c | 39 +++++++++++++++++----------------------
 1 file changed, 17 insertions(+), 22 deletions(-)


base-commit: 19a7cc817a380f7a412d7d76e145e9e2bc47e52f
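The failure mode the cover letter describes (a VM linked into the global list, then freed on an error path without being unlinked, so the next walk of the list touches freed memory) is a general unwind-ordering bug, so here is an added user-space illustration of it. This is not code from the series or from KVM: `vm_list`, `try_get_module()`, `module_put()` and `create_debugfs()` are stand-ins whose names echo the kernel's, their bodies are assumptions for this toy, and the fault-injection switch is constructed so the debugfs step can be made to fail on demand.

```c
/* Added illustration, not the series' own code. A toy model of an error path
 * that frees a list entry without unlinking it, beside the goto-based unwind
 * that releases resources in reverse order of acquisition. All names below
 * are hypothetical stand-ins, not kernel APIs. */
#include <stdio.h>
#include <stdlib.h>

struct vm {
    struct vm *prev, *next;   /* intrusive doubly linked list links */
    int id;
};

/* Toy global state: list sentinel, fake module refcount, fault switch. */
static struct vm vm_list = { &vm_list, &vm_list, -1 };
static int module_refs;
static int fail_debugfs;      /* 1 => create_debugfs() reports failure */

static void list_add(struct vm *v)
{
    v->next = vm_list.next; v->prev = &vm_list;
    vm_list.next->prev = v;  vm_list.next = v;
}

static void list_del(struct vm *v)
{
    v->prev->next = v->next; v->next->prev = v->prev;
    v->next = v->prev = NULL;
}

static int  try_get_module(void)        { module_refs++; return 1; }
static void module_put(void)            { module_refs--; }
static int  create_debugfs(struct vm *v) { (void)v; return fail_debugfs ? -1 : 0; }

void set_fail_debugfs(int on) { fail_debugfs = on; }
int  module_refcount(void)    { return module_refs; }

/* Reads only the sentinel, so it is safe even when a dangling node is linked. */
int vm_list_empty(void) { return vm_list.next == &vm_list; }

/* Discard all bookkeeping; needed to recover after the buggy path. */
void reset_state(void)
{
    vm_list.next = vm_list.prev = &vm_list;
    module_refs = fail_debugfs = 0;
}

/* Bug shape: the VM is linked into vm_list and then freed on failure without
 * being unlinked (and the module ref is never dropped). Whoever walks
 * vm_list next dereferences freed memory. */
int create_vm_buggy(int id)
{
    struct vm *v = calloc(1, sizeof(*v));
    if (!v)
        return -1;
    v->id = id;
    try_get_module();
    list_add(v);
    if (create_debugfs(v) < 0) {
        free(v);              /* missing: list_del(v); module_put(); */
        return -1;
    }
    return 0;
}

/* Fix shape: every step taken before the failing one is undone, in reverse
 * order, by falling through the goto labels. */
int create_vm_fixed(int id)
{
    struct vm *v = calloc(1, sizeof(*v));
    if (!v)
        return -1;
    v->id = id;
    if (!try_get_module())
        goto out_free;
    list_add(v);
    if (create_debugfs(v) < 0)
        goto out_unlink;
    return 0;

out_unlink:
    list_del(v);
    module_put();
out_free:
    free(v);
    return -1;
}

/* Live entries on vm_list; only meaningful when no dangling node is linked. */
int count_vms(void)
{
    int n = 0;
    for (struct vm *v = vm_list.next; v != &vm_list; v = v->next)
        n++;
    return n;
}

int main(void)
{
    set_fail_debugfs(1);
    create_vm_buggy(1);
    printf("buggy: list empty=%d refs=%d (dangling node left on the list)\n",
           vm_list_empty(), module_refcount());
    reset_state();
    set_fail_debugfs(1);
    create_vm_fixed(2);
    printf("fixed: list empty=%d refs=%d\n", vm_list_empty(), module_refcount());
    return 0;
}
```

Building the toy with `-fsanitize=address` and walking the list after the buggy path is the quickest way to see the report the cover letter alludes to; the test below deliberately checks only the sentinel after that path, since dereferencing the stale node is undefined behaviour.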

Comments

Paolo Bonzini Aug. 17, 2022, 9:47 a.m. UTC | #1
Queued, thanks (with the arm/s390 confusion fixed in the last
commit message).

Paolo