From patchwork Wed Aug 15 20:30:19 2018
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Peter Shier <pshier@google.com>
X-Patchwork-Id: 10566797
Return-Path: <kvm-owner@kernel.org>
Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org
 [172.30.200.125])
	by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id E9B0B109C
	for <patchwork-kvm@patchwork.kernel.org>;
 Wed, 15 Aug 2018 20:30:26 +0000 (UTC)
Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id AD2B02B00D
	for <patchwork-kvm@patchwork.kernel.org>;
 Wed, 15 Aug 2018 20:30:26 +0000 (UTC)
Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486)
	id A1BAA2B024; Wed, 15 Aug 2018 20:30:26 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	pdx-wl-mail.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-15.5 required=2.0 tests=BAYES_00,DKIM_SIGNED,
	DKIM_VALID,DKIM_VALID_AU,MAILING_LIST_MULTI,RCVD_IN_DNSWL_HI,
	USER_IN_DEF_DKIM_WL autolearn=ham version=3.3.1
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 51CDD2B00D
	for <patchwork-kvm@patchwork.kernel.org>;
 Wed, 15 Aug 2018 20:30:26 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1727365AbeHOXYG (ORCPT
        <rfc822;patchwork-kvm@patchwork.kernel.org>);
        Wed, 15 Aug 2018 19:24:06 -0400
Received: from mail-qt0-f201.google.com ([209.85.216.201]:42031 "EHLO
        mail-qt0-f201.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1725989AbeHOXYG (ORCPT <rfc822;kvm@vger.kernel.org>);
        Wed, 15 Aug 2018 19:24:06 -0400
Received: by mail-qt0-f201.google.com with SMTP id w7-v6so1899209qto.9
        for <kvm@vger.kernel.org>; Wed, 15 Aug 2018 13:30:24 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=google.com; s=20161025;
        h=date:message-id:mime-version:subject:from:to:cc;
        bh=/Jl1YGJdsWSnh9GTaCvMrF1QL6n+IfT9q9q+xlm8dlA=;
        b=K8bfBgEvGOGsBxtFwEGna/1SgwLs/CiOL0AnWNSxztV758byAHaBN4wANstfmHmqRd
         RjKZsxG2fsd2LUTtT947cSpKFGHZkDka2xhkCKmQJ081v6+biioVnJme5TCnYv7qeQy1
         WQYEa6NcrxBV2Mt4POnB8a5Ul5Xe7gE6p1f/h7ANo6eboherp+pcEH7c4bQwwBvsCTbH
         Pqth3+pL4C1J37MafUFmMxrypskgoGaa4u9DyvFuhdRtR51PtjjeRcsqUARyD0v8x09u
         ee2gAjDakiJ/9olpv+fU1e5GsqVjdVrTYJ2D+1tQGow1rtdCSlW6m9ekoRCXMGVX1pTn
         z3hg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:date:message-id:mime-version:subject:from:to:cc;
        bh=/Jl1YGJdsWSnh9GTaCvMrF1QL6n+IfT9q9q+xlm8dlA=;
        b=D5z6VROCnDO8BnJ8p7EZ6aGzaZOGAkKxOlVmHagK4Frpn6NFiLmutqqlj9EMqWUyiF
         0wblAqUbx5yL8K9eTyDqw/C2wetIe3xKSR+mQsAWHQQEvYek0MB7RV9aD92UhUrxHKW0
         AklZFd4S24FwwOZ89RYJSVqKf2FFuvNrI42PSZgdQyWLcX7AXmtOroluzTKqIFk74BYp
         lPtHZRILo18hzb1nYcIaXpWZ1xdlx3W2iz6gYRZ8dAO1uAz34cIVakmTVkuVBPt+04zh
         Q7ky9L8zyu/nqRpktO4QRR1OmrL+hJBgtsqimqSmZk0+oUTZ5KdyxJ04z35tHMHIVNTJ
         ANGA==
X-Gm-Message-State: AOUpUlGqtEO0hVSz/j6tGdz0U7cD3HipidqCtfhR3t/wnJOs0wsfoyg4
        mgvhF5X6RuJQ5owAJJRGNRZoNnxFbYh64qikkSo9NsNiz84/nAU46TGW49FHZExt70pkZEHNfL0
        vUn0d2DYS50MHXmQtrnybtf1KmNUs+W2fUJjYq0l82cZxlMsx1iRHFjWPcw==
X-Google-Smtp-Source: 
 AA+uWPwgjdvoGZ1Ledpp4RxeHGtqXUlfJwM5lTIkb1HlUJtBk5XBSxV0BG9F4gkaEju9P1EbxLhzm9e1P94=
X-Received: by 2002:a0c:c3cd:: with SMTP id
 p13-v6mr14338284qvi.22.1534365023593;
 Wed, 15 Aug 2018 13:30:23 -0700 (PDT)
Date: Wed, 15 Aug 2018 13:30:19 -0700
Message-Id: <20180815203019.214901-1-pshier@google.com>
Mime-Version: 1.0
X-Mailer: git-send-email 2.18.0.865.gffc8e1a3cd6-goog
Subject: [PATCH] KVM: Remove CREATE_IRQCHIP/SET_PIT2 race
From: Peter Shier <pshier@google.com>
To: kvm@vger.kernel.org
Cc: Steve Rutherford <srutherford@google.com>,
        Peter Shier <pshier@google.com>,
        Jim Mattson <jmattson@google.com>
Sender: kvm-owner@vger.kernel.org
Precedence: bulk
List-ID: <kvm.vger.kernel.org>
X-Mailing-List: kvm@vger.kernel.org
X-Virus-Scanned: ClamAV using ClamSMTP

From: Steve Rutherford <srutherford@google.com>

Fixes a NULL pointer dereference, caused by the PIT firing an interrupt
before the interrupt table has been initialized.

SET_PIT2 can race with the creation of the IRQchip. In particular,
if SET_PIT2 is called with a low PIT timer period (after the creation of
the IOAPIC, but before the instantiation of the irq routes), the PIT can
fire an interrupt at an uninitialized table.

Signed-off-by: Steve Rutherford <srutherford@google.com>
Signed-off-by: Peter Shier <pshier@google.com>
Signed-off-by: Jim Mattson <jmattson@google.com>
---
 arch/x86/kvm/x86.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
index 3c83711c0ebe1..953ac519fb984 100644
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -4493,10 +4493,13 @@ long kvm_arch_vm_ioctl(struct file *filp,
 		r = -EFAULT;
 		if (copy_from_user(&u.ps, argp, sizeof u.ps))
 			goto out;
+		mutex_lock(&kvm->lock);
 		r = -ENXIO;
 		if (!kvm->arch.vpit)
-			goto out;
+			goto set_pit_out;
 		r = kvm_vm_ioctl_set_pit(kvm, &u.ps);
+set_pit_out:
+		mutex_unlock(&kvm->lock);
 		break;
 	}
 	case KVM_GET_PIT2: {
@@ -4516,10 +4519,13 @@ long kvm_arch_vm_ioctl(struct file *filp,
 		r = -EFAULT;
 		if (copy_from_user(&u.ps2, argp, sizeof(u.ps2)))
 			goto out;
+		mutex_lock(&kvm->lock);
 		r = -ENXIO;
 		if (!kvm->arch.vpit)
-			goto out;
+			goto set_pit2_out;
 		r = kvm_vm_ioctl_set_pit2(kvm, &u.ps2);
+set_pit2_out:
+		mutex_unlock(&kvm->lock);
 		break;
 	}
 	case KVM_REINJECT_CONTROL: {