Re: [PATCH kernel] powerpc/powernv: Check if powernv_rng is initialized

2021-08-02 Thread Michael Ellerman
Alexey Kardashevskiy  writes:
> The powernv-rng driver has 2 users - the bare metal powernv platform and
> the KVM's H_RANDOM hcall. The hcall handler works fine when it is L0 KVM
> but fails in L1 KVM as there is no support for the HW registers in L1 VMs
> and such support is not advertised either (== no "ibm,power-rng" in
> the FDT). So when a nested VM tries H_RANDOM, the L1 KVM crashes on
> in_be64(rng->regs).
>
> This checks the pointers and returns an error if the feature is not
> set up.
>
> Signed-off-by: Alexey Kardashevskiy 
> ---
>
>
> Randomly randomized H_RANDOM:
>
> 00:00:45 executing program 10:
> r0 = openat$kvm(0xff9c, &(0x7f00), 0x0, 0x0)
> r1 = ioctl$KVM_CREATE_VM(r0, 0x2000ae01, 0x0)
> r2 = ioctl$KVM_CREATE_VCPU(r1, 0x2000ae41, 0x0)
> ioctl$KVM_SET_REGS(r2, 0x8188ae82, &(0x7f0001c0)={[0x0, 0x0, 
> 0xffe1, 0x0, 0x0, 0x20953, 0x0, 0xfffe, 0x0, 0x0, 
> 0x2], 0x2000})
> syz_kvm_setup_cpu$ppc64(0x, r2, 
> &(0x7fe8/0x18)=nil, 0x0, 0x0, 0x0, 0x0, 0x0)
> r3 = openat$kvm(0xff9c, &(0x7f000100), 0x0, 0x0)
> syz_kvm_setup_cpu$ppc64(r1, r2, &(0x7fe7/0x18)=nil, 
> &(0x7f80)=[{0x0, 
> &(0x7f000280)="e03d0080ef61e403ef79ef650900ef61647b007ce03fff63e403ff7bff679952ff6370e63f7e603c6360e403637863640003636018a8803c28bf8460e4038478ef97846436888460b6f6a03c88d6a560e403a5781beda564d879a5602665c03cb08dc660e403c67806b3c664966fc660d53fe03cddf1e760e403e7785c41e7646623e7602244463fb1f2803e00809462e403947a946604009462a6a6607f4abb4c13603f7b63e4037b7b7b679a367b6332d9c17c201c994f7201004cbb7a603f72047b63e4037b7b955f7b6799947b636401607f",
>  0xf0}], 0x1, 0x0, &(0x7fc0)=[@featur2={0x1, 0x1000}], 0x1)
>
>
> cpu 0xd: Vector: 300 (Data Access) at [c0001599f590]
>     pc: c011d2bc: powernv_get_random_long+0x4c/0xc0
>     lr: c011d298: powernv_get_random_long+0x28/0xc0
>     sp: c0001599f830
>    msr: 8280b033
>    dar: 0
>  dsisr: 4000
>   current = 0xc000614c7f80
>   paca    = 0xc000fff81700   irqmask: 0x03   irq_happened: 0x01
>     pid   = 31576, comm = syz-executor.10
>
> Linux version 5.14.0-rc2-le_f29cf1ff9a23_a+fstn1 (aik@fstn1-p1) (gcc (Ubuntu 10.3.0-1ubuntu1) 10.3.0, GNU ld (GNU Binutils for Ubuntu) 2.36.1) #263 SMP Thu Jul 29 17:56:12 AEST 2021
> enter ? for help
> [c0001599f860] c01e45f8 kvmppc_pseries_do_hcall+0x5d8/0x2190
> [c0001599f8f0] c01ea2dc kvmppc_vcpu_run_hv+0x31c/0x14d0
> [c0001599f9c0] c01bd518 kvmppc_vcpu_run+0x48/0x60
> [c0001599f9f0] c01b74b0 kvm_arch_vcpu_ioctl_run+0x580/0x7d0
> [c0001599fa90] c019e6f8 kvm_vcpu_ioctl+0x418/0xd00
> [c0001599fc70] c079d8c4 sys_ioctl+0xb44/0x2100
> [c0001599fd90] c003b704 system_call_exception+0x224/0x410
> [c0001599fe10] c000c0e8 system_call_vectored_common+0xe8/0x278

There would be no bug if KVM was using arch_get_random_seed_long(),
because that defers to ppc_md, which is only populated when the RNG is
set up correctly. That seems like a better fix?

cheers


[PATCH kernel] powerpc/powernv: Check if powernv_rng is initialized

2021-07-29 Thread Alexey Kardashevskiy
The powernv-rng driver has 2 users - the bare metal powernv platform and
the KVM's H_RANDOM hcall. The hcall handler works fine when it is L0 KVM
but fails in L1 KVM as there is no support for the HW registers in L1 VMs
and such support is not advertised either (== no "ibm,power-rng" in
the FDT). So when a nested VM tries H_RANDOM, the L1 KVM crashes on
in_be64(rng->regs).

This checks the pointers and returns an error if the feature is not
set up.

Signed-off-by: Alexey Kardashevskiy 
---


Randomly randomized H_RANDOM:

00:00:45 executing program 10:
r0 = openat$kvm(0xff9c, &(0x7f00), 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0x2000ae01, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0x2000ae41, 0x0)
ioctl$KVM_SET_REGS(r2, 0x8188ae82, &(0x7f0001c0)={[0x0, 0x0, 
0xffe1, 0x0, 0x0, 0x20953, 0x0, 0xfffe, 0x0, 0x0, 
0x2], 0x2000})
syz_kvm_setup_cpu$ppc64(0x, r2, &(0x7fe8/0x18)=nil, 
0x0, 0x0, 0x0, 0x0, 0x0)
r3 = openat$kvm(0xff9c, &(0x7f000100), 0x0, 0x0)
syz_kvm_setup_cpu$ppc64(r1, r2, &(0x7fe7/0x18)=nil, 
&(0x7f80)=[{0x0, 
&(0x7f000280)="e03d0080ef61e403ef79ef650900ef61647b007ce03fff63e403ff7bff679952ff6370e63f7e603c6360e403637863640003636018a8803c28bf8460e4038478ef97846436888460b6f6a03c88d6a560e403a5781beda564d879a5602665c03cb08dc660e403c67806b3c664966fc660d53fe03cddf1e760e403e7785c41e7646623e7602244463fb1f2803e00809462e403947a946604009462a6a6607f4abb4c13603f7b63e4037b7b7b679a367b6332d9c17c201c994f7201004cbb7a603f72047b63e4037b7b955f7b6799947b636401607f",
 0xf0}], 0x1, 0x0, &(0x7fc0)=[@featur2={0x1, 0x1000}], 0x1)


cpu 0xd: Vector: 300 (Data Access) at [c0001599f590]
    pc: c011d2bc: powernv_get_random_long+0x4c/0xc0
    lr: c011d298: powernv_get_random_long+0x28/0xc0
    sp: c0001599f830
   msr: 8280b033
   dar: 0
 dsisr: 4000
  current = 0xc000614c7f80
  paca    = 0xc000fff81700   irqmask: 0x03   irq_happened: 0x01
    pid   = 31576, comm = syz-executor.10

Linux version 5.14.0-rc2-le_f29cf1ff9a23_a+fstn1 (aik@fstn1-p1) (gcc (Ubuntu 10.3.0-1ubuntu1) 10.3.0, GNU ld (GNU Binutils for Ubuntu) 2.36.1) #263 SMP Thu Jul 29 17:56:12 AEST 2021
enter ? for help
[c0001599f860] c01e45f8 kvmppc_pseries_do_hcall+0x5d8/0x2190
[c0001599f8f0] c01ea2dc kvmppc_vcpu_run_hv+0x31c/0x14d0
[c0001599f9c0] c01bd518 kvmppc_vcpu_run+0x48/0x60
[c0001599f9f0] c01b74b0 kvm_arch_vcpu_ioctl_run+0x580/0x7d0
[c0001599fa90] c019e6f8 kvm_vcpu_ioctl+0x418/0xd00
[c0001599fc70] c079d8c4 sys_ioctl+0xb44/0x2100
[c0001599fd90] c003b704 system_call_exception+0x224/0x410
[c0001599fe10] c000c0e8 system_call_vectored_common+0xe8/0x278



---
 arch/powerpc/platforms/powernv/rng.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/arch/powerpc/platforms/powernv/rng.c 
b/arch/powerpc/platforms/powernv/rng.c
index 72c25295c1c2..070d0963995d 100644
--- a/arch/powerpc/platforms/powernv/rng.c
+++ b/arch/powerpc/platforms/powernv/rng.c
@@ -105,6 +105,8 @@ int powernv_get_random_long(unsigned long *v)
struct powernv_rng *rng;
 
rng = get_cpu_var(powernv_rng);
+   if (!rng || !rng->regs)
+   return 0;
 
*v = rng_whiten(rng, in_be64(rng->regs));
 
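Review bot: the new `return 0;` skips the put_cpu_var() that must pair with the `rng = get_cpu_var(powernv_rng);` directly above it, so on an L1 guest every H_RANDOM returns with preemption still disabled. Call put_cpu_var(powernv_rng) before the early return, or restructure so the function falls through to its normal put_cpu_var() with `*v` left untouched and a 0 return, and consider whether the guard belongs in the hcall dispatch instead, as the reply proposes, so the driver is only entered once ppc_md.get_random_seed has been populated.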
-- 
2.30.2
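The two designs this thread contrasts, the in-driver pointer check from the patch and the reply's suggestion of routing the hcall through arch_get_random_seed_long() so that an unpopulated ppc_md hook fails before the driver is entered, as an added userspace model that is not kernel code and not part of either message. It assumes the H_SUCCESS/H_HARDWARE values from the kernel's hvcall.h, models get_cpu_var()/put_cpu_var() as a preempt counter, replaces in_be64() with a plain load, uses a whitening step in the style of the driver's rng_whiten() with __builtin_popcountll in place of popcntd, and constructs the L0/L1 scenarios and register value itself. Unlike the posted hunk, the in-driver variant here balances the put on its error path.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* hcall status values as the kernel's hvcall.h defines them (assumed here). */
#define H_SUCCESS   0L
#define H_HARDWARE  (-1L)

/* Model of struct powernv_rng: a pointer to the chip's RNG register window. */
struct powernv_rng {
	uint64_t *regs;        /* NULL when no "ibm,power-rng" node was probed */
	unsigned long mask;    /* whitening state */
};

/* Model of the per-CPU variable and of the preempt count that
 * get_cpu_var() raises and put_cpu_var() lowers. */
static struct powernv_rng *powernv_rng_cpu;
static int preempt_count;

static struct powernv_rng *get_cpu_var_rng(void) { preempt_count++; return powernv_rng_cpu; }
static void put_cpu_var_rng(void) { preempt_count--; }

/* Whitening in the style of the driver's rng_whiten(). */
static unsigned long rng_whiten(struct powernv_rng *rng, unsigned long val)
{
	unsigned long parity = (unsigned long)__builtin_popcountll(val);

	val ^= rng->mask;
	rng->mask = (rng->mask << 1) | (parity & 1);
	return val;
}

/* The patch's approach: check inside the driver. The plain load stands in
 * for in_be64(rng->regs); without the check, an L1 guest dereferences NULL,
 * which is the Data Access (0x300) fault in the report. */
static int powernv_get_random_long(unsigned long *v)
{
	struct powernv_rng *rng = get_cpu_var_rng();
	int ret = 0;

	if (rng && rng->regs) {
		*v = rng_whiten(rng, *rng->regs);
		ret = 1;
	}
	put_cpu_var_rng();   /* balanced on every path, unlike the posted hunk */
	return ret;
}

/* The reply's alternative: ppc_md.get_random_seed is only populated when the
 * RNG probed, so arch_get_random_seed_long() fails before entering the driver. */
static int (*ppc_md_get_random_seed)(unsigned long *v);

static bool arch_get_random_seed_long(unsigned long *v)
{
	return ppc_md_get_random_seed ? ppc_md_get_random_seed(v) != 0 : false;
}

/* Two models of the H_RANDOM handler: on success the value goes to gpr[4]. */
static long h_random_via_driver(unsigned long *gpr4)
{
	return powernv_get_random_long(gpr4) ? H_SUCCESS : H_HARDWARE;
}

static long h_random_via_ppc_md(unsigned long *gpr4)
{
	return arch_get_random_seed_long(gpr4) ? H_SUCCESS : H_HARDWARE;
}

/* Constructed scenarios: L0 has a probed RNG, L1 (nested) has none. */
static uint64_t fake_reg = 0x1234567890abcdefULL;   /* constructed register value */
static struct powernv_rng fake_rng;

static void setup(bool is_l0)
{
	fake_rng.regs = is_l0 ? &fake_reg : NULL;
	fake_rng.mask = 0;
	powernv_rng_cpu = is_l0 ? &fake_rng : NULL;
	ppc_md_get_random_seed = is_l0 ? powernv_get_random_long : NULL;
}

struct hcall_result {
	long status;
	unsigned long gpr4;
	int preempt_after;   /* must be 0: get/put balanced on every path */
};

static struct hcall_result run_h_random(bool is_l0, bool via_ppc_md)
{
	struct hcall_result r = { H_HARDWARE, 0xdeadbeefUL, 0 };   /* sentinel gpr4 */

	setup(is_l0);
	r.status = via_ppc_md ? h_random_via_ppc_md(&r.gpr4) : h_random_via_driver(&r.gpr4);
	r.preempt_after = preempt_count;
	return r;
}

int main(void)
{
	static const char *lvl[] = { "L1 (no RNG)", "L0 (RNG probed)" };
	static const char *path[] = { "driver check", "ppc_md hook" };

	for (int l = 0; l < 2; l++)
		for (int p = 0; p < 2; p++) {
			struct hcall_result r = run_h_random(l, p);
			printf("%-16s %-13s status=%ld gpr4=0x%lx preempt=%d\n",
			       lvl[l], path[p], r.status, r.gpr4, r.preempt_after);
		}
	return 0;
}
```

In both L1 cases the guest gets H_HARDWARE and gpr4 keeps its sentinel; in both L0 cases the first read returns the register value unchanged because the whitening mask starts at zero. The ppc_md route reaches the same result without the driver having to defend itself on every call.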