When creating a new vCPU, kvm_vm_ioctl_create_vcpu() will call kvm_arch_vcpu_postcreate() after the file descriptor for the new vCPU has been created. The new file descriptor has not been returned yet, but a malicious userspace program could try to guess it. If a malicious userspace program manages to start the newly created vCPU before kvm_arch_vcpu_postcreate() is called, __vcpu_run() will try to dereference vcpu->arch.gmap and trigger a NULL pointer dereference. Fix this by moving the initialization of vcpu->arch.gmap into kvm_arch_vcpu_create(), which is called before the file descriptor for the vCPU is created. Fixes: dafd032a15f8 ("KVM: s390: move vcpu specific initalization to a later point") Fixes: e38c884df921 ("KVM: s390: Switch to new gmap") Signed-off-by: Claudio Imbrenda --- arch/s390/kvm/kvm-s390.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/arch/s390/kvm/kvm-s390.c b/arch/s390/kvm/kvm-s390.c index 23c817595e28..4a6d903e3523 100644 --- a/arch/s390/kvm/kvm-s390.c +++ b/arch/s390/kvm/kvm-s390.c @@ -3604,10 +3604,8 @@ void kvm_arch_vcpu_postcreate(struct kvm_vcpu *vcpu) vcpu->arch.sie_block->epdx = vcpu->kvm->arch.epdx; preempt_enable(); mutex_unlock(&vcpu->kvm->lock); - if (!kvm_is_ucontrol(vcpu->kvm)) { - vcpu->arch.gmap = vcpu->kvm->arch.gmap; + if (!kvm_is_ucontrol(vcpu->kvm)) sca_add_vcpu(vcpu); - } if (test_kvm_facility(vcpu->kvm, 74) || vcpu->kvm->arch.user_instr0 || vcpu->kvm->arch.user_operexec) vcpu->arch.sie_block->ictl |= ICTL_OPEREXC; @@ -3850,6 +3848,8 @@ int kvm_arch_vcpu_create(struct kvm_vcpu *vcpu) vcpu->arch.gmap = gmap_new_child(vcpu->kvm->arch.gmap, -1UL); if (!vcpu->arch.gmap) goto out_free_sie_block; + } else { + vcpu->arch.gmap = vcpu->kvm->arch.gmap; } VM_EVENT(vcpu->kvm, 3, "create cpu %d at 0x%p, sie block at 0x%p", -- 2.55.0
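Review bot: in the kvm_arch_vcpu_postcreate() hunk, dropping the gmap assignment closes the window described in the commit message, but the surrounding lines show that epdx and the ICTL_OPEREXC bit are still set here, after the vCPU file descriptor already exists; it would help to state in a comment at the top of kvm_arch_vcpu_postcreate() that nothing __vcpu_run() depends on may be initialized in this function, so the same class of bug is not reintroduced later. Collapsing the braces to `if (!kvm_is_ucontrol(vcpu->kvm)) sca_add_vcpu(vcpu);` is fine for a single statement and matches kernel style.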
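Review bot: in the kvm_arch_vcpu_create() hunk, the new `} else { vcpu->arch.gmap = vcpu->kvm->arch.gmap; }` branch assumes the VM-level gmap in vcpu->kvm->arch.gmap is already valid when a vCPU is created, which is not visible in the hunk's context; a short comment above the assignment noting that the pointer must be set before the vCPU fd becomes reachable, together with why it cannot stay in kvm_arch_vcpu_postcreate(), would document the ordering requirement this fix depends on. The error path is unaffected, since the non-ucontrol branch allocates nothing and the existing `goto out_free_sie_block` remains specific to the gmap_new_child() failure.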