commit f4bad090b04406abddeca7b02c3e5538a4ce9b02
Author: Wanpeng Li <wanpengli@tencent.com>
Date:   Tue Nov 20 16:34:18 2018 +0800

    ms/KVM: X86: Fix scan ioapic use-before-initialization
    Reported by syzkaller:
     BUG: unable to handle kernel NULL pointer dereference at 00000000000001c8
     PGD 80000003ec4da067 P4D 80000003ec4da067 PUD 3f7bfa067 PMD 0
     Oops: 0000 [#1] PREEMPT SMP PTI
     CPU: 7 PID: 5059 Comm: debug Tainted: G           OE     4.19.0-rc5 #16
     RIP: 0010:__lock_acquire+0x1a6/0x1990
     Call Trace:
      kvm_ioapic_scan_entry+0x3e/0x110 [kvm]
      vcpu_enter_guest+0x167e/0x1910 [kvm]
      kvm_arch_vcpu_ioctl_run+0x35c/0x610 [kvm]
      kvm_vcpu_ioctl+0x3e9/0x6d0 [kvm]
    The reason is that the testcase writes hyperv synic HV_X64_MSR_SINT6 msr
    and triggers scan ioapic logic to load synic vectors into EOI exit bitmap.
    However, irqchip is not initialized by this simple testcase, ioapic/apic
    objects should not be accessed.
    This can be triggered by the following program:
        #define _GNU_SOURCE
        #include <endian.h>
        #include <stdint.h>
        #include <stdio.h>
        #include <stdlib.h>
        #include <string.h>
        #include <sys/syscall.h>
        #include <sys/types.h>
        #include <unistd.h>
        uint64_t r[3] = {0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff};
        int main(void)
            syscall(__NR_mmap, 0x20000000, 0x1000000, 3, 0x32, -1, 0);
            long res = 0;
            memcpy((void*)0x20000040, "/dev/kvm", 9);
            res = syscall(__NR_openat, 0xffffffffffffff9c, 0x20000040, 0, 0);
            if (res != -1)
                    r[0] = res;
            res = syscall(__NR_ioctl, r[0], 0xae01, 0);
            if (res != -1)
                    r[1] = res;
            res = syscall(__NR_ioctl, r[1], 0xae41, 0);
            if (res != -1)
                    r[2] = res;
            syscall(__NR_ioctl, r[2], 0x4008ae89, 0x20000080);
            syscall(__NR_ioctl, r[2], 0xae80, 0);
            return 0;
    This patch fixes it by bailing out scan ioapic if ioapic is not initialized in
    Reported-by: Wei Wu <ww9210@gmail.com>
    Cc: Paolo Bonzini <pbonzini@redhat.com>
    Cc: Radim Krčmář <rkrcmar@redhat.com>
    Cc: Wei Wu <ww9210@gmail.com>
    Signed-off-by: Wanpeng Li <wanpengli@tencent.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
    (cherry picked from commit e97f852fd4561e77721bb9a4e0ea9d98305b1e93)
    Signed-off-by: Konstantin Khorenko <khorenko@virtuozzo.com>
    Backport notes: RHEL7 kernel has not splitted oapic-handled and EOI exit
    bitmaps yet: ms commit
      6308630bd3db ("kvm/x86: split ioapic-handled and EOI exit bitmaps").
 arch/x86/kvm/x86.c | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
index e71742b865f8..64f8876a2571 100644
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -6616,10 +6616,13 @@  static void vcpu_scan_ioapic(struct kvm_vcpu *vcpu)
 	else {
 		if (kvm_x86_ops->sync_pir_to_irr && vcpu->arch.apicv_active)
-		kvm_ioapic_scan_entry(vcpu, vcpu->arch.eoi_exit_bitmap);
-		bitmap_or((ulong*)vcpu->arch.eoi_exit_bitmap,
-			  (ulong*)vcpu->arch.eoi_exit_bitmap,
-			  vcpu_to_synic(vcpu)->vec_bitmap, 256);
+		if (ioapic_in_kernel(vcpu->kvm)) {
+			kvm_ioapic_scan_entry(vcpu, vcpu->arch.eoi_exit_bitmap);
+			bitmap_or((ulong*)vcpu->arch.eoi_exit_bitmap,
+				  (ulong*)vcpu->arch.eoi_exit_bitmap,
+				  vcpu_to_synic(vcpu)->vec_bitmap, 256);
+		}