Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753266AbdFQWkP (ORCPT ); Sat, 17 Jun 2017 18:40:15 -0400 Received: from omzsmtpe03.verizonbusiness.com ([199.249.25.208]:14451 "EHLO omzsmtpe03.verizonbusiness.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1753154AbdFQWZZ (ORCPT ); Sat, 17 Jun 2017 18:25:25 -0400 X-IronPort-Anti-Spam-Filtered: false From: "Levin, Alexander (Sasha Levin)" Cc: Dmitry Vyukov , Paolo Bonzini , =?utf-8?B?UmFkaW0gS3LEjW3DocWZ?= , Wanpeng Li , "kvm@vger.kernel.org" , "syzkaller@googlegroups.com" , "Levin, Alexander (Sasha Levin)" X-IronPort-AV: E=Sophos;i="5.39,316,1493683200"; d="scan'208";a="1468716707" X-Host: ranger.odc.vzwcorp.com To: "stable@vger.kernel.org" , "linux-kernel@vger.kernel.org" Subject: [PATCH for v4.9 LTS 14/86] KVM: x86: fix fixing of hypercalls Thread-Topic: [PATCH for v4.9 LTS 14/86] KVM: x86: fix fixing of hypercalls Thread-Index: AQHS57h9NhsomWGrCU6vLpscBwoE6Q== Date: Sat, 17 Jun 2017 22:24:31 +0000 Message-ID: <20170617222420.19316-14-alexander.levin@verizon.com> References: <20170617222420.19316-1-alexander.levin@verizon.com> In-Reply-To: <20170617222420.19316-1-alexander.levin@verizon.com> Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-ms-exchange-messagesentrepresentingtype: 1 x-ms-exchange-transport-fromentityheader: Hosted x-originating-ip: [10.144.60.250] Content-Type: text/plain; charset="utf-8" Content-ID: MIME-Version: 1.0 Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from base64 to 8bit by mail.home.local id v5HMecDd023429 Content-Length: 1986 Lines: 52 From: Dmitry Vyukov [ Upstream commit ce2e852ecc9a42e4b8dabb46025cfef63209234a ] emulator_fix_hypercall() replaces hypercall with vmcall instruction, but it does not handle GP exception properly when writes the new instruction. It can return X86EMUL_PROPAGATE_FAULT without setting exception information. This leads to incorrect emulation and triggers WARN_ON(ctxt->exception.vector > 0x1f) in x86_emulate_insn() as discovered by syzkaller fuzzer: WARNING: CPU: 2 PID: 18646 at arch/x86/kvm/emulate.c:5558 Call Trace: warn_slowpath_null+0x2c/0x40 kernel/panic.c:582 x86_emulate_insn+0x16a5/0x4090 arch/x86/kvm/emulate.c:5572 x86_emulate_instruction+0x403/0x1cc0 arch/x86/kvm/x86.c:5618 emulate_instruction arch/x86/include/asm/kvm_host.h:1127 [inline] handle_exception+0x594/0xfd0 arch/x86/kvm/vmx.c:5762 vmx_handle_exit+0x2b7/0x38b0 arch/x86/kvm/vmx.c:8625 vcpu_enter_guest arch/x86/kvm/x86.c:6888 [inline] vcpu_run arch/x86/kvm/x86.c:6947 [inline] Set exception information when write in emulator_fix_hypercall() fails. Signed-off-by: Dmitry Vyukov Cc: Paolo Bonzini Cc: Radim Krčmář Cc: Wanpeng Li Cc: kvm@vger.kernel.org Cc: syzkaller@googlegroups.com Signed-off-by: Radim Krčmář Signed-off-by: Sasha Levin --- arch/x86/kvm/x86.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c index 62cde4f67c72..ab3f00399cbb 100644 --- a/arch/x86/kvm/x86.c +++ b/arch/x86/kvm/x86.c @@ -6111,7 +6111,8 @@ static int emulator_fix_hypercall(struct x86_emulate_ctxt *ctxt) kvm_x86_ops->patch_hypercall(vcpu, instruction); - return emulator_write_emulated(ctxt, rip, instruction, 3, NULL); + return emulator_write_emulated(ctxt, rip, instruction, 3, + &ctxt->exception); } static int dm_request_for_irq_injection(struct kvm_vcpu *vcpu) -- 2.11.0