From: Wanpeng Li
To: linux-kernel@vger.kernel.org, kvm@vger.kernel.org
Cc: Paolo Bonzini, Radim Krčmář, Dmitry Vyukov
Subject: [PATCH] KVM: X86: Fix SMRAM accessing even if VM is shutdown
Date: Tue, 6 Feb 2018 22:25:06 -0800
Message-Id: <1517984706-47244-1-git-send-email-wanpengli@tencent.com>
X-Mailer: git-send-email 2.7.4
From: Wanpeng Li

Reported by syzkaller:

WARNING: CPU: 6 PID: 2434 at arch/x86/kvm/vmx.c:6660 handle_ept_misconfig+0x54/0x1e0 [kvm_intel]
CPU: 6 PID: 2434 Comm: repro_test Not tainted 4.15.0+ #4
RIP: 0010:handle_ept_misconfig+0x54/0x1e0 [kvm_intel]
Call Trace:
 vmx_handle_exit+0xbd/0xe20 [kvm_intel]
 kvm_arch_vcpu_ioctl_run+0xdaf/0x1d50 [kvm]
 kvm_vcpu_ioctl+0x3e9/0x720 [kvm]
 do_vfs_ioctl+0xa4/0x6a0
 SyS_ioctl+0x79/0x90
 entry_SYSCALL_64_fastpath+0x25/0x9c

The syzkaller creates a former thread to issue the KVM_SMI ioctl, and then creates a latter thread to mmap and operate on the same vCPU. rsm emulation will not be executed since there is nothing like seabios which implements an smi handler when running syzkaller directly. This triggers a race condition when running the testcase with multiple threads. Sometimes one thread exits w/ SHUTDOWN reason, another thread mmaps and operates on the same vCPU; it continues to use CS=0x30000, IP=0x8000 to access the address of the SMI handler, which results in the above ept misconfig.

This patch fixes it by bailing out immediately if the vCPU is marked with the EXIT_SHUTDOWN reason.

Reported-by: Dmitry Vyukov
Cc: Dmitry Vyukov
Cc: Paolo Bonzini
Cc: Radim Krčmář
Signed-off-by: Wanpeng Li
---
 arch/x86/kvm/x86.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c index 786cd00..445e702 100644 --- a/arch/x86/kvm/x86.c +++ b/arch/x86/kvm/x86.c @@ -7458,6 +7458,11 @@ int kvm_arch_vcpu_ioctl_run(struct kvm_vcpu *vcpu, struct kvm_run *kvm_run) goto out; } + if (unlikely(vcpu->run->exit_reason == KVM_EXIT_SHUTDOWN)) { + r = -EINVAL; + goto out; + } + if (vcpu->run->kvm_dirty_regs) { r = sync_regs(vcpu); if (r != 0)

-- 
2.7.4
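Review bot: the new check keys on vcpu->run->exit_reason, a field in the kvm_run page that userspace mmaps and can write at will (the commit message's second thread is doing exactly that), so it does not close the race it describes: the other thread can overwrite exit_reason, or never have observed the shutdown at all, and KVM_RUN proceeds with the in-kernel vCPU still parked at the SMI entry point (CS=0x30000, IP=0x8000). It also changes behaviour for well-behaved VMMs, because KVM does not clear exit_reason on entry: a userspace that handles KVM_EXIT_SHUTDOWN by resetting the vCPU through KVM_SET_REGS/KVM_SET_SREGS and calling KVM_RUN again would now get -EINVAL until it rewrites the shared field itself. Consider recording the shutdown in kernel-owned vCPU state that the normal reset path clears, rather than in kvm_run, and if a hard error is kept, document it in the KVM_RUN section of the API documentation; -EINVAL also reads as "bad argument" where the condition is really "vCPU not runnable".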