From: Wanpeng Li
To: linux-kernel@vger.kernel.org, kvm@vger.kernel.org
Cc: Paolo Bonzini, Radim Krčmář
Subject: [PATCH v2] KVM: X86: Fix SMRAM accessing even if VM is shutdown
Date: Thu, 8 Feb 2018 15:32:45 +0800
Message-Id: <1518075165-5376-1-git-send-email-wanpengli@tencent.com>
X-Mailer: git-send-email 2.7.4
List-ID: <linux-kernel.vger.kernel.org>
From: Wanpeng Li

Reported by syzkaller:

 WARNING: CPU: 6 PID: 2434 at arch/x86/kvm/vmx.c:6660 handle_ept_misconfig+0x54/0x1e0 [kvm_intel]
 CPU: 6 PID: 2434 Comm: repro_test Not tainted 4.15.0+ #4
 RIP: 0010:handle_ept_misconfig+0x54/0x1e0 [kvm_intel]
 Call Trace:
  vmx_handle_exit+0xbd/0xe20 [kvm_intel]
  kvm_arch_vcpu_ioctl_run+0xdaf/0x1d50 [kvm]
  kvm_vcpu_ioctl+0x3e9/0x720 [kvm]
  do_vfs_ioctl+0xa4/0x6a0
  SyS_ioctl+0x79/0x90
  entry_SYSCALL_64_fastpath+0x25/0x9c

The syzkaller creates a first thread to issue the KVM_SMI ioctl, and then
creates a second thread to mmap and operate on the same vCPU; rsm
emulation will not be executed, since there is nothing like seabios which
implements an smi handler when running syzkaller directly. This triggers
a race condition when running the testcase with multiple threads.
Sometimes one thread exits with the SHUTDOWN reason while another thread
mmaps and operates on the same vCPU; it continues to use CS=0x30000,
IP=0x8000 to access the address of the SMI handler, which results in the
above ept misconfig.

This patch fixes it by returning RET_PF_EMULATE in kvm_handle_bad_page(),
which would cause an emulation failure and then an exit with
KVM_EXIT_INTERNAL_ERROR; the VM will stop instead of resetting and being
taken advantage of.

Reported-by: syzbot+c1d9517cab094dae65e446c0c5b4de6c40f4dc58@syzkaller.appspotmail.com
Cc: Paolo Bonzini
Cc: Radim Krčmář
Signed-off-by: Wanpeng Li
---
v1 -> v2:
 * return RET_PF_EMULATE

 arch/x86/kvm/mmu.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/x86/kvm/mmu.c b/arch/x86/kvm/mmu.c
index 8eca1d0..6c5a82c 100644
--- a/arch/x86/kvm/mmu.c
+++ b/arch/x86/kvm/mmu.c
@@ -3029,7 +3029,7 @@ static int kvm_handle_bad_page(struct kvm_vcpu *vcpu, gfn_t gfn, kvm_pfn_t pfn)
 		return RET_PF_RETRY;
 	}
 
-	return -EFAULT;
+	return RET_PF_EMULATE;
 }
 
 static void transparent_hugepage_adjust(struct kvm_vcpu *vcpu,
-- 
2.7.4
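Review bot: the replacement of `return -EFAULT;` with `return RET_PF_EMULATE;` in kvm_handle_bad_page() carries no comment explaining why a bad pfn should now take the emulation path rather than fail hard, and the rationale lives only in the commit message; a one-line comment above the return (that emulation is expected to fail and surface as KVM_EXIT_INTERNAL_ERROR, so a vCPU that has already hit SHUTDOWN cannot keep fetching from the SMI handler address) would keep that intent with the code. The hunk also removes the only negative-errno return of this function, so the commit message should state that every caller of kvm_handle_bad_page() handles RET_PF_EMULATE and that nothing relied on seeing -EFAULT; only this function is visible in the diff, so that cannot be checked from the hunk alone.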