Subject: Re: [PATCH v2] KVM: X86: Fix SMRAM accessing even if VM is shutdown
From: Paolo Bonzini
To: Wanpeng Li, linux-kernel@vger.kernel.org, kvm@vger.kernel.org
Cc: Radim Krčmář
Date: Thu, 8 Feb 2018 11:24:18 +0100
Message-ID: <75e8bfd0-6133-aabf-e1d0-d2e256d62994@redhat.com>
In-Reply-To: <1518075165-5376-1-git-send-email-wanpengli@tencent.com>
References: <1518075165-5376-1-git-send-email-wanpengli@tencent.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On 08/02/2018 08:32, Wanpeng Li wrote:
> From: Wanpeng Li
>
> Reported by syzkaller:
>
> WARNING: CPU: 6 PID: 2434 at arch/x86/kvm/vmx.c:6660 handle_ept_misconfig+0x54/0x1e0 [kvm_intel]
> CPU: 6 PID: 2434 Comm: repro_test Not tainted 4.15.0+ #4
> RIP: 0010:handle_ept_misconfig+0x54/0x1e0 [kvm_intel]
> Call Trace:
>  vmx_handle_exit+0xbd/0xe20 [kvm_intel]
>  kvm_arch_vcpu_ioctl_run+0xdaf/0x1d50 [kvm]
>  kvm_vcpu_ioctl+0x3e9/0x720 [kvm]
>  do_vfs_ioctl+0xa4/0x6a0
>  SyS_ioctl+0x79/0x90
>  entry_SYSCALL_64_fastpath+0x25/0x9c
>
> Syzkaller creates a first thread to issue the KVM_SMI ioctl, and then
> creates a second thread to mmap and operate on the same vCPU. The rsm
> emulation will not be executed, since there is nothing like SeaBIOS
> implementing an SMI handler when running syzkaller directly. This triggers
> a race condition when running the testcase with multiple threads. Sometimes
> one thread exits with the SHUTDOWN reason while another thread mmaps and
> operates on the same vCPU; it continues to use CS=0x30000, IP=0x8000 to
> access the address of the SMI handler, which results in the above EPT
> misconfig. This patch fixes it by returning RET_PF_EMULATE in
> kvm_handle_bad_page(), which causes an emulation failure and then an exit
> with KVM_EXIT_INTERNAL_ERROR, so the VM stops instead of resetting and
> being taken advantage of.
>
> Reported-by: syzbot+c1d9517cab094dae65e446c0c5b4de6c40f4dc58@syzkaller.appspotmail.com
> Cc: Paolo Bonzini
> Cc: Radim Krčmář
> Signed-off-by: Wanpeng Li
> ---
> v1 -> v2:
>  * return RET_PF_EMULATE
>
>  arch/x86/kvm/mmu.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/arch/x86/kvm/mmu.c b/arch/x86/kvm/mmu.c
> index 8eca1d0..6c5a82c 100644
> --- a/arch/x86/kvm/mmu.c
> +++ b/arch/x86/kvm/mmu.c
> @@ -3029,7 +3029,7 @@ static int kvm_handle_bad_page(struct kvm_vcpu *vcpu, gfn_t gfn, kvm_pfn_t pfn) > return RET_PF_RETRY; > } > > - return -EFAULT; > + return RET_PF_EMULATE; > } > > static void transparent_hugepage_adjust(struct kvm_vcpu *vcpu, > Reviewed-by: Paolo Bonzini
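Review bot: the hunk swaps `return -EFAULT;` for `return RET_PF_EMULATE;` at the tail of kvm_handle_bad_page() without a comment, and the commit message only says that the result is an emulation failure ending in KVM_EXIT_INTERNAL_ERROR; a one-line comment above the new return (and a sentence in the commit message) should state that emulation is expected to fail because the faulting pfn has no backing memory, so the vCPU stops rather than re-faulting on the SMI handler address, and the message should confirm that every caller of kvm_handle_bad_page() is prepared to receive RET_PF_EMULATE where it previously got a negative errno.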