From: Sean Christopherson
To: Paolo Bonzini
Cc: Sean Christopherson, Vitaly Kuznetsov, Wanpeng Li, Jim Mattson, Joerg Roedel, kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Dan Cross, Peter Shier
Subject: [PATCH 5/7] KVM: nVMX: Ensure vmcs01 is the loaded VMCS when freeing nested state
Date: Tue, 14 Jul 2020 21:05:55 -0700
Message-Id: <20200715040557.5889-6-sean.j.christopherson@intel.com>
In-Reply-To: <20200715040557.5889-1-sean.j.christopherson@intel.com>
References: <20200715040557.5889-1-sean.j.christopherson@intel.com>
X-Mailing-List: linux-kernel@vger.kernel.org

Add a WARN in free_nested() to ensure vmcs01 is loaded prior to freeing vmcs02 and friends, and explicitly switch to vmcs01 if it's not. KVM is supposed to keep is_guest_mode() and loaded_vmcs==vmcs02 synchronized, but bugs happen and freeing vmcs02 while it's in use will escalate a KVM error to a use-after-free and potentially crash the kernel.

Do the WARN and switch even in the !vmxon case to help detect latent bugs. free_nested() is not a hot path, and the check is cheap.

Signed-off-by: Sean Christopherson
---
arch/x86/kvm/vmx/nested.c | 3 +++
1 file changed, 3 insertions(+)

diff --git a/arch/x86/kvm/vmx/nested.c b/arch/x86/kvm/vmx/nested.c index e9b27c6478da3..5734bff1a5907 100644 --- a/arch/x86/kvm/vmx/nested.c +++ b/arch/x86/kvm/vmx/nested.c @@ -279,6 +279,9 @@ static void free_nested(struct kvm_vcpu *vcpu) { struct vcpu_vmx *vmx = to_vmx(vcpu); + if (WARN_ON_ONCE(vmx->loaded_vmcs != &vmx->vmcs01)) + vmx_switch_vmcs(vcpu, &vmx->vmcs01); + if (!vmx->nested.vmxon && !vmx->nested.smm.vmxon) return; -- 2.26.0
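Review bot: The recovery path in the new hunk only switches loaded_vmcs back to vmcs01; it does not touch the is_guest_mode() side of the invariant the commit message says KVM is supposed to keep in sync, so after the WARN fires the vCPU is still in an inconsistent state and only the use-after-free is avoided. A one-line comment above the check, e.g. "/* Bug recovery: never free vmcs02 while it is the loaded VMCS. */", would make that intent clear to the next reader, and the commit message could state explicitly that the switch is damage limitation rather than a fix for the underlying desync. Also worth noting that WARN_ON_ONCE reports only the first occurrence, so later hits of the same bug will be silently papered over by the vmx_switch_vmcs() call; if that is acceptable (the message argues it is, since free_nested() is cold), saying so in the changelog saves a future reviewer the question.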