From: Sean Christopherson
To: Paolo Bonzini
Cc: Sean Christopherson, Vitaly Kuznetsov, Wanpeng Li, Jim Mattson, Joerg Roedel, kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Dan Cross, Peter Shier
Subject: [PATCH v2 5/7] KVM: nVMX: Ensure vmcs01 is the loaded VMCS when freeing nested state
Date: Wed, 23 Sep 2020 11:44:50 -0700
Message-Id: <20200923184452.980-6-sean.j.christopherson@intel.com>
X-Mailer: git-send-email 2.28.0
In-Reply-To: <20200923184452.980-1-sean.j.christopherson@intel.com>
References: <20200923184452.980-1-sean.j.christopherson@intel.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

Add a WARN in free_nested() to ensure vmcs01 is loaded prior to freeing
vmcs02 and friends, and explicitly switch to vmcs01 if it's not. KVM is
supposed to keep is_guest_mode() and loaded_vmcs==vmcs02 synchronized,
but bugs happen and freeing vmcs02 while it's in use will escalate a KVM
error to a use-after-free and potentially crash the kernel.

Do the WARN and switch even in the !vmxon case to help detect latent
bugs. free_nested() is not a hot path, and the check is cheap.

Signed-off-by: Sean Christopherson
---
 arch/x86/kvm/vmx/nested.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/arch/x86/kvm/vmx/nested.c b/arch/x86/kvm/vmx/nested.c
index 03dddf1b6009..3e6cc0d7090e 100644
--- a/arch/x86/kvm/vmx/nested.c
+++ b/arch/x86/kvm/vmx/nested.c
@@ -279,6 +279,9 @@ static void free_nested(struct kvm_vcpu *vcpu) { struct vcpu_vmx *vmx = to_vmx(vcpu); + if (WARN_ON_ONCE(vmx->loaded_vmcs != &vmx->vmcs01)) + vmx_switch_vmcs(vcpu, &vmx->vmcs01); + if (!vmx->nested.vmxon && !vmx->nested.smm.vmxon) return;
-- 
2.28.0
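Review bot: the new WARN_ON_ONCE() in free_nested() is deliberately placed ahead of the `if (!vmx->nested.vmxon && !vmx->nested.smm.vmxon) return;` early exit (the commit message says the check should run even in the !vmxon case), but nothing in the code records that intent; a one-line comment above the check would keep a later cleanup from moving it below the return. The same comment should say that `vmx_switch_vmcs(vcpu, &vmx->vmcs01)` only repairs loaded_vmcs: the is_guest_mode() bookkeeping that the message says is kept in sync with loaded_vmcs==vmcs02 is not touched by this hunk, so the switch is a best-effort recovery that avoids the use-after-free rather than a full exit from nested state, and a reader of the WARN splat should expect the vCPU to still be inconsistent afterwards.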