Received: by 2002:a05:6a10:206:0:0:0:0 with SMTP id 6csp5218459pxj; Wed, 9 Jun 2021 12:00:39 -0700 (PDT) X-Google-Smtp-Source: ABdhPJzDqouzcxNf9qhv4cmYeQN+HEioEeNkM5RczCfbvTco6COj0v8pK010ynHsjxSdlZroisbh X-Received: by 2002:a17:906:27d6:: with SMTP id k22mr1193823ejc.323.1623265239039; Wed, 09 Jun 2021 12:00:39 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1623265239; cv=none; d=google.com; s=arc-20160816; b=KEVYrvBabpIZ/kwitoatvcHpnKHejHp1j4IWNl68K/n02hZJsXM9Yb9nleL033QdSV j/YpvWC47lfi8yMG4PrzXBIiHHzJ7iMeOX6mI4mdGj43+ptGpMp0GV3j15UT7SlzB7Ye pH2y3lV1WQZwAalfH3EVVIE4Xciw0/8Zm/hH2Np+rWfjAQkfwxfZATl+z8DOUFs+eDAD H9zygARZ79dIj/wkpRG+MRhOLYyEjYzbC2Uw2keKSjkoe0e8arKlj2IDc+zJNK+bFwg+ 20w0fENmjtcGSkjWr6enNaKNW+b4GOVURYTljg182BPdfoMtC153JySPn/QzyxlPbamj dPDA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:from:subject:mime-version:message-id:date :reply-to:dkim-signature; bh=9Ta4e4/TJDLA01JqUO5pruLWLZ3Bol4XK6b4bxWUzqQ=; b=GagFndDJnATDPXM9WKoLFqaNPvJwpPg0/HIxLBQf4iLn+2tOfM40FuUkkzEnp1MWFV VIBlYHgAXaRRUJ/8PHW57VgPDV3BZB+6YZCXMME5VhBBG2ooNxbkkk+sVsqOwcDL8miU s6VJe1rHiQ1yWvsmG/qqUsqk/5/poh3SupX+eBwi4p/0JW64ZB0EkASPAGuF/VHIJWqm +2aui3cmk5yOocapmpFxBjqldmzPPt6cGQH48Gd9jqXy8bVM+qrhrUApbn6F0l55Aimj EKJmKV2lQmF2zMWao7F5S38jfK1KM17O1cA+xAwLgujEb8GDrX9FTmbKeP3ymfQ7e0BA 02PA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=YJnXxzDl; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id a15si409690edr.192.2021.06.09.12.00.14; Wed, 09 Jun 2021 12:00:39 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=YJnXxzDl; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230190AbhFIS7k (ORCPT + 99 others); Wed, 9 Jun 2021 14:59:40 -0400 Received: from mail-qt1-f201.google.com ([209.85.160.201]:45939 "EHLO mail-qt1-f201.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230223AbhFIS7j (ORCPT ); Wed, 9 Jun 2021 14:59:39 -0400 Received: by mail-qt1-f201.google.com with SMTP id c17-20020a05622a0591b0290249aef9a5d5so2104671qtb.12 for ; Wed, 09 Jun 2021 11:57:31 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=reply-to:date:message-id:mime-version:subject:from:to:cc; bh=9Ta4e4/TJDLA01JqUO5pruLWLZ3Bol4XK6b4bxWUzqQ=; b=YJnXxzDl4pi23RrNFK2eDoU54ZqtkFj1nQHZ+3Yt/ozWjyChgxPpctDzKNLgx5xkYT O5NxBdDcdED+4Z8RhFH1OhdDg3h9Zl0mjFYjuxLjtj8oB0KZ6dKNDxU6OvjeXEHcM102 Yn3uwvIBnBQafroppL4HvSjeey+zHt5uXcJmWsRBLDQ8dnPM6Bw6VCMOHhsox3h6OJVc ejQsaUtkx8xmPu1O/4Tx2Gl8olM+Qo57JlgWnEt6wFQuhYwbGP+2Cxa483L5b6AjSr1E cvD0OBOF9cKVXwIPL+HkrLclje0/lzMCi/QZH+GyLdHALjy0ZC2DPwvwVynX/Sjkq+3H TmIQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:reply-to:date:message-id:mime-version:subject :from:to:cc; bh=9Ta4e4/TJDLA01JqUO5pruLWLZ3Bol4XK6b4bxWUzqQ=; b=aSSr0QQJvhBbqlorNKDd8UBcgwDM5foDxZetA8Tf83gvWx8U38Qjvf4KZkUQyA6R7y /5GGycyg/nk5oN//VVOAtSWGbfgTNSUY7lqCumWqgAGTKk+cSXH5pSQcKFPpxhahuEW1 G11lXkFQB3vegYahpua5a4Ww+iUSTA1fH1tf3QFbhkhkizI4lA0Cj2qWwUBlp5BzL4cP M/Bxe8sPpp6E5cwKjTNNLqUKsxQakCYisJc0E0Jn+0+gcyj4T2ElN7rVzXoHENEfhhkg /rVOBOYPg78d1zZgx1fxaVnoSSoT8RU/YlAYisJpa2tKyTGs1qkzgbnE9Pv7waozxAQY h1Jw== X-Gm-Message-State: AOAM5318Bvw6oQky/5AnvQNTM+2Gqo5/5E4YRBVMtuM1bi1KpVlV89lH KbPOrctfpXOZ1XLrtmFqG4qJqmYEvis= X-Received: from seanjc798194.pdx.corp.google.com ([2620:15c:f:10:bfdc:c2e5:77b1:8ef3]) (user=seanjc job=sendgmr) by 2002:ad4:4e47:: with SMTP id eb7mr1527372qvb.40.1623264991162; Wed, 09 Jun 2021 11:56:31 -0700 (PDT) Reply-To: Sean Christopherson Date: Wed, 9 Jun 2021 11:56:10 -0700 Message-Id: <20210609185619.992058-1-seanjc@google.com> Mime-Version: 1.0 X-Mailer: git-send-email 2.32.0.rc1.229.g3e70b5a671-goog Subject: [PATCH 0/9] KVM: x86: Fix NULL pointer #GP due to RSM bug From: Sean Christopherson To: Paolo Bonzini Cc: Sean Christopherson , Vitaly Kuznetsov , Wanpeng Li , Jim Mattson , Joerg Roedel , kvm@vger.kernel.org, linux-kernel@vger.kernel.org, syzbot+fb0b6a7e8713aeb0319c@syzkaller.appspotmail.com Content-Type: text/plain; charset="UTF-8" Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Fix a NULL pointer dereference in gfn_to_rmap() that occurs if RSM fails, reported by syzbot. The immediate problem is that the MMU context's role gets out of sync because KVM clears the SMM flag in the vCPU at the start of RSM emulation, but only resets the MMU context if RSM succeeds. The divergence in vCPU vs. MMU role with respect to the SMM flag causes explosions if the non-SMM memslots have gfn ranges that are not present in the SMM memslots, because the MMU expects that the memslot for a shadow page cannot magically disappear. The other obvious problem is that KVM doesn't emulate triple fault on RSM failure, e.g. it keeps running the vCPU in a frankenstate instead of exiting to userspace. Fixing that would squash the syzbot repro, but would not fix the underlying issue because nothing prevents userspace from calling KVM_RUN on a vCPU that hit shutdown (yay lack of a shutdown state). But, it's easy to fix and definitely worth doing. Everything after the two bug fixes is cleanup. Ben Gardon has an internal patch or two that guards against the NULL pointer dereference in gfn_to_rmap(). I'm planning on getting that functionality posted (needs a little massaging) so that these types of snafus don't crash the host (this isn't the first time I've introduced a bug that broke gfn_to_rmap(), though thankfully it's the first time such a bug has made it upstream, knock on wood). Amusingly, adding gfn_to_rmap() NULL memslot checks might even be a performance improvement. Because gfn_to_rmap() doesn't check the memslot before using it, and because the compiler can see the search_memslots() returns NULL/0, gcc often/always generates dedicated (and hilarious) code for NULL, e.g. this #GP was caused by an explicit load from 0: 48 8b 14 25 00 00 00 00 mov 0x0,%rdx Sean Christopherson (9): KVM: x86: Immediately reset the MMU context when the SMM flag is cleared KVM: x86: Emulate triple fault shutdown if RSM emulation fails KVM: x86: Replace .set_hflags() with dedicated .exiting_smm() helper KVM: x86: Invoke kvm_smm_changed() immediately after clearing SMM flag KVM: x86: Move (most) SMM hflags modifications into kvm_smm_changed() KVM: x86: Move "entering SMM" tracepoint into kvm_smm_changed() KVM: x86: Rename SMM tracepoint to make it reflect reality KVM: x86: Drop .post_leave_smm(), i.e. the manual post-RSM MMU reset KVM: x86: Drop "pre_" from enter/leave_smm() helpers arch/x86/include/asm/kvm-x86-ops.h | 4 +-- arch/x86/include/asm/kvm_host.h | 4 +-- arch/x86/kvm/emulate.c | 31 ++++++++++------- arch/x86/kvm/kvm_emulate.h | 7 ++-- arch/x86/kvm/svm/svm.c | 8 ++--- arch/x86/kvm/trace.h | 2 +- arch/x86/kvm/vmx/vmx.c | 8 ++--- arch/x86/kvm/x86.c | 53 +++++++++++++++--------------- 8 files changed, 61 insertions(+), 56 deletions(-) -- 2.32.0.rc1.229.g3e70b5a671-goog