Received: by 2002:a05:6a10:206:0:0:0:0 with SMTP id 6csp520718pxj;
        Thu, 10 Jun 2021 06:32:23 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJzfIbvYMW2uj7ivbwamz/igQVyvyW+gU2Ck7uLm9TyhFZdm3hO9wqYxCR+GiupPTvIFvX1f
X-Received: by 2002:a17:906:d0c9:: with SMTP id bq9mr4470834ejb.313.1623331942923;
        Thu, 10 Jun 2021 06:32:22 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1623331942; cv=none;
        d=google.com; s=arc-20160816;
        b=zLzY3CEKdgih732Tikazl8mbUO84jb8a61htiGJu5p7TRNPIxuzvtCsGS6gD4mvjm5
         wluiyGP/vRHJ7XKXZD415vlfRvVm5yFI3fJGElhWudk+YDeery0lCRWPEXOVT5hY6GoQ
         EMYUs0KNud+AHwit4xphyjLdo1diC15A3QLN5gyhys4rh7YZ0LqLuO2Y333iJTAfW0Ag
         yQpQaYUUjQQlVenQAj96Z0OKzyg/Yy3H/HTCxn7kOWEu30EtiZgIqo01TXb6GkKBazd1
         tuxn8EjFdzr+2aKNP0p7GOXZhdgGfsB7ymaQ3+XrPxydqF1VutGoglYdTgp+BbrGCtTO
         nDdA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:content-language
         :in-reply-to:mime-version:user-agent:date:message-id:from:references
         :cc:to:subject:dkim-signature;
        bh=PlqPawYArazO4EePzETjFqSxt008hDP9xscnSm3Mc0w=;
        b=uGg1fTV+DJUsoeb0EzZdwtgzLwGbJM5L108EaksUrbseTBXUVm1TA5OcFpdpRZ4SNV
         +b5dGFer66k80J4gaw2hxxXGRUnH3u9fKA0Vp9YSJpmGYyY/byodhNv7xQIFyYWOfXkd
         LjQo/fzDxWM+Foq3NZF1OEcJbvpD7nGaEcBTZ7nD3NOxcWSYCaH0CAbDlSj1E+nqcojz
         i9+bDTaOOrANdzqrN9DEeba6IHaryXXfgrYFEoMyOrpytnM3QKSlwgbj7YwsYumxmRMH
         kNX4l7ehqiD0W/EzQa68km6IT2WaBobF4QtShh0B/9t7jsAxmz76n4vs8aL6dJjc/+Xf
         x/PA==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=dKPIxFJ6;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id m9si2291379eds.467.2021.06.10.06.31.58;
        Thu, 10 Jun 2021 06:32:22 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=dKPIxFJ6;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S230511AbhFJNa4 (ORCPT <rfc822;lyj496332184@gmail.com>
        + 99 others); Thu, 10 Jun 2021 09:30:56 -0400
Received: from us-smtp-delivery-124.mimecast.com ([216.205.24.124]:32721 "EHLO
        us-smtp-delivery-124.mimecast.com" rhost-flags-OK-OK-OK-OK)
        by vger.kernel.org with ESMTP id S230410AbhFJNaz (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 10 Jun 2021 09:30:55 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;
        s=mimecast20190719; t=1623331739;
        h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
         to:to:cc:cc:mime-version:mime-version:content-type:content-type:
         content-transfer-encoding:content-transfer-encoding:
         in-reply-to:in-reply-to:references:references;
        bh=PlqPawYArazO4EePzETjFqSxt008hDP9xscnSm3Mc0w=;
        b=dKPIxFJ6BRoY81iV9SeeAUBLpKBJZHNpT6Q64+YZ8eJbsYqlqjiz29gSSiddlUsyJBVRnB
        A0+V2OJacPXk/9GXfpPIeDTqd+jyGw8YZwQgxxZ8SaA/BF026BeHZbknMaTe+SmSY+Nnjy
        2Xar5aewRylPtsL/YUloniBHsQ2YsN4=
Received: from mail-wr1-f70.google.com (mail-wr1-f70.google.com
 [209.85.221.70]) (Using TLS) by relay.mimecast.com with ESMTP id
 us-mta-501-HgVcy08jOPOIqj91I9t1pQ-1; Thu, 10 Jun 2021 09:28:57 -0400
X-MC-Unique: HgVcy08jOPOIqj91I9t1pQ-1
Received: by mail-wr1-f70.google.com with SMTP id g14-20020a5d698e0000b0290117735bd4d3so886476wru.13
        for <linux-kernel@vger.kernel.org>; Thu, 10 Jun 2021 06:28:57 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:subject:to:cc:references:from:message-id:date
         :user-agent:mime-version:in-reply-to:content-language
         :content-transfer-encoding;
        bh=PlqPawYArazO4EePzETjFqSxt008hDP9xscnSm3Mc0w=;
        b=qLwaaVedWyZkh7bbtKdusbqlcfbmIP7jJcNAdmAAHNvw5rYVDkSgU3wWsHas847tvN
         Q1Ovs7M7knZVE4tbMQb/7PmPVPVtT/3tgvxZ+ob6LLgAN2K76CbM6qG9kT47dHrgdH0t
         N0Kz8+e7hoJZ7S+7WlgFcGMQaUTAYa47GOP6DLBDYJG6zHrEaFA9aIJJXs1uGGoQgiE4
         0BOXBxMrvHm04NwoK1NTai3DxhYqfON2pkUAfS70FGjzJbpDRq8g5p0fNxdeAxJ0N/Tb
         3Emwu+wUVMy0HqwPV2QEtMqU696Uz0BRpnWWXEbhSZ0UF+pOTwxkCj05n+O+xvRmenkz
         nYIg==
X-Gm-Message-State: AOAM530W5+yosxdlUy+/SVWC9xn1jk5KMqNxeZOLN1qT2eotzeFTzAfd
        GHKSOZFCgtrYnitPSjoxK018uita/ZFs0rPm7cBgK97o9Ic94pkVb9NMaDEK7Fk+lP44or+DKrT
        QjXQbYIX7HUD8sFZ10Jeka95+
X-Received: by 2002:a05:6000:1889:: with SMTP id a9mr5575599wri.288.1623331736723;
        Thu, 10 Jun 2021 06:28:56 -0700 (PDT)
X-Received: by 2002:a05:6000:1889:: with SMTP id a9mr5575578wri.288.1623331736489;
        Thu, 10 Jun 2021 06:28:56 -0700 (PDT)
Received: from ?IPv6:2001:b07:6468:f312:63a7:c72e:ea0e:6045? ([2001:b07:6468:f312:63a7:c72e:ea0e:6045])
        by smtp.gmail.com with ESMTPSA id v132sm10354950wmb.14.2021.06.10.06.28.55
        (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128);
        Thu, 10 Jun 2021 06:28:55 -0700 (PDT)
Subject: Re: [PATCH 0/9] KVM: x86: Fix NULL pointer #GP due to RSM bug
To:     Sean Christopherson <seanjc@google.com>
Cc:     Vitaly Kuznetsov <vkuznets@redhat.com>,
        Wanpeng Li <wanpengli@tencent.com>,
        Jim Mattson <jmattson@google.com>,
        Joerg Roedel <joro@8bytes.org>, kvm@vger.kernel.org,
        linux-kernel@vger.kernel.org,
        syzbot+fb0b6a7e8713aeb0319c@syzkaller.appspotmail.com
References: <20210609185619.992058-1-seanjc@google.com>
From:   Paolo Bonzini <pbonzini@redhat.com>
Message-ID: <685b11c1-54a6-3a52-8157-4a10a95251ca@redhat.com>
Date:   Thu, 10 Jun 2021 15:28:54 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101
 Thunderbird/78.10.1
MIME-Version: 1.0
In-Reply-To: <20210609185619.992058-1-seanjc@google.com>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On 09/06/21 20:56, Sean Christopherson wrote:
> Fix a NULL pointer dereference in gfn_to_rmap() that occurs if RSM fails,
> reported by syzbot.
> 
> The immediate problem is that the MMU context's role gets out of sync
> because KVM clears the SMM flag in the vCPU at the start of RSM emulation,
> but only resets the MMU context if RSM succeeds.  The divergence in vCPU
> vs. MMU role with respect to the SMM flag causes explosions if the non-SMM
> memslots have gfn ranges that are not present in the SMM memslots, because
> the MMU expects that the memslot for a shadow page cannot magically
> disappear.
> 
> The other obvious problem is that KVM doesn't emulate triple fault on RSM
> failure, e.g. it keeps running the vCPU in a frankenstate instead of
> exiting to userspace.  Fixing that would squash the syzbot repro, but
> would not fix the underlying issue because nothing prevents userspace from
> calling KVM_RUN on a vCPU that hit shutdown (yay lack of a shutdown state).
> But, it's easy to fix and definitely worth doing.
> 
> Everything after the two bug fixes is cleanup.
> 
> Ben Gardon has an internal patch or two that guards against the NULL
> pointer dereference in gfn_to_rmap().  I'm planning on getting that
> functionality posted (needs a little massaging) so that these types of
> snafus don't crash the host (this isn't the first time I've introduced a
> bug that broke gfn_to_rmap(), though thankfully it's the first time such
> a bug has made it upstream, knock on wood).
> 
> Amusingly, adding gfn_to_rmap() NULL memslot checks might even be a
> performance improvement.  Because gfn_to_rmap() doesn't check the memslot
> before using it, and because the compiler can see the search_memslots()
> returns NULL/0, gcc often/always generates dedicated (and hilarious) code
> for NULL, e.g. this #GP was caused by an explicit load from 0:
> 
>    48 8b 14 25 00 00 00 00	mov    0x0,%rdx
> 
> 
> Sean Christopherson (9):
>    KVM: x86: Immediately reset the MMU context when the SMM flag is
>      cleared
>    KVM: x86: Emulate triple fault shutdown if RSM emulation fails
>    KVM: x86: Replace .set_hflags() with dedicated .exiting_smm() helper
>    KVM: x86: Invoke kvm_smm_changed() immediately after clearing SMM flag
>    KVM: x86: Move (most) SMM hflags modifications into kvm_smm_changed()
>    KVM: x86: Move "entering SMM" tracepoint into kvm_smm_changed()
>    KVM: x86: Rename SMM tracepoint to make it reflect reality
>    KVM: x86: Drop .post_leave_smm(), i.e. the manual post-RSM MMU reset
>    KVM: x86: Drop "pre_" from enter/leave_smm() helpers
> 
>   arch/x86/include/asm/kvm-x86-ops.h |  4 +--
>   arch/x86/include/asm/kvm_host.h    |  4 +--
>   arch/x86/kvm/emulate.c             | 31 ++++++++++-------
>   arch/x86/kvm/kvm_emulate.h         |  7 ++--
>   arch/x86/kvm/svm/svm.c             |  8 ++---
>   arch/x86/kvm/trace.h               |  2 +-
>   arch/x86/kvm/vmx/vmx.c             |  8 ++---
>   arch/x86/kvm/x86.c                 | 53 +++++++++++++++---------------
>   8 files changed, 61 insertions(+), 56 deletions(-)
> 

Queued 2-9 too for 5.14, with Vitaly's suggested change for patch 2.

Paolo