Received: by 2002:a05:6a10:7420:0:0:0:0 with SMTP id hk32csp1541568pxb; Fri, 18 Feb 2022 09:51:23 -0800 (PST) X-Google-Smtp-Source: ABdhPJw2RHF7FoZwx97QuVC/b1LO3A6wcGHERpvqaoHZ0rov63pYlCrypilob+XCbESBHCwEw4Ry X-Received: by 2002:a17:906:3a15:b0:6cf:ea4e:a1cc with SMTP id z21-20020a1709063a1500b006cfea4ea1ccmr7295153eje.753.1645206683439; Fri, 18 Feb 2022 09:51:23 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1645206683; cv=none; d=google.com; s=arc-20160816; b=RsBd9+e8tjO+wIZTZVc4i72xeE6ANZ9zQR4zuK5CYU5ckWEScopGPMLdWBKpebpoZk taJFGxi4xKgNu7+mu2oR5Ck2XqE+MblwXkZj3/JAtaNmw/NfsyLu7sGJXhYrkkEOx4BL BvGyB3wmngUKQ0A0iXsmWr126YznHskYxEp6Ri/K8mwcPiim2TfsjrRCTNaFXK2Sv27d H7Z5HxYeIDP/bCS1hSonVgucgo7o5nlAnu77S2c5yF7HeD6tNKX2+slWmft+TedlZKPP rXc8Xr47c893ImyPbbLWZmrL8jbDCdu3UHiDsCE4z/pn2JUO5KEgr73xe+OOQ/I/L96h Nypw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date:dkim-signature; bh=IktHu5iN5JmjOfLB1UGUCckxpS+Vy4U9FOJp53Urqvs=; b=cmJV1YytYw2lgBikLxfgjP6pxWHWDfRHvWX1FqFiFW+u0vDYTXtl11jz/Cxpr3Ftmb JKFqL6ZIhWwOCvyYh/e7LCBlYpjEQdbqzpGWtIzLnW4AbC+rceEM35fEns/cDgKGRhqE zP6b9S4e9TtSgkBVTsz5NjZ2ftboencajrsj7kk+/elPE9cYGBr9peIY6s6y/4Bd6SCy wdNu2YpKCARpyO8iVqLeYXu/2+51CsfDvSG+7J2Qwyp4WmXK6Yp98NArXbjfXqJUgSer M09VsAICWoV75dMXwNhB0KoEMabP/O6mBJsRs0ikjHxATxvoAlHA2EfFzyhy3DCK6WoF gwZA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20210112 header.b=dlF+yoeg; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id n8si6151796edr.233.2022.02.18.09.50.58; Fri, 18 Feb 2022 09:51:23 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20210112 header.b=dlF+yoeg; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S233766AbiBRQ6l (ORCPT + 99 others); Fri, 18 Feb 2022 11:58:41 -0500 Received: from mxb-00190b01.gslb.pphosted.com ([23.128.96.19]:40906 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S234828AbiBRQ6j (ORCPT ); Fri, 18 Feb 2022 11:58:39 -0500 Received: from mail-pj1-x1034.google.com (mail-pj1-x1034.google.com [IPv6:2607:f8b0:4864:20::1034]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 1319726B7A6 for ; Fri, 18 Feb 2022 08:58:23 -0800 (PST) Received: by mail-pj1-x1034.google.com with SMTP id y9so9119327pjf.1 for ; Fri, 18 Feb 2022 08:58:23 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20210112; h=date:from:to:cc:subject:message-id:references:mime-version :content-disposition:in-reply-to; bh=IktHu5iN5JmjOfLB1UGUCckxpS+Vy4U9FOJp53Urqvs=; b=dlF+yoegUj4oGGAbg6LQmwO98lpn3qy11LCBk+zYzd4+rgiFn3VQxq0u5ajuy/Zbiq GS8kHYvtOIjvdIdey3Qvt4VIeVAJay4pikewHsbB8VEU9jejEn5LtoHfFVwdHgXheo3F xXWySYGd4skxwWGA96mb6JCXDOQdI7x/yynyCOg5d/F45lOL8/f2mS21oa29d2YGm6Nk Dx9MeNtVbdNONahK5G/iguk6OzlATrl8wREhSqILunGDuNPtsu1BFK7ZM76WL6XhmDPm 4+jE2OoyAg478ERp70Kazu1tX7jGcnQtiLvB2wQGEXiBqN9ZQmuR/nm/H+PQDHKZaN12 MalA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:date:from:to:cc:subject:message-id:references :mime-version:content-disposition:in-reply-to; bh=IktHu5iN5JmjOfLB1UGUCckxpS+Vy4U9FOJp53Urqvs=; b=qp7D1DuH2CDTjMv/tNLyMiOVHexzhDvTEqG+aH9HEGi+p17Y5/OvEKEm+BdOVC6ge2 W55LAjKgOJCwt+XEgZ/E+9xGkBHeicx6QwEpAQswOdUC91wcKHz7bbqNPE1HlaZ9t5o+ 85c8rQIzFu8jhTTjA7Eu5knD7X8jmXvXDBOQzWFwLU/4s/4ooFBxk28Ga8YiEUEiifWE i984n73T4nE1cJzwzk9Gt7pYzx6JbwCPEyS8Sl0jeWeTDj5qsQGGHjrWDz+a/7q3QaK5 9T7otj36pB22mUM/XIDzZX0Zv/woBpCsHHsE9USR7Fn6vUwNWpqrlOBGcaeLKqUXKK4b YTuw== X-Gm-Message-State: AOAM531m0NFsiTyR/RaAtUEdOlN6JKY+7N6x00udfLrt18sKk+XcepNk 5xCv6kozmnbZV6RWv+iZaBPerA== X-Received: by 2002:a17:90a:fd10:b0:1bb:8ad7:b351 with SMTP id cv16-20020a17090afd1000b001bb8ad7b351mr13577169pjb.208.1645203502332; Fri, 18 Feb 2022 08:58:22 -0800 (PST) Received: from google.com (157.214.185.35.bc.googleusercontent.com. [35.185.214.157]) by smtp.gmail.com with ESMTPSA id d8sm3883727pfv.84.2022.02.18.08.58.21 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 18 Feb 2022 08:58:21 -0800 (PST) Date: Fri, 18 Feb 2022 16:58:18 +0000 From: Sean Christopherson To: Tadeusz Struk Cc: Paolo Bonzini , Vitaly Kuznetsov , Wanpeng Li , Jim Mattson , Joerg Roedel , kvm@vger.kernel.org, linux-kernel@vger.kernel.org, syzbot+8112db3ab20e70d50c31@syzkaller.appspotmail.com Subject: Re: [PATCH] KVM: x86: Forcibly leave nested virt when SMM state is toggled Message-ID: References: <20220125220358.2091737-1-seanjc@google.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: X-Spam-Status: No, score=-17.6 required=5.0 tests=BAYES_00,DKIMWL_WL_MED, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF, ENV_AND_HDR_SPF_MATCH,RCVD_IN_DNSWL_NONE,SPF_HELO_NONE,SPF_PASS, T_SCC_BODY_TEXT_LINE,USER_IN_DEF_DKIM_WL,USER_IN_DEF_SPF_WL autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, Feb 17, 2022, Tadeusz Struk wrote: > On 1/25/22 14:03, Sean Christopherson wrote: > > Forcibly leave nested virtualization operation if userspace toggles SMM > > state via KVM_SET_VCPU_EVENTS or KVM_SYNC_X86_EVENTS. If userspace > > forces the vCPU out of SMM while it's post-VMXON and then injects an SMI, > > vmx_enter_smm() will overwrite vmx->nested.smm.vmxon and end up with both > > vmxon=false and smm.vmxon=false, but all other nVMX state allocated. > > > > Don't attempt to gracefully handle the transition as (a) most transitions > > are nonsencial, e.g. forcing SMM while L2 is running, (b) there isn't > > sufficient information to handle all transitions, e.g. SVM wants access > > to the SMRAM save state, and (c) KVM_SET_VCPU_EVENTS must precede > > KVM_SET_NESTED_STATE during state restore as the latter disallows putting > > the vCPU into L2 if SMM is active, and disallows tagging the vCPU as > > being post-VMXON in SMM if SMM is not active. > > > > Abuse of KVM_SET_VCPU_EVENTS manifests as a WARN and memory leak in nVMX > > due to failure to free vmcs01's shadow VMCS, but the bug goes far beyond > > just a memory leak, e.g. toggling SMM on while L2 is active puts the vCPU > > in an architecturally impossible state. > > > > WARNING: CPU: 0 PID: 3606 at free_loaded_vmcs arch/x86/kvm/vmx/vmx.c:2665 [inline] > > WARNING: CPU: 0 PID: 3606 at free_loaded_vmcs+0x158/0x1a0 arch/x86/kvm/vmx/vmx.c:2656 > > Modules linked in: > > CPU: 1 PID: 3606 Comm: syz-executor725 Not tainted 5.17.0-rc1-syzkaller #0 > > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 > > RIP: 0010:free_loaded_vmcs arch/x86/kvm/vmx/vmx.c:2665 [inline] > > RIP: 0010:free_loaded_vmcs+0x158/0x1a0 arch/x86/kvm/vmx/vmx.c:2656 > > Code: <0f> 0b eb b3 e8 8f 4d 9f 00 e9 f7 fe ff ff 48 89 df e8 92 4d 9f 00 > > Call Trace: > > > > kvm_arch_vcpu_destroy+0x72/0x2f0 arch/x86/kvm/x86.c:11123 > > kvm_vcpu_destroy arch/x86/kvm/../../../virt/kvm/kvm_main.c:441 [inline] > > kvm_destroy_vcpus+0x11f/0x290 arch/x86/kvm/../../../virt/kvm/kvm_main.c:460 > > kvm_free_vcpus arch/x86/kvm/x86.c:11564 [inline] > > kvm_arch_destroy_vm+0x2e8/0x470 arch/x86/kvm/x86.c:11676 > > kvm_destroy_vm arch/x86/kvm/../../../virt/kvm/kvm_main.c:1217 [inline] > > kvm_put_kvm+0x4fa/0xb00 arch/x86/kvm/../../../virt/kvm/kvm_main.c:1250 > > kvm_vm_release+0x3f/0x50 arch/x86/kvm/../../../virt/kvm/kvm_main.c:1273 > > __fput+0x286/0x9f0 fs/file_table.c:311 > > task_work_run+0xdd/0x1a0 kernel/task_work.c:164 > > exit_task_work include/linux/task_work.h:32 [inline] > > do_exit+0xb29/0x2a30 kernel/exit.c:806 > > do_group_exit+0xd2/0x2f0 kernel/exit.c:935 > > get_signal+0x4b0/0x28c0 kernel/signal.c:2862 > > arch_do_signal_or_restart+0x2a9/0x1c40 arch/x86/kernel/signal.c:868 > > handle_signal_work kernel/entry/common.c:148 [inline] > > exit_to_user_mode_loop kernel/entry/common.c:172 [inline] > > exit_to_user_mode_prepare+0x17d/0x290 kernel/entry/common.c:207 > > __syscall_exit_to_user_mode_work kernel/entry/common.c:289 [inline] > > syscall_exit_to_user_mode+0x19/0x60 kernel/entry/common.c:300 > > do_syscall_64+0x42/0xb0 arch/x86/entry/common.c:86 > > entry_SYSCALL_64_after_hwframe+0x44/0xae > > > > > > Cc: stable@vger.kernel.org > > Reported-by: syzbot+8112db3ab20e70d50c31@syzkaller.appspotmail.com > > Signed-off-by: Sean Christopherson > > Sean, > I can reliably reproduce my original issue [1] that this supposed to fix > on 5.17-rc4, with the same reproducer [2]. Here is a screen dump [3]. > Maybe we do still need my patch. It fixed the issue. This SMM-specific patch fixes something different, the bug that you are still hitting is the FNAME(cmpxchg_gpte) mess. The uaccess CMPXCHG series[*] that properly fixes that issue hasn't been merged yet. ================================================================== BUG: KASAN: use-after-free in ept_cmpxchg_gpte.constprop.0+0x3c3/0x590 Write of size 8 at addr ffff888010000000 by task repro/5633 [*] https://lore.kernel.org/all/20220202004945.2540433-1-seanjc@google.com > > [1] https://lore.kernel.org/all/3789ab35-6ede-34e8-b2d0-f50f4e0f1f15@linaro.org/ > [2] https://syzkaller.appspot.com/text?tag=ReproC&x=173085bdb00000 > [3] https://termbin.com/fkm8f > > -- > Thanks, > Tadeusz