From: Wanpeng Li
To: linux-kernel@vger.kernel.org, kvm@vger.kernel.org
Cc: Paolo Bonzini, Radim Krčmář, Wanpeng Li, Dmitry Vyukov
Subject: [PATCH v2] KVM: VMX: Fix vmx->nested freeing when no SMI handler
Date: Wed, 22 Nov 2017 14:04:00 -0800
Message-Id: <1511388240-3163-1-git-send-email-wanpeng.li@hotmail.com>
X-Mailing-List: linux-kernel@vger.kernel.org
From: Wanpeng Li

Reported by syzkaller:

------------[ cut here ]------------
WARNING: CPU: 5 PID: 2939 at arch/x86/kvm/vmx.c:3844 free_loaded_vmcs+0x77/0x80 [kvm_intel]
CPU: 5 PID: 2939 Comm: repro Not tainted 4.14.0+ #26
RIP: 0010:free_loaded_vmcs+0x77/0x80 [kvm_intel]
Call Trace:
 vmx_free_vcpu+0xda/0x130 [kvm_intel]
 kvm_arch_destroy_vm+0x192/0x290 [kvm]
 kvm_put_kvm+0x262/0x560 [kvm]
 kvm_vm_release+0x2c/0x30 [kvm]
 __fput+0x190/0x370
 task_work_run+0xa1/0xd0
 do_exit+0x4d2/0x13e0
 do_group_exit+0x89/0x140
 get_signal+0x318/0xb80
 do_signal+0x8c/0xb40
 exit_to_usermode_loop+0xe4/0x140
 syscall_return_slowpath+0x206/0x230
 entry_SYSCALL_64_fastpath+0x98/0x9a

The syzkaller testcase will execute VMXON/VMLAUNCH instructions, so the vmx->nested stuff is populated; it will also issue the KVM_SMI ioctl. However, the testcase is just a simple C program and is not launched by something like seabios which implements an smi_handler.

Commit 05cade71cf (KVM: nSVM: fix SMI injection in guest mode) gets out of guest mode and sets nested.vmxon to false for the duration of SMM according to SDM 34.14.1 "leave VMX operation" upon entering SMM. We can't alloc/free the vmx->nested stuff each time when entering/exiting SMM since it will induce more overhead. So the function vmx_pre_enter_smm() marks nested.vmxon false even if the vmx->nested stuff is still populated. What it expects is that em_rsm() can mark nested.vmxon true again. However, the smi_handler/rsm will not execute since there is nothing like seabios in this scenario. The function free_nested() fails to free the vmx->nested stuff since vmx->nested.vmxon is false, which results in the above warning.

This patch fixes it by also considering the no SMI handler case. Luckily vmx->nested.smm.vmxon is marked according to the value of vmx->nested.vmxon in vmx_pre_enter_smm(), so we can take advantage of it and free the vmx->nested stuff when L1 goes down.
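The lifecycle described above, as an added C model that is not kernel code: the names nested_model, model_pre_enter_smm, model_rsm, model_free_nested and teardown_leaks are assumptions standing in for the vmx->nested flags and the VMX functions the message names, and `populated` stands in for the allocated vmcs02 state whose leak triggers the free_loaded_vmcs warning.

```c
#include <stdbool.h>

/* Added model, not kernel code: the two flags the patch reasons about
 * (vmx->nested.vmxon, vmx->nested.smm.vmxon) plus a stand-in for the
 * allocated nested state that free_nested() must release. */
struct nested_model {
	bool vmxon;      /* L1 is in VMX operation */
	bool smm_vmxon;  /* vmxon saved by vmx_pre_enter_smm() across SMM */
	bool populated;  /* nested state allocated; leaking it trips the warning */
};

/* Mirrors vmx_pre_enter_smm(): leave VMX operation while in SMM, remembering
 * the old value so em_rsm() can restore it. */
static void model_pre_enter_smm(struct nested_model *n)
{
	n->smm_vmxon = n->vmxon;
	n->vmxon = false;
}

/* Mirrors the RSM path; it never runs when the guest has no SMI handler. */
static void model_rsm(struct nested_model *n)
{
	n->vmxon = n->smm_vmxon;
	n->smm_vmxon = false;
}

/* free_nested() with the old (fix == false) or patched (fix == true) guard.
 * Returns true when the nested state was actually released. */
static bool model_free_nested(struct nested_model *n, bool fix)
{
	if (fix ? (!n->vmxon && !n->smm_vmxon) : !n->vmxon)
		return false;
	n->vmxon = false;
	n->smm_vmxon = false;
	n->populated = false;
	return true;
}

/* Scenario from the report: VMXON, then KVM_SMI, then vCPU teardown.
 * with_rsm selects whether an SMI handler executed RSM before teardown.
 * Returns true if the nested state leaks (old guard, no handler). */
static bool teardown_leaks(bool with_rsm, bool fix)
{
	struct nested_model n = { .vmxon = true, .populated = true };
	model_pre_enter_smm(&n);
	if (with_rsm)
		model_rsm(&n);
	model_free_nested(&n, fix);
	return n.populated;
}
```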
Reported-by: Dmitry Vyukov
Cc: Paolo Bonzini
Cc: Radim Krčmář
Cc: Dmitry Vyukov
Reviewed-by: Liran Alon
Fixes: 05cade71cf (KVM: nSVM: fix SMI injection in guest mode)
Signed-off-by: Wanpeng Li
---
v1 -> v2:
 * also clear nested.smm.vmxon flag

 arch/x86/kvm/vmx.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c index e1f4e29..a62e1af 100644 --- a/arch/x86/kvm/vmx.c +++ b/arch/x86/kvm/vmx.c @@ -7373,10 +7373,11 @@ static inline void nested_release_vmcs12(struct vcpu_vmx *vmx) */ static void free_nested(struct vcpu_vmx *vmx) { - if (!vmx->nested.vmxon) + if (!vmx->nested.vmxon && !vmx->nested.smm.vmxon) return; vmx->nested.vmxon = false; + vmx->nested.smm.vmxon = false; free_vpid(vmx->nested.vpid02); vmx->nested.posted_intr_nv = -1; vmx->nested.current_vmptr = -1ull;
--
2.7.4
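Review bot: the commit message should say why v2 also adds `+ vmx->nested.smm.vmxon = false;` to free_nested(): the body explains that em_rsm() is expected to set nested.vmxon true again from that saved flag, so leaving it set would let a later RSM re-enable VMX operation over state this function has already released. It would also help to note which callers besides vmx_free_vcpu() can reach free_nested() with nested.vmxon false and nested.smm.vmxon true, since the widened guard `if (!vmx->nested.vmxon && !vmx->nested.smm.vmxon)` now releases the nested state for those callers too while L1 is still inside SMM.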