Message-ID: <5A1546A7.4080506@ORACLE.COM>
Date: Wed, 22 Nov 2017 11:43:03 +0200
From: Liran Alon
To: Wanpeng Li
CC: linux-kernel@vger.kernel.org, kvm, Paolo Bonzini, Radim Krčmář, Wanpeng Li, Dmitry Vyukov
Subject: Re: [PATCH] KVM: VMX: Fix vmx->nested freeing when no SMI handler
References: <1511337410-8100-1-git-send-email-wanpeng.li@hotmail.com> <5A153926.7030004@ORACLE.COM> <5A153E5B.2060104@ORACLE.COM>
X-Mailing-List: linux-kernel@vger.kernel.org

On 22/11/17 11:31, Wanpeng Li wrote:
> 2017-11-22 17:07 GMT+08:00 Liran Alon :
>>
>> On 22/11/17 10:45, Liran Alon wrote:
>>>
>>> On 22/11/17 09:56, Wanpeng Li wrote:
>>>>
>>>> From: Wanpeng Li
>>>>
>>>> Reported by syzkaller:
>>>>
>>>> ------------[ cut here ]------------
>>>> WARNING: CPU: 5 PID: 2939 at arch/x86/kvm/vmx.c:3844 free_loaded_vmcs+0x77/0x80 [kvm_intel]
>>>> CPU: 5 PID: 2939 Comm: repro Not tainted 4.14.0+ #26
>>>> RIP: 0010:free_loaded_vmcs+0x77/0x80 [kvm_intel]
>>>> Call Trace:
>>>>  vmx_free_vcpu+0xda/0x130 [kvm_intel]
>>>>  kvm_arch_destroy_vm+0x192/0x290 [kvm]
>>>>  kvm_put_kvm+0x262/0x560 [kvm]
>>>>  kvm_vm_release+0x2c/0x30 [kvm]
>>>>  __fput+0x190/0x370
>>>>  task_work_run+0xa1/0xd0
>>>>  do_exit+0x4d2/0x13e0
>>>>  do_group_exit+0x89/0x140
>>>>  get_signal+0x318/0xb80
>>>>  do_signal+0x8c/0xb40
>>>>  exit_to_usermode_loop+0xe4/0x140
>>>>  syscall_return_slowpath+0x206/0x230
>>>>  entry_SYSCALL_64_fastpath+0x98/0x9a
>>>>
>>>> The syzkaller testcase will execute VMXON/VMLAUNCH instructions, so the
>>>> vmx->nested stuff is populated; it will also issue the KVM_SMI ioctl. However,
>>>> the testcase is just a simple C program and is not launched by something
>>>> like seabios which implements an smi_handler. Commit 05cade71cf (KVM: nSVM:
>>>> fix SMI injection in guest mode) gets out of guest mode and sets nested.vmxon
>>>> to false for the duration of SMM according to SDM 34.14.1 "leave VMX
>>>> operation" upon entering SMM. We can't alloc/free the vmx->nested stuff
>>>> each time when entering/exiting SMM since it will induce more overhead. So
>>>> the function vmx_pre_enter_smm() marks nested.vmxon false even if the
>>>> vmx->nested stuff is still populated. What is expected is that em_rsm() can
>>>> mark nested.vmxon true again. However, the smi_handler/rsm will not execute
>>>> since there is nothing like seabios in this scenario. The function
>>>> free_nested() fails to free the vmx->nested stuff since vmx->nested.vmxon
>>>> is false, which results in the above warning.
>>>>
>>>> This patch fixes it by also considering the no SMI handler case. Luckily
>>>> vmx->nested.smm.vmxon is marked according to the value of vmx->nested.vmxon
>>>> in vmx_pre_enter_smm(), so we can take advantage of it and free the
>>>> vmx->nested stuff when L1 goes down.
>>>>
>>>> Reported-by: Dmitry Vyukov
>>>> Cc: Paolo Bonzini
>>>> Cc: Radim Krčmář
>>>> Cc: Dmitry Vyukov
>>>> Fixes: 05cade71cf (KVM: nSVM: fix SMI injection in guest mode)
>>>> Signed-off-by: Wanpeng Li
>>>> ---
>>>>  arch/x86/kvm/vmx.c | 2 +-
>>>>  1 file changed, 1 insertion(+), 1 deletion(-)
>>>>
>>>> diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
>>>> index dccc0f7..ed22425 100644
>>>> --- a/arch/x86/kvm/vmx.c
>>>> +++ b/arch/x86/kvm/vmx.c
>>>> @@ -7372,7 +7372,7 @@ static inline void nested_release_vmcs12(struct
>>>> vcpu_vmx *vmx)
>>>> */
>>>> static void free_nested(struct vcpu_vmx *vmx)
>>>> {
>>>> - if (!vmx->nested.vmxon)
>>>> + if (!vmx->nested.vmxon && !vmx->nested.smm.vmxon)
>>>> return;
>>>>
>>>> vmx->nested.vmxon = false;
>>>>
>>> Funny bug. Great analysis.
>>> Reviewed-by: Liran Alon
>>
>> Actually, I would add one more thing to the patch:
>> I think we should also set "vmx->nested.smm.vmxon = false;" after
>> "vmx->nested.vmxon = false;" to correctly handle the case where VMXOFF is
>> executed from the SMI handler. Otherwise, when the SMI handler executes RSM,
>> we will reach vmx_pre_leave_smm() which will again set
>> "vmx->nested.vmxon = true;", which I think shouldn't happen.
>
> I didn't see a real scenario for this.

Actually I later saw that handle_vmoff() calls nested_vmx_check_permission(),
which indeed won't allow execution to continue if running from SMI because
vmx->nested.vmxon=false, and therefore this will raise a #UD.
So you are right. :)

>
> Regards,
> Wanpeng Li
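Review bot: the new guard in free_nested() depends on an invariant that is stated only in the commit message (nested.smm.vmxon is a snapshot of nested.vmxon taken in vmx_pre_enter_smm(), and nested.vmxon is cleared for the duration of SMM), but the function comment that closes just above the hunk (`*/`) does not mention it, so a later reader could "simplify" the condition back to `if (!vmx->nested.vmxon)` and reintroduce the leak. Suggest a short comment above the `if`, e.g. `/* nested.vmxon is cleared while in SMM; smm.vmxon says the nested state is still populated */`. The same comment could record that the body still clears only `vmx->nested.vmxon = false;` and nothing in the hunk resets `vmx->nested.smm.vmxon`, which the thread concludes is acceptable because handle_vmoff() goes through nested_vmx_check_permission() and raises #UD while in SMM, so the VMXOFF-from-SMI-handler path is not reachable.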
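As an added example that is not part of the thread or of KVM, a small C model of the two flags the commit message describes, showing that with the original guard the sequence VMXON, KVM_SMI without any RSM, then vCPU teardown leaves the nested state allocated, while the patched guard frees it. The function names mirror the KVM functions they stand in for; the bodies, including the flag handling in model_pre_leave_smm(), are assumptions of the model, not KVM code.

```c
/* Added example, not KVM code: toy model of the nested.vmxon / nested.smm.vmxon flags from the thread. */
#include <stdbool.h>
#include <stdlib.h>

struct nested_model {
	bool vmxon;      /* L1 executed VMXON; cleared for the duration of SMM */
	bool smm_vmxon;  /* snapshot of vmxon taken on SMM entry */
	void *state;     /* stands in for the allocated vmx->nested resources */
};

/* vmx_pre_enter_smm(): "leave VMX operation" on SMM entry, remember the old state */
static void model_pre_enter_smm(struct nested_model *n)
{
	n->smm_vmxon = n->vmxon;
	n->vmxon = false;
}

/* vmx_pre_leave_smm(): RSM restores vmxon from the snapshot (model assumption) */
static void model_pre_leave_smm(struct nested_model *n)
{
	n->vmxon = n->smm_vmxon;
	n->smm_vmxon = false;
}

/* free_nested() with the original guard (patched == false) or the patched one */
static void model_free_nested(struct nested_model *n, bool patched)
{
	bool populated = patched ? (n->vmxon || n->smm_vmxon) : n->vmxon;
	if (!populated)
		return;
	n->vmxon = false;
	free(n->state);
	n->state = NULL;
}

/* VMXON, KVM_SMI, optional RSM, then vCPU teardown. Returns true when teardown
 * leaves state allocated, the condition behind the free_loaded_vmcs WARNING. */
bool teardown_leaks(bool smi_handler_runs_rsm, bool patched)
{
	struct nested_model n = { .vmxon = true, .state = malloc(64) }; /* VMXON */
	bool leaked;
	model_pre_enter_smm(&n);                /* KVM_SMI ioctl */
	if (smi_handler_runs_rsm)
		model_pre_leave_smm(&n);        /* only if a handler like seabios runs RSM */
	model_free_nested(&n, patched);         /* vmx_free_vcpu() -> free_nested() */
	leaked = n.state != NULL;
	free(n.state);                          /* model cleanup only */
	return leaked;
}
```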