From: Wanpeng Li
To: linux-kernel@vger.kernel.org, kvm@vger.kernel.org
Cc: Paolo Bonzini, Radim Krčmář, Wanpeng Li, Dmitry Vyukov
Subject: [PATCH] KVM: VMX: Fix vmx->nested freeing when no SMI handler
Date: Tue, 21 Nov 2017 23:56:50 -0800
Message-Id: <1511337410-8100-1-git-send-email-wanpeng.li@hotmail.com>
X-Mailing-List: linux-kernel@vger.kernel.org
From: Wanpeng Li

Reported by syzkaller:

------------[ cut here ]------------
WARNING: CPU: 5 PID: 2939 at arch/x86/kvm/vmx.c:3844 free_loaded_vmcs+0x77/0x80 [kvm_intel]
CPU: 5 PID: 2939 Comm: repro Not tainted 4.14.0+ #26
RIP: 0010:free_loaded_vmcs+0x77/0x80 [kvm_intel]
Call Trace:
 vmx_free_vcpu+0xda/0x130 [kvm_intel]
 kvm_arch_destroy_vm+0x192/0x290 [kvm]
 kvm_put_kvm+0x262/0x560 [kvm]
 kvm_vm_release+0x2c/0x30 [kvm]
 __fput+0x190/0x370
 task_work_run+0xa1/0xd0
 do_exit+0x4d2/0x13e0
 do_group_exit+0x89/0x140
 get_signal+0x318/0xb80
 do_signal+0x8c/0xb40
 exit_to_usermode_loop+0xe4/0x140
 syscall_return_slowpath+0x206/0x230
 entry_SYSCALL_64_fastpath+0x98/0x9a

The syzkaller testcase will execute VMXON/VMLAUNCH instructions, so the vmx->nested stuff is populated; it will also issue the KVM_SMI ioctl. However, the testcase is just a simple C program and is not launched by something like seabios, which implements the smi_handler.

Commit 05cade71cf (KVM: nSVM: fix SMI injection in guest mode) gets out of guest mode and sets nested.vmxon to false for the duration of SMM, according to SDM 34.14.1 "leave VMX operation" upon entering SMM. We can't alloc/free the vmx->nested stuff each time we enter/exit SMM since it would induce more overhead. So the function vmx_pre_enter_smm() marks nested.vmxon false even if the vmx->nested stuff is still populated. What is expected is that em_rsm() can mark nested.vmxon true again. However, the smi_handler/rsm will not execute since there is nothing like seabios in this scenario. The function free_nested() fails to free the vmx->nested stuff since vmx->nested.vmxon is false, which results in the above warning.

This patch fixes it by also considering the no-SMI-handler case. Luckily, vmx->nested.smm.vmxon is marked according to the value of vmx->nested.vmxon in vmx_pre_enter_smm(), so we can take advantage of it and free the vmx->nested stuff when L1 goes down.
Reported-by: Dmitry Vyukov
Cc: Paolo Bonzini
Cc: Radim Krčmář
Cc: Dmitry Vyukov
Fixes: 05cade71cf (KVM: nSVM: fix SMI injection in guest mode)
Signed-off-by: Wanpeng Li
---
 arch/x86/kvm/vmx.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c index dccc0f7..ed22425 100644 --- a/arch/x86/kvm/vmx.c +++ b/arch/x86/kvm/vmx.c @@ -7372,7 +7372,7 @@ static inline void nested_release_vmcs12(struct vcpu_vmx *vmx) */ static void free_nested(struct vcpu_vmx *vmx) { - if (!vmx->nested.vmxon) + if (!vmx->nested.vmxon && !vmx->nested.smm.vmxon) return; vmx->nested.vmxon = false; -- 2.7.4
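Review bot: the widened guard at the top of free_nested() now lets the function proceed when only vmx->nested.smm.vmxon is set, but the next line still clears just `vmx->nested.vmxon = false;` and leaves vmx->nested.smm.vmxon untouched, so a second call to free_nested() on the same vCPU would pass the guard again and re-run the release path; clearing vmx->nested.smm.vmxon right after vmx->nested.vmxon keeps the two flags consistent and makes the function idempotent. The comment block ending in the `*/` shown in the hunk's context should also note that nested.vmxon can be false while nested state is still populated, because SMM entry cleared it in vmx_pre_enter_smm().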