Date: Tue, 31 Oct 2017 20:53:03 +0800
From: Haozhong Zhang
To: Wanpeng Li
Cc: Dmitry Vyukov, Paolo Bonzini, Radim Krčmář, KVM list, LKML, Xiao Guangrong, David Hildenbrand, syzkaller
Subject: Re: kvm: GPF in native_write_cr4
Message-ID: <20171031125303.7sqrn4cs4k5c5tei@hz-desktop>

Hi Wanpeng,

On 10/31/17 19:10 +0800, Wanpeng Li wrote:
> 2017-10-31 17:59 GMT+08:00 Dmitry Vyukov:
> > Hello,
> >
> > I am seeing the following crash on upstream
> > 15f859ae5c43c7f0a064ed92d33f7a5bc5de6de0 (Oct 26).
> > Reproducer:
> > https://gist.githubusercontent.com/dvyukov/a9690f90c39c1e3b1b6c7acda2d5ef89/raw/33e07f3d6779005fc475764e0802e4a5aee8d0cf/gistfile1.txt
> > I run qemu with -append "kvm-intel.nested=1" -enable-kvm -cpu host. My
> > host cpu is E5-2690.
> >
>
> I can't reproduce this w/ latest kvm/queue in both L0 and L1. In
> addition, there is a commit that tries to fix cr4 recently.
> https://git.kernel.org/pub/scm/virt/kvm/kvm.git/commit/?id=8eb3f87d903168bdbd1222776a6b1e281f50513e

The calltrace in this bug report is the same as what I got before the
above commit. In the previous bug, L0 KVM misused L2 CR4 as L1 CR4. When
L1 KVM tried to clear L1 CR4.VMXE in the L1 VM shutdown path, L0 KVM
considered that L1 intended to clear/set other bits as well (because the
wrong L2 CR4 was used by L0 KVM as L1 CR4), but changes to the extra bits
may not be allowed against other L1 states.

In my previous fix, I tried to fix one place of such L1/L2 CR4 misuse. If
there are no other places of CR4 misuse, you may have a look at the guest
states checked by kvm_set_cr4() against guest CR4 changes, and check
whether the L1 and L2 versions of any of them are misused.

It would make the debugging easier if we can log which check fails in
kvm_set_cr4() when the calltrace appears (e.g., by adding a printk before
"return 1" in kvm_set_cr4()).

Haozhong

> The testcase is complex; is the strace log below as you expected?
>
> Regards,
> Wanpeng Li
>
> > general protection fault: 0000 [#1] SMP KASAN
> > Modules linked in:
> > CPU: 1 PID: 3064 Comm: a.out Not tainted 4.14.0-rc6+ #11
> > Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
> > task: ffff880064c203c0 task.stack: ffff880066718000
> > RIP: 0010:native_write_cr4+0x4/0x10 arch/x86/include/asm/special_insns.h:75
> > RSP: 0018:ffff88006671f598 EFLAGS: 00010097
> > RAX: ffff880064c203c0 RBX: 00000000001606e0 RCX: 0000000000000000
> > RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00000000001606e0
> > RBP: ffff88006671f598 R08: 0000000000000006 R09: 0000000000000006
> > R10: ffff880064c203c0 R11: 0000000000000000 R12: 0000000000000001
> > R13: ffff88006ca94828 R14: ffff88006ca94850 R15: ffff88006ca80000
> > FS:  00000000019cd880(0000) GS:ffff88006ca80000(0000) knlGS:0000000000000000
> > CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> > CR2: 0000000000000000 CR3: 0000000005a22001 CR4: 00000000001626e0
> > Call Trace:
> >  __write_cr4 arch/x86/include/asm/paravirt.h:76 [inline]
> >  cr4_clear_bits arch/x86/include/asm/tlbflush.h:197 [inline]
> >  kvm_cpu_vmxoff arch/x86/kvm/vmx.c:3571 [inline]
> >  hardware_disable+0x197/0x210 arch/x86/kvm/vmx.c:3577
> >  kvm_arch_hardware_disable+0x35/0xd0 arch/x86/kvm/x86.c:7920
> >  hardware_disable_nolock+0x30/0x40 arch/x86/kvm/../../../virt/kvm/kvm_main.c:3282
> >  on_each_cpu+0xca/0x1b0 kernel/smp.c:604
> >  hardware_disable_all_nolock+0x44/0x60 arch/x86/kvm/../../../virt/kvm/kvm_main.c:3300
> >  hardware_disable_all arch/x86/kvm/../../../virt/kvm/kvm_main.c:3306 [inline]
> >  kvm_destroy_vm arch/x86/kvm/../../../virt/kvm/kvm_main.c:735 [inline]
> >  kvm_put_kvm+0x887/0xe00 arch/x86/kvm/../../../virt/kvm/kvm_main.c:748
> >  kvm_vm_release+0x42/0x50 arch/x86/kvm/../../../virt/kvm/kvm_main.c:759
> >  __fput+0x301/0x7e0 fs/file_table.c:210
> >  ____fput+0x15/0x20 fs/file_table.c:244
> >  task_work_run+0x19e/0x250 kernel/task_work.c:112
> >  exit_task_work include/linux/task_work.h:21 [inline]
> >  do_exit+0x99f/0x18b0 kernel/exit.c:865
> >  do_group_exit+0x14b/0x3f0 kernel/exit.c:968
> >  SYSC_exit_group kernel/exit.c:979 [inline]
> >  SyS_exit_group+0x1d/0x20 kernel/exit.c:977
> >  entry_SYSCALL_64_fastpath+0x1f/0xbe
> > RIP: 0033:0x443849
> > RSP: 002b:00007ffe58a95c78 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
> > RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000443849
> > RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
> > RBP: 0000000000000086 R08: 000000000000003c R09: 00000000000000e7
> > R10: ffffffffffffffc0 R11: 0000000000000246 R12: 0000000000000000
> > R13: 0000000000404800 R14: 0000000000404890 R15: 0000000000000000
> > Code: 0f 1f 80 00 00 00 00 55 48 89 e5 0f 20 d8 5d c3 0f 1f 80 00 00 00 00 55 48 89 e5 0f 22 df 5d c3 0f 1f 80 00 00 00 00 55 48 89 e5 <0f> 22 e7 5d c3 0f 1f 80 00 00 00 00 55 48 89 e5 44 0f 20 c0 5d
> > RIP: native_write_cr4+0x4/0x10 arch/x86/include/asm/special_insns.h:75
> > RSP: ffff88006671f598
> > ---[ end trace 6f9dbcc14aa47936 ]---
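The L1/L2 CR4 mix-up Haozhong describes, as a simplified model added here (it is not KVM's kvm_set_cr4() and not code from anyone in this thread): a hypervisor judges a CR4 write against the same guest's previous CR4 and its other state, so when L2's CR4 stands in for L1's old value, L1's plain VMXE clear looks like a multi-bit change and is rejected. The CR4 0x1626e0 -> 0x1606e0 write and CR3 0x5a22001 come from the oops above; the L2 CR4 value and the guest struct are constructed assumptions, and the checks follow the architectural CR4 rules rather than KVM's exact code.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Architectural CR4/CR3 bit positions used by this model. */
#define CR4_PAE       (1ULL << 5)
#define CR4_VMXE      (1ULL << 13)
#define CR4_PCIDE     (1ULL << 17)
#define CR3_PCID_MASK 0xfffULL

/* Guest state the checks consult: EFER.LMA, VMXON in effect, CR3 (model only). */
struct guest { bool long_mode; bool vmxon; uint64_t cr3; };
/* Judge a CR4 write against the OLD value of the same guest plus its other
 * state. Returns 0 if allowed, 1 if it must #GP, and names the failing check
 * (the "log which check fails" aid suggested in the thread). */
static int cr4_check(uint64_t old_cr4, uint64_t new_cr4,
                     const struct guest *g, const char **why)
{
    *why = "ok";
    if (g->long_mode && !(new_cr4 & CR4_PAE)) {
        *why = "PAE cleared in long mode"; return 1;
    }
    if ((new_cr4 & CR4_PCIDE) && !(old_cr4 & CR4_PCIDE) &&
        (!g->long_mode || (g->cr3 & CR3_PCID_MASK))) {
        *why = "PCIDE 0->1 outside long mode or with CR3[11:0] != 0"; return 1;
    }
    if (g->vmxon && !(new_cr4 & CR4_VMXE)) {
        *why = "VMXE cleared while in VMX operation"; return 1;
    }
    return 0;
}

/* Replay the write from the oops (CR4 0x1626e0 -> 0x1606e0, only VMXE
 * dropped) with a given value standing in as the guest's old CR4. */
static int replay(uint64_t old_cr4, const char **why)
{
    /* L1 after VMXOFF, in long mode; CR3 0x5a22001 (PCID 1) is from the oops. */
    struct guest l1 = { .long_mode = true, .vmxon = false, .cr3 = 0x5a22001ULL };
    return cr4_check(old_cr4, 0x1606e0ULL, &l1, why);
}

int main(void)
{
    const char *why;
    int rc = replay(0x1626e0ULL, &why);   /* correct: L1's own CR4 as old */
    printf("L1 CR4 as old: %d (%s)\n", rc, why);
    rc = replay(CR4_PAE, &why);   /* misuse: constructed L2 CR4 (PAE only) as old */
    printf("L2 CR4 as old: %d (%s)\n", rc, why);
    return 0;
}
```

With L1's real CR4 the write passes, while the same write judged against the L2 value fails the PCIDE check because the diff now looks like PCIDE being set with CR3[11:0] = 1, which is the kind of rejected "extra bit" change that ends in the #GP seen in native_write_cr4.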