From patchwork Wed Jul 6 09:49:34 2016
X-Patchwork-Submitter: Wanpeng Li
X-Patchwork-Id: 9215961
From: Wanpeng Li
To: linux-kernel@vger.kernel.org, kvm@vger.kernel.org
Cc: Wanpeng Li, Paolo Bonzini, Radim Krčmář, Yunhong Jiang, Jan Kiszka, Haozhong Zhang
Subject: [PATCH] KVM: nVMX: Fix preemption timer kernel NULL pointer dereference
Date: Wed, 6 Jul 2016 17:49:34 +0800
Message-Id: <1467798574-3330-1-git-send-email-wanpeng.li@hotmail.com>
X-Mailing-List: kvm@vger.kernel.org

BUG: unable to handle kernel NULL pointer dereference at (null)
IP: [< (null)>] (null)
PGD 0
Oops: 0010 [#1] SMP
Call Trace:
 ? kvm_lapic_expired_hv_timer+0x47/0x90 [kvm]
 handle_preemption_timer+0xe/0x20 [kvm_intel]
 vmx_handle_exit+0x169/0x15a0 [kvm_intel]
 ? kvm_arch_vcpu_ioctl_run+0xd5d/0x19d0 [kvm]
 kvm_arch_vcpu_ioctl_run+0xdee/0x19d0 [kvm]
 ? kvm_arch_vcpu_ioctl_run+0xd5d/0x19d0 [kvm]
 ? vcpu_load+0x1c/0x60 [kvm]
 ? kvm_arch_vcpu_load+0x57/0x260 [kvm]
 kvm_vcpu_ioctl+0x2d3/0x7c0 [kvm]
 do_vfs_ioctl+0x96/0x6a0
 ? __fget_light+0x2a/0x90
 SyS_ioctl+0x79/0x90
 do_syscall_64+0x68/0x180
 entry_SYSCALL64_slow_path+0x25/0x25
Code: Bad RIP value.
RIP [< (null)>] (null) RSP
CR2: 0000000000000000
---[ end trace 9c70c48b1a2bc66e ]---

This can be readily reproduced with preemption enabled on L0 and disabled on L1.

The preemption timer for nested VMX is emulated by an hrtimer which is started on L2 entry, stopped on L2 exit and evaluated via the check_nested_events hook. However, nested_vmx_exit_handled always returns true for a preemption timer vmexit, so the L1 preemption timer vmexit is captured and treated as an L2 preemption timer vmexit, incurring a NULL pointer dereference in the nested vmexit. This patch fixes it by depending on check_nested_events to capture the L2 preemption timer (emulated hrtimer) expiry and nested vmexit.

Cc: Paolo Bonzini
Cc: Radim Krčmář
Cc: Yunhong Jiang
Cc: Jan Kiszka
Cc: Haozhong Zhang
Signed-off-by: Wanpeng Li
---
 arch/x86/kvm/vmx.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
index 85e2f0a..29c16a8 100644
--- a/arch/x86/kvm/vmx.c
+++ b/arch/x86/kvm/vmx.c
@@ -8041,6 +8041,8 @@ static bool nested_vmx_exit_handled(struct kvm_vcpu *vcpu)
 		return nested_cpu_has2(vmcs12, SECONDARY_EXEC_XSAVES);
 	case EXIT_REASON_PCOMMIT:
 		return nested_cpu_has2(vmcs12, SECONDARY_EXEC_PCOMMIT);
+	case EXIT_REASON_PREEMPTION_TIMER:
+		return false;
 	default:
 		return true;
 	}
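Review bot: the new `case EXIT_REASON_PREEMPTION_TIMER:` returns false unconditionally, unlike the neighbouring cases which consult vmcs12 (e.g. `return nested_cpu_has2(vmcs12, SECONDARY_EXEC_PCOMMIT);`), so a hardware preemption timer exit taken while L2 runs is never reflected to L1 by this function; that matches the commit message's design (L1's view of the timer is the emulated hrtimer delivered through check_nested_events, and the hardware exit belongs to L0), but since it is the only case in this switch that ignores vmcs12, a one-line comment stating that the L2 preemption timer is handled by check_nested_events rather than by exit reflection would stop the next reader from "fixing" it back to a vmcs12 check. It would also help to spell out in the commit message which pointer is NULL in the nested vmexit path, since the oops shows only a NULL RIP; the fix is plausibly correct, but the trace alone does not show why reflecting the exit to L1 dereferences NULL.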