From patchwork Wed Jul 6 10:29:58 2016
X-Patchwork-Submitter: Wanpeng Li
X-Patchwork-Id: 9216055
From: Wanpeng Li
To: linux-kernel@vger.kernel.org, kvm@vger.kernel.org
Cc: Wanpeng Li, Paolo Bonzini, Radim Krčmář, Yunhong Jiang, Jan Kiszka, Haozhong Zhang
Subject: [PATCH v2] KVM: nVMX: Fix preemption timer kernel NULL pointer dereference
Date: Wed, 6 Jul 2016 18:29:58 +0800
Message-Id: <1467800998-3790-1-git-send-email-wanpeng.li@hotmail.com>
X-Mailer: git-send-email 1.9.1
X-Mailing-List: kvm@vger.kernel.org
From: Wanpeng Li

BUG: unable to handle kernel NULL pointer dereference at (null)
IP: [< (null)>] (null)
PGD 0
Oops: 0010 [#1] SMP
Call Trace:
 ? kvm_lapic_expired_hv_timer+0x47/0x90 [kvm]
 handle_preemption_timer+0xe/0x20 [kvm_intel]
 vmx_handle_exit+0x169/0x15a0 [kvm_intel]
 ? kvm_arch_vcpu_ioctl_run+0xd5d/0x19d0 [kvm]
 kvm_arch_vcpu_ioctl_run+0xdee/0x19d0 [kvm]
 ? kvm_arch_vcpu_ioctl_run+0xd5d/0x19d0 [kvm]
 ? vcpu_load+0x1c/0x60 [kvm]
 ? kvm_arch_vcpu_load+0x57/0x260 [kvm]
 kvm_vcpu_ioctl+0x2d3/0x7c0 [kvm]
 do_vfs_ioctl+0x96/0x6a0
 ? __fget_light+0x2a/0x90
 SyS_ioctl+0x79/0x90
 do_syscall_64+0x68/0x180
 entry_SYSCALL64_slow_path+0x25/0x25
Code: Bad RIP value.
RIP [< (null)>] (null) RSP
CR2: 0000000000000000
---[ end trace 9c70c48b1a2bc66e ]---

This can be reproduced readily with the preemption timer enabled on L0 and disabled on L1.

The preemption timer for nested VMX is emulated by an hrtimer, which is started on L2 entry, stopped on L2 exit and evaluated via the check_nested_events hook. However, nested_vmx_exit_handled always returns true for a preemption timer vmexit, so the L1 preemption timer vmexit is captured and treated as an L2 preemption timer vmexit, incurring a nested vmexit that dereferences a NULL pointer. This patch fixes it by depending on check_nested_events to capture the L2 preemption timer (emulated hrtimer) expiry and the nested vmexit.

Cc: Paolo Bonzini
Cc: Radim Krčmář
Cc: Yunhong Jiang
Cc: Jan Kiszka
Cc: Haozhong Zhang
Signed-off-by: Wanpeng Li
---
v1 -> v2:
 * fix typo in patch description

 arch/x86/kvm/vmx.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
index 85e2f0a..29c16a8 100644
--- a/arch/x86/kvm/vmx.c
+++ b/arch/x86/kvm/vmx.c
@@ -8041,6 +8041,8 @@ static bool nested_vmx_exit_handled(struct kvm_vcpu *vcpu)
 		return nested_cpu_has2(vmcs12, SECONDARY_EXEC_XSAVES);
 	case EXIT_REASON_PCOMMIT:
 		return nested_cpu_has2(vmcs12, SECONDARY_EXEC_PCOMMIT);
+	case EXIT_REASON_PREEMPTION_TIMER:
+		return false;
 	default:
 		return true;
 	}
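Review bot: the added `case EXIT_REASON_PREEMPTION_TIMER: return false;` is the only arm of this switch that decides without consulting vmcs12, and nothing in the hunk records why a hardware preemption-timer exit taken while L2 runs must always be handled by L0 rather than reflected to L1; a one-line comment above the case, stating that L1's preemption timer is emulated by the hrtimer evaluated in check_nested_events and so the hardware timer exit never belongs to L1, would keep a later reader from "correcting" it back to a nested_cpu_has() check like its neighbours. The commit message should also name the pointer that is NULL: the oops shows a call to a NULL function pointer reached from kvm_lapic_expired_hv_timer via handle_preemption_timer, but the description only says the exit is "treated as a L2 preemption timer vmexit", leaving the reviewer to infer which state is unset on that path; stating it explicitly makes the root cause, and the sufficiency of this two-line fix, reviewable from the message alone.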