From patchwork Sat Mar 4 04:03:32 2017
X-Patchwork-Submitter: Wanpeng Li
X-Patchwork-Id: 9603775
From: Wanpeng Li
To: linux-kernel@vger.kernel.org, kvm@vger.kernel.org
Cc: Paolo Bonzini, Radim Krčmář, Wanpeng Li, Dmitry Vyukov
Subject: [PATCH] KVM: nVMX: Reset nested_run_pending if the CPU is going to be reset
Date: Fri, 3 Mar 2017 20:03:32 -0800
Message-Id: <1488600212-24037-1-git-send-email-wanpeng.li@hotmail.com>

Reported by syzkaller:

WARNING: CPU: 1 PID: 27742 at arch/x86/kvm/vmx.c:11029 nested_vmx_vmexit+0x5c35/0x74d0 arch/x86/kvm/vmx.c:11029
CPU: 1 PID: 27742 Comm: a.out Not tainted 4.10.0+ #229
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:15 [inline]
 dump_stack+0x2ee/0x3ef lib/dump_stack.c:51
 panic+0x1fb/0x412 kernel/panic.c:179
 __warn+0x1c4/0x1e0 kernel/panic.c:540
 warn_slowpath_null+0x2c/0x40 kernel/panic.c:583
 nested_vmx_vmexit+0x5c35/0x74d0 arch/x86/kvm/vmx.c:11029
 vmx_leave_nested arch/x86/kvm/vmx.c:11136 [inline]
 vmx_set_msr+0x1565/0x1910 arch/x86/kvm/vmx.c:3324
 kvm_set_msr+0xd4/0x170 arch/x86/kvm/x86.c:1099
 do_set_msr+0x11e/0x190 arch/x86/kvm/x86.c:1128
 __msr_io arch/x86/kvm/x86.c:2577 [inline]
 msr_io+0x24b/0x450 arch/x86/kvm/x86.c:2614
 kvm_arch_vcpu_ioctl+0x35b/0x46a0 arch/x86/kvm/x86.c:3497
 kvm_vcpu_ioctl+0x232/0x1120 arch/x86/kvm/../../../virt/kvm/kvm_main.c:2721
 vfs_ioctl fs/ioctl.c:43 [inline]
 do_vfs_ioctl+0x1bf/0x1790 fs/ioctl.c:683
 SYSC_ioctl fs/ioctl.c:698 [inline]
 SyS_ioctl+0x8f/0xc0 fs/ioctl.c:689
 entry_SYSCALL_64_fastpath+0x1f/0xc2

The syzkaller folks reported a nested_run_pending warning when userspace clears the VMX capability that was exposed to L1 before.
The warning gets thrown while doing

 (*(uint32_t*)0x20aecfe8 = (uint32_t)0x1);
 (*(uint32_t*)0x20aecfec = (uint32_t)0x0);
 (*(uint32_t*)0x20aecff0 = (uint32_t)0x3a);
 (*(uint32_t*)0x20aecff4 = (uint32_t)0x0);
 (*(uint64_t*)0x20aecff8 = (uint64_t)0x0);
 r[29] = syscall(__NR_ioctl, r[4], 0x4008ae89ul, 0x20aecfe8ul, 0, 0, 0, 0, 0, 0);

i.e. the KVM_SET_MSR ioctl with

 struct kvm_msrs {
 	.nmsrs = 1,
 	.pad = 0,
 	.entries = {
 		{.index = MSR_IA32_FEATURE_CONTROL, .reserved = 0, .data = 0}
 	}
 }

The VMLAUNCH/VMRESUME emulation should be stopped since the CPU is going to be reset here. This patch resets nested_run_pending since the CPU is going to be reset, hence there should be nothing pending.

Reported-by: Dmitry Vyukov
Suggested-by: Radim Krčmář
Cc: Paolo Bonzini
Cc: Radim Krčmář
Cc: Dmitry Vyukov
Signed-off-by: Wanpeng Li
---
 arch/x86/kvm/vmx.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c index 283aa86..b4a757369 100644 --- a/arch/x86/kvm/vmx.c +++ b/arch/x86/kvm/vmx.c @@ -3310,8 +3310,10 @@ static int vmx_set_msr(struct kvm_vcpu *vcpu, struct msr_data *msr_info) FEATURE_CONTROL_LOCKED && !msr_info->host_initiated)) return 1; vmx->msr_ia32_feature_control = data; - if (msr_info->host_initiated && data == 0) + if (msr_info->host_initiated && data == 0) { + vmx->nested.nested_run_pending = 0; vmx_leave_nested(vcpu); + } break; case MSR_IA32_VMX_BASIC ... MSR_IA32_VMX_VMFUNC: if (!msr_info->host_initiated)
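Review bot: the reset of nested_run_pending is placed in the MSR_IA32_FEATURE_CONTROL branch of vmx_set_msr() rather than in vmx_leave_nested() itself, so only this one caller is covered; the WARN fires in nested_vmx_vmexit() (vmx.c:11029) reached through vmx_leave_nested() (vmx.c:11136), which is the natural place to clear the flag before the forced vmexit so that every caller that tears down nested state gets the same treatment. Consider moving `vmx->nested.nested_run_pending = 0;` into vmx_leave_nested() next to the nested_vmx_vmexit() call, which also lets `if (msr_info->host_initiated && data == 0)` keep its single-statement body without the added braces. The commit message could also state explicitly why only the host-initiated write of 0 needs this: the `!msr_info->host_initiated` check in the hunk's leading context is what keeps a guest-initiated write from reaching this path once FEATURE_CONTROL_LOCKED is set.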