From patchwork Sat Jun 17 22:24:31 2017
X-Patchwork-Submitter: "Levin, Alexander"
X-Patchwork-Id: 9794551
From: "Levin, Alexander (Sasha Levin)"
To: "stable@vger.kernel.org", "linux-kernel@vger.kernel.org"
Cc: Dmitry Vyukov, Paolo Bonzini, Radim Krčmář, Wanpeng Li, "kvm@vger.kernel.org", "syzkaller@googlegroups.com", "Levin, Alexander (Sasha Levin)"
Subject: [PATCH for v4.9 LTS 14/86] KVM: x86: fix fixing of hypercalls
Date: Sat, 17 Jun 2017 22:24:31 +0000
Message-ID: <20170617222420.19316-14-alexander.levin@verizon.com>
References: <20170617222420.19316-1-alexander.levin@verizon.com>
In-Reply-To: <20170617222420.19316-1-alexander.levin@verizon.com>
X-Mailing-List: kvm@vger.kernel.org
From: Dmitry Vyukov [ Upstream commit ce2e852ecc9a42e4b8dabb46025cfef63209234a ] emulator_fix_hypercall() replaces hypercall with vmcall instruction, but it does not handle GP exception properly when writes the new instruction. It can return X86EMUL_PROPAGATE_FAULT without setting exception information. This leads to incorrect emulation and triggers WARN_ON(ctxt->exception.vector > 0x1f) in x86_emulate_insn() as discovered by syzkaller fuzzer: WARNING: CPU: 2 PID: 18646 at arch/x86/kvm/emulate.c:5558 Call Trace: warn_slowpath_null+0x2c/0x40 kernel/panic.c:582 x86_emulate_insn+0x16a5/0x4090 arch/x86/kvm/emulate.c:5572 x86_emulate_instruction+0x403/0x1cc0 arch/x86/kvm/x86.c:5618 emulate_instruction arch/x86/include/asm/kvm_host.h:1127 [inline] handle_exception+0x594/0xfd0 arch/x86/kvm/vmx.c:5762 vmx_handle_exit+0x2b7/0x38b0 arch/x86/kvm/vmx.c:8625 vcpu_enter_guest arch/x86/kvm/x86.c:6888 [inline] vcpu_run arch/x86/kvm/x86.c:6947 [inline] Set exception information when write in emulator_fix_hypercall() fails. Signed-off-by: Dmitry Vyukov Cc: Paolo Bonzini Cc: Radim Krčmář Cc: Wanpeng Li Cc: kvm@vger.kernel.org Cc: syzkaller@googlegroups.com Signed-off-by: Radim Krčmář Signed-off-by: Sasha Levin --- arch/x86/kvm/x86.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) -- 2.11.0 diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c index 62cde4f67c72..ab3f00399cbb 100644 --- a/arch/x86/kvm/x86.c +++ b/arch/x86/kvm/x86.c @@ -6111,7 +6111,8 @@ static int emulator_fix_hypercall(struct x86_emulate_ctxt *ctxt) kvm_x86_ops->patch_hypercall(vcpu, instruction); - return emulator_write_emulated(ctxt, rip, instruction, 3, NULL); + return emulator_write_emulated(ctxt, rip, instruction, 3, + &ctxt->exception); } static int dm_request_for_irq_injection(struct kvm_vcpu *vcpu)
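Review bot: replacing the NULL exception argument with `&ctxt->exception` in the `emulator_write_emulated(ctxt, rip, instruction, 3, ...)` call is the whole fix and it is the right one: when the 3-byte write of the patched hypercall instruction faults, the emulator now returns X86EMUL_PROPAGATE_FAULT with the exception vector filled in, which is exactly the precondition that `WARN_ON(ctxt->exception.vector > 0x1f)` in x86_emulate_insn() checks and that the syzkaller trace in the commit message shows being violated. Two things are missing around the hunk rather than in it: a short comment above the call stating that the write can fault and that the fault must be propagated through ctxt->exception (so the NULL is not reintroduced by a later cleanup), and a Fixes: tag in the commit message naming the change that first passed NULL here, which would let stable maintainers confirm the v4.9 backport range without reading the upstream history.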