renegade-project/linux-next
2
0
Fork 0
mirror of https://github.com/edk2-porting/linux-next.git synced 2025-01-14 16:44:29 +08:00
Code
b74558259c
linux-next/arch
History
Wanpeng Li b74558259c KVM: VMX: Fix vmx->nested freeing when no SMI handler 
Reported by syzkaller:

   ------------[ cut here ]------------
   WARNING: CPU: 5 PID: 2939 at arch/x86/kvm/vmx.c:3844 free_loaded_vmcs+0x77/0x80 [kvm_intel]
   CPU: 5 PID: 2939 Comm: repro Not tainted 4.14.0+ #26
   RIP: 0010:free_loaded_vmcs+0x77/0x80 [kvm_intel]
   Call Trace:
    vmx_free_vcpu+0xda/0x130 [kvm_intel]
    kvm_arch_destroy_vm+0x192/0x290 [kvm]
    kvm_put_kvm+0x262/0x560 [kvm]
    kvm_vm_release+0x2c/0x30 [kvm]
    __fput+0x190/0x370
    task_work_run+0xa1/0xd0
    do_exit+0x4d2/0x13e0
    do_group_exit+0x89/0x140
    get_signal+0x318/0xb80
    do_signal+0x8c/0xb40
    exit_to_usermode_loop+0xe4/0x140
    syscall_return_slowpath+0x206/0x230
    entry_SYSCALL_64_fastpath+0x98/0x9a

The syzkaller testcase will execute VMXON/VMLAUCH instructions, so the
vmx->nested stuff is populated, it will also issue KVM_SMI ioctl. However,
the testcase is just a simple c program and not be lauched by something
like seabios which implements smi_handler. Commit 05cade71cf (KVM: nSVM:
fix SMI injection in guest mode) gets out of guest mode and set nested.vmxon
to false for the duration of SMM according to SDM 34.14.1 "leave VMX
operation" upon entering SMM. We can't alloc/free the vmx->nested stuff
each time when entering/exiting SMM since it will induce more overhead. So
the function vmx_pre_enter_smm() marks nested.vmxon false even if vmx->nested
stuff is still populated. What it expected is em_rsm() can mark nested.vmxon
to be true again. However, the smi_handler/rsm will not execute since there
is no something like seabios in this scenario. The function free_nested()
fails to free the vmx->nested stuff since the vmx->nested.vmxon is false
which results in the above warning.

This patch fixes it by also considering the no SMI handler case, luckily
vmx->nested.smm.vmxon is marked according to the value of vmx->nested.vmxon
in vmx_pre_enter_smm(), we can take advantage of it and free vmx->nested
stuff when L1 goes down.

Reported-by: Dmitry Vyukov <dvyukov@google.com>
Cc: Paolo Bonzini <pbonzini@redhat.com>
Cc: Radim Krčmář <rkrcmar@redhat.com>
Cc: Dmitry Vyukov <dvyukov@google.com>
Reviewed-by: Liran Alon <liran.alon@oracle.com>
Fixes: 05cade71cf (KVM: nSVM: fix SMI injection in guest mode)
Signed-off-by: Wanpeng Li <wanpeng.li@hotmail.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2017-11-27 17:37:55 +01:00
..
alpha pci-v4.15-changes 2017-11-15 15:01:28 -08:00
arc Merge branch 'for-linus' of ssh://gitolite.kernel.org/pub/scm/linux/kernel/git/jikos/trivial 2017-11-15 10:14:11 -08:00
arm GICv4 Support for KVM/ARM for v4.15 2017-11-17 13:20:01 +01:00
arm64 GICv4 Support for KVM/ARM for v4.15 2017-11-17 13:20:01 +01:00
blackfin This is the bulk of pin control changes for the v4.15 2017-11-16 10:57:11 -08:00
c6x DeviceTree for 4.15: 2017-11-14 18:25:40 -08:00
cris pci-v4.15-changes 2017-11-15 15:01:28 -08:00
frv Merge branch 'akpm' (patches from Andrew) 2017-11-15 19:42:40 -08:00
h8300 mm, arch: remove empty_bad_page* 2017-11-15 18:21:03 -08:00
hexagon A couple of dma-mapping updates: 2017-11-14 16:54:12 -08:00
ia64 pci-v4.15-changes 2017-11-15 15:01:28 -08:00
m32r m32r: fix endianness constraints 2017-11-15 18:21:00 -08:00
m68k A couple of dma-mapping updates: 2017-11-14 16:54:12 -08:00
metag DeviceTree for 4.15: 2017-11-14 18:25:40 -08:00
microblaze DeviceTree for 4.15: 2017-11-14 18:25:40 -08:00
mips AFS development 2017-11-16 11:41:22 -08:00
mn10300 Merge branch 'akpm' (patches from Andrew) 2017-11-15 19:42:40 -08:00
nios2 DeviceTree for 4.15: 2017-11-14 18:25:40 -08:00
openrisc kmemcheck: remove annotations 2017-11-15 18:21:04 -08:00
parisc pci-v4.15-changes 2017-11-15 15:01:28 -08:00
powerpc First batch of KVM changes for 4.15 2017-11-16 13:00:24 -08:00
riscv RISC-V Port for Linux 4.15 v9 2017-11-15 10:49:15 -08:00
s390 First batch of KVM changes for 4.15 2017-11-16 13:00:24 -08:00
score License cleanup: add SPDX license identifier to uapi header files with no license 2017-11-02 11:19:54 +01:00
sh Merge branch 'akpm' (patches from Andrew) 2017-11-15 19:42:40 -08:00
sparc Merge branch 'akpm' (patches from Andrew) 2017-11-15 19:42:40 -08:00
tile mm: remove cold parameter from free_hot_cold_page* 2017-11-15 18:21:06 -08:00
um Merge branch 'akpm' (patches from Andrew) 2017-11-15 19:42:40 -08:00
unicore32 kmemcheck: stop using GFP_NOTRACK and SLAB_NOTRACK 2017-11-15 18:21:04 -08:00
x86 KVM: VMX: Fix vmx->nested freeing when no SMI handler 2017-11-27 17:37:55 +01:00
xtensa pci-v4.15-changes 2017-11-15 15:01:28 -08:00
.gitignore
Kconfig bpf: Revert bpf_overrid_function() helper changes. 2017-11-11 18:24:55 +09:00