Subject: Re: [PATCH 1/9] KVM: x86: Immediately reset the MMU context when the SMM flag is cleared
From: Paolo Bonzini
To: Sean Christopherson
Cc: Vitaly Kuznetsov, Wanpeng Li, Jim Mattson, Joerg Roedel, kvm@vger.kernel.org, linux-kernel@vger.kernel.org, syzbot+fb0b6a7e8713aeb0319c@syzkaller.appspotmail.com
Date: Thu, 10 Jun 2021 15:19:07 +0200
In-Reply-To: <20210609185619.992058-2-seanjc@google.com>
References: <20210609185619.992058-1-seanjc@google.com> <20210609185619.992058-2-seanjc@google.com>
List-ID: linux-kernel@vger.kernel.org

On 09/06/21 20:56, Sean Christopherson wrote:
> Immediately reset the MMU context when the vCPU's SMM flag is cleared so
> that the SMM flag in the MMU role is always synchronized with the vCPU's
> flag. If RSM fails (which isn't correctly emulated), KVM will bail
> without calling post_leave_smm() and leave the MMU in a bad state.
>
> The bad MMU role can lead to a NULL pointer dereference when grabbing a
> shadow page's rmap for a page fault as the initial lookups for the gfn
> will happen with the vCPU's SMM flag (=0), whereas the rmap lookup will
> use the shadow page's SMM flag, which comes from the MMU (=1). SMM has
> an entirely different set of memslots, and so the initial lookup can find
> a memslot (SMM=0) and then explode on the rmap memslot lookup (SMM=1).
>
> general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN
> KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
> CPU: 1 PID: 8410 Comm: syz-executor382 Not tainted 5.13.0-rc5-syzkaller #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
> RIP: 0010:__gfn_to_rmap arch/x86/kvm/mmu/mmu.c:935 [inline]
> RIP: 0010:gfn_to_rmap+0x2b0/0x4d0 arch/x86/kvm/mmu/mmu.c:947
> Code: <42> 80 3c 20 00 74 08 4c 89 ff e8 f1 79 a9 00 4c 89 fb 4d 8b 37 44
> RSP: 0018:ffffc90000ffef98 EFLAGS: 00010246
> RAX: 0000000000000000 RBX: ffff888015b9f414 RCX: ffff888019669c40
> RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000001
> RBP: 0000000000000001 R08: ffffffff811d9cdb R09: ffffed10065a6002
> R10: ffffed10065a6002 R11: 0000000000000000 R12: dffffc0000000000
> R13: 0000000000000003 R14: 0000000000000001 R15: 0000000000000000
> FS: 000000000124b300(0000) GS:ffff8880b9b00000(0000) knlGS:0000000000000000
> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 0000000000000000 CR3: 0000000028e31000 CR4: 00000000001526e0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> Call Trace:
> rmap_add arch/x86/kvm/mmu/mmu.c:965 [inline]
> mmu_set_spte+0x862/0xe60 arch/x86/kvm/mmu/mmu.c:2604
> __direct_map arch/x86/kvm/mmu/mmu.c:2862 [inline]
> direct_page_fault+0x1f74/0x2b70 arch/x86/kvm/mmu/mmu.c:3769
> kvm_mmu_do_page_fault arch/x86/kvm/mmu.h:124 [inline]
> kvm_mmu_page_fault+0x199/0x1440 arch/x86/kvm/mmu/mmu.c:5065
> vmx_handle_exit+0x26/0x160 arch/x86/kvm/vmx/vmx.c:6122
> vcpu_enter_guest+0x3bdd/0x9630 arch/x86/kvm/x86.c:9428
> vcpu_run+0x416/0xc20 arch/x86/kvm/x86.c:9494
> kvm_arch_vcpu_ioctl_run+0x4e8/0xa40 arch/x86/kvm/x86.c:9722
> kvm_vcpu_ioctl+0x70f/0xbb0 arch/x86/kvm/../../../virt/kvm/kvm_main.c:3460
> vfs_ioctl fs/ioctl.c:51 [inline]
> __do_sys_ioctl fs/ioctl.c:1069 [inline]
> __se_sys_ioctl+0xfb/0x170 fs/ioctl.c:1055
> do_syscall_64+0x3f/0xb0 arch/x86/entry/common.c:47
> entry_SYSCALL_64_after_hwframe+0x44/0xae
> RIP: 0033:0x440ce9
>
> Reported-by: syzbot+fb0b6a7e8713aeb0319c@syzkaller.appspotmail.com
> Fixes: 9ec19493fb86 ("KVM: x86: clear SMM flags before loading state while leaving SMM")
> Signed-off-by: Sean Christopherson
> ---
> arch/x86/kvm/x86.c | 5 ++++-
> 1 file changed, 4 insertions(+), 1 deletion(-)
>
> diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
> index 9dd23bdfc6cc..54d212fe9b15 100644
> --- a/arch/x86/kvm/x86.c
> +++ b/arch/x86/kvm/x86.c
> @@ -7106,7 +7106,10 @@ static unsigned emulator_get_hflags(struct x86_emulate_ctxt *ctxt)
>
> static void emulator_set_hflags(struct x86_emulate_ctxt *ctxt, unsigned emul_flags)
> {
> - emul_to_vcpu(ctxt)->arch.hflags = emul_flags;
> + struct kvm_vcpu *vcpu = emul_to_vcpu(ctxt);
> +
> + vcpu->arch.hflags = emul_flags;
> + kvm_mmu_reset_context(vcpu);
> }
>
> static int emulator_pre_leave_smm(struct x86_emulate_ctxt *ctxt,

Queued for kvm/master, thanks.

Paolo
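Review bot: the added kvm_mmu_reset_context(vcpu) in emulator_set_hflags runs on every hflags write, not only when the SMM bit actually changes, which is the case the subject line and commit message describe; a write that leaves the SMM bit untouched still pays for a full MMU context reset. Consider keeping the old value and guarding the reset on the SMM bit of hflags (HF_SMM_MASK, assuming that is the mask in use here), e.g. `unsigned old = vcpu->arch.hflags;` before the store and `if ((old ^ emul_flags) & HF_SMM_MASK) kvm_mmu_reset_context(vcpu);` after it. If the unconditional reset is deliberate because this setter is only reached from the RSM path, a one-line comment above the call stating that, and that it keeps the MMU role's SMM bit in sync even when RSM bails before post_leave_smm(), would spare the next reader the same question.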
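To make the two-lookup desync from the commit message concrete, here is a small C model, added as an example and not taken from KVM or from the patch above: `slots`, `struct vcpu`, `struct mmu_role`, `gfn_to_slot()`, `page_fault()` and `run_scenario()` are hypothetical stand-ins for KVM's per-address-space memslots, vcpu->arch.hflags, the cached MMU role and the page-fault path, and the memslot contents are constructed. It simulates an RSM that clears the vCPU's SMM flag and then bails before post_leave_smm(), once with the old behaviour (flag written, MMU role left stale) and once with the patch's behaviour (MMU context reset on the hflags write).

```c
/* Toy model of the stale-MMU-role bug: the page-fault path does one memslot
 * lookup keyed by the vCPU's live SMM flag and a second one (for the rmap)
 * keyed by the copy of that flag cached in the MMU role.  Added example,
 * not KVM code; all names below are hypothetical stand-ins. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define NR_ADDRSPACES 2   /* index 0 = normal memslots, index 1 = SMM memslots */
#define GFN_MAX       16  /* constructed: a tiny guest with 16 frames */

struct memslot {
	bool present;               /* does this address space map GFN_MAX frames? */
	unsigned long rmap[GFN_MAX];
};

/* Constructed memslots: the normal address space maps every gfn, the SMM
 * address space is empty, so any SMM-keyed lookup returns NULL. */
static struct memslot slots[NR_ADDRSPACES];

struct mmu_role { bool smm; };  /* snapshot of the vCPU flag, taken at reset */

struct vcpu {
	bool smm;                   /* live flag: the SMM bit of hflags */
	struct mmu_role role;       /* stale until reset_context() runs */
};

static void init_slots(void)
{
	for (int i = 0; i < GFN_MAX; i++)
		slots[0].rmap[i] = 0;
	slots[0].present = true;
	slots[1].present = false;
}

/* Stand-in for kvm_mmu_reset_context(): rebuild the role from live state. */
static void reset_context(struct vcpu *v)
{
	v->role.smm = v->smm;
}

static struct memslot *gfn_to_slot(int gfn, bool smm)
{
	struct memslot *s = &slots[smm ? 1 : 0];
	return (s->present && gfn >= 0 && gfn < GFN_MAX) ? s : NULL;
}

/* Returns 0 when the fault is handled, 1 when the gfn is simply unmapped for
 * the vCPU's current address space, and -1 when the rmap lookup would have
 * dereferenced NULL (the real code crashes here; the model reports it). */
int page_fault(struct vcpu *v, int gfn)
{
	/* first lookup: keyed by the vCPU's live SMM flag */
	if (!gfn_to_slot(gfn, v->smm))
		return 1;

	/* rmap lookup: keyed by the shadow page's role, i.e. the cached copy */
	struct memslot *s = gfn_to_slot(gfn, v->role.smm);
	if (!s)
		return -1;  /* unchecked code would touch s->rmap[gfn] here */
	s->rmap[gfn]++;
	return 0;
}

/* Old behaviour: write the flag, trust post_leave_smm() to reset the MMU. */
static void set_hflags_old(struct vcpu *v, bool smm)
{
	v->smm = smm;
}

/* Patched behaviour: reset the MMU context on every hflags write. */
static void set_hflags_patched(struct vcpu *v, bool smm)
{
	v->smm = smm;
	reset_context(v);
}

/* Build the MMU while in SMM, emulate an RSM that clears the flag and then
 * fails before post_leave_smm(), and take the next guest page fault. */
int run_scenario(bool patched)
{
	init_slots();
	struct vcpu v = { .smm = true };
	reset_context(&v);          /* role.smm = 1, matching the live flag */

	if (patched)
		set_hflags_patched(&v, false);
	else
		set_hflags_old(&v, false);
	/* RSM failure: no post_leave_smm(), straight back to running the guest */

	return page_fault(&v, 3);
}

int main(void)
{
	printf("unpatched: page_fault -> %d\n", run_scenario(false));
	printf("patched:   page_fault -> %d\n", run_scenario(true));
	return 0;
}
```

The unpatched run returns -1: the first lookup (live flag = 0) finds the normal memslot, the rmap lookup (cached role = 1) goes to the empty SMM address space and comes back NULL, which is the shape of the syzbot trace. The patched run returns 0 because the role was re-synchronised at the moment the flag was written, so both lookups use the same address space regardless of whether the rest of RSM completes.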