From patchwork Mon Mar 5 17:39:47 2018
X-Patchwork-Submitter: Sean Christopherson
X-Patchwork-Id: 10259397
From: Sean Christopherson
To: kvm@vger.kernel.org, pbonzini@redhat.com, rkrcmar@redhat.com
Cc: sean.j.christopherson@intel.com
Subject: [PATCH] KVM: nVMX: clear nested_run_pending when emulating invalid guest state
Date: Mon, 5 Mar 2018 09:39:47 -0800
Message-Id: <20180305173947.3025-1-sean.j.christopherson@intel.com>
X-Mailer: git-send-email 2.16.2
Sender: kvm-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: kvm@vger.kernel.org
X-Virus-Scanned: ClamAV using ClamSMTP

Clear nested_run_pending in handle_invalid_guest_state() after calling
emulate_instruction(), i.e. after attempting to emulate at least one
instruction. This fixes an issue where L0 enters an infinite loop if L2
hits an exception that is intercepted by L1 while L0 is emulating L2's
invalid guest state, effectively causing DoS on L1, e.g. the only way to
break the loop is to kill Qemu in L0.

1. call handle_invalid_guest_state() for L2
2. emulate_instruction() pends an exception, e.g. #UD
3. L1 intercepts the exception, i.e. nested_vmx_check_exception returns 1
4. vmx_check_nested_events() returns -EBUSY because L1 wants to intercept
   the exception and nested_run_pending is true
5. handle_invalid_guest_state() never makes forward progress for L2 due to
   the pending exception
6. L1 retries VMLAUNCH and VMExits to L0 indefinitely, i.e. the L1 vCPU
   trying VMLAUNCH effectively hangs

Signed-off-by: Sean Christopherson
---
 arch/x86/kvm/vmx.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c index 591214843046..3073160e6bae 100644 --- a/arch/x86/kvm/vmx.c +++ b/arch/x86/kvm/vmx.c @@ -6835,6 +6835,8 @@ static int handle_invalid_guest_state(struct kvm_vcpu *vcpu) err = emulate_instruction(vcpu, 0); + vmx->nested.nested_run_pending = 0; + if (err == EMULATE_USER_EXIT) { ++vcpu->stat.mmio_exits; ret = 0;
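Review bot: the added `vmx->nested.nested_run_pending = 0;` right after `err = emulate_instruction(vcpu, 0);` carries no comment, and read on its own in the emulation loop it looks like an arbitrary reset of nested state; please add a short comment stating what the commit message explains, namely that an exception pended by the emulator which L1 intercepts cannot be forwarded to L1 while nested_run_pending is set, so vmx_check_nested_events() keeps returning -EBUSY and the loop never makes progress. It is also worth saying in that comment that the clear is deliberately placed before the `if (err == EMULATE_USER_EXIT)` check, so it runs regardless of the emulation outcome, including failures, which matches the "after attempting to emulate at least one instruction" wording. Finally, the hunk's few lines of context do not show where `vmx` is declared in handle_invalid_guest_state(); confirm it is already in scope there as the usual `struct vcpu_vmx *vmx`.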
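The six steps above describe a livelock between the emulation loop and the nested-event check. The following is an added, deliberately simplified C model of that interaction (not KVM code and not part of the patch): it keeps only the three facts the commit message relies on, that emulating L2 queues an exception L1 intercepts, that the exception cannot be forwarded to L1 while nested_run_pending is set, and that with an exception already queued the emulation loop cannot emulate anything. The function and field names mirror the commit message but their bodies are this model's own assumptions; the iteration bound, the `fixed` switch and `run_l2()` are likewise invented for illustration.

```c
/*
 * Simplified model of the nested_run_pending livelock described in the
 * commit message.  Not KVM code: the names mirror the message, but the
 * bodies are reduced to the minimum needed to show the cycle and why
 * clearing nested_run_pending after one emulated instruction breaks it.
 */
#include <stdbool.h>
#include <stdio.h>

#define EBUSY    16
#define MAX_ITER 1000   /* bound so the unfixed case terminates in the model */

struct vcpu {
    bool nested_run_pending;  /* L1 just executed VMLAUNCH into L2 */
    bool exception_pending;   /* emulator queued an exception, e.g. #UD */
    bool l1_intercepts;       /* L1's exception bitmap covers that exception */
    bool emulation_required;  /* L2 guest state is invalid, so L0 emulates */
    int  vmexits_to_l1;       /* exceptions actually delivered to L1 */
};

/* Step 2: emulate one instruction; in this model it always raises #UD. */
static int emulate_instruction(struct vcpu *v)
{
    v->exception_pending = true;
    return 0;  /* EMULATE_DONE */
}

/* Steps 3-4: L1 wants the exception, but a pending VMLAUNCH blocks forwarding. */
static int vmx_check_nested_events(struct vcpu *v)
{
    if (!v->exception_pending || !v->l1_intercepts)
        return 0;
    if (v->nested_run_pending)
        return -EBUSY;
    /* Forward the exception to L1: L2 exits, so emulating L2 stops. */
    v->exception_pending = false;
    v->emulation_required = false;
    v->vmexits_to_l1++;
    return 0;
}

/* Steps 1 and 5: one pass of the emulation loop; 'fixed' applies the patch. */
static int handle_invalid_guest_state(struct vcpu *v, bool fixed)
{
    /* With an exception already queued, nothing further can be emulated. */
    if (v->exception_pending)
        return 1;
    emulate_instruction(v);
    if (fixed)
        v->nested_run_pending = false;  /* the patch: clear after one attempt */
    return 1;
}

/*
 * Drive the run loop from L1's VMLAUNCH until L1 receives the exception.
 * Returns the number of iterations that took, or -1 when the bound is hit,
 * which is the model's equivalent of the hang in step 6.
 */
int run_l2(bool fixed)
{
    struct vcpu v = {
        .nested_run_pending = true,
        .l1_intercepts = true,
        .emulation_required = true,
    };

    for (int i = 1; i <= MAX_ITER; i++) {
        if (vmx_check_nested_events(&v) == 0 && !v.emulation_required)
            return i;  /* exception delivered to L1, L2 emulation finished */
        if (v.emulation_required)
            handle_invalid_guest_state(&v, fixed);
    }
    return -1;
}

int main(void)
{
    printf("without clear: %d iterations\n", run_l2(false));  /* -1: never progresses */
    printf("with clear:    %d iterations\n", run_l2(true));   /* 2: exception reaches L1 */
    return 0;
}
```

Without the clear, every pass after the first finds the exception queued and nested_run_pending still set, so vmx_check_nested_events() returns -EBUSY and handle_invalid_guest_state() returns without emulating, exactly the cycle in steps 4 and 5; with the clear, the second pass forwards the exception to L1 and the loop ends.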