From patchwork Mon Mar  6 12:03:28 2017
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Patchwork-Submitter: Wanpeng Li <kernellwp@gmail.com>
X-Patchwork-Id: 9605907
Return-Path: <kvm-owner@kernel.org>
Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org
	[172.30.200.125])
	by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id
	0CE45601D2 for <patchwork-kvm@patchwork.kernel.org>;
	Mon,  6 Mar 2017 12:03:45 +0000 (UTC)
Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id E8EE628394
	for <patchwork-kvm@patchwork.kernel.org>;
	Mon,  6 Mar 2017 12:03:44 +0000 (UTC)
Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486)
	id DC35B28415; Mon,  6 Mar 2017 12:03:44 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	pdx-wl-mail.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-6.5 required=2.0 tests=BAYES_00,DKIM_SIGNED,
	DKIM_VALID, DKIM_VALID_AU, FREEMAIL_FROM, RCVD_IN_DNSWL_HI,
	RCVD_IN_SORBS_SPAM autolearn=ham version=3.3.1
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 0D9C428394
	for <patchwork-kvm@patchwork.kernel.org>;
	Mon,  6 Mar 2017 12:03:43 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1752968AbdCFMDh (ORCPT
	<rfc822;patchwork-kvm@patchwork.kernel.org>);
	Mon, 6 Mar 2017 07:03:37 -0500
Received: from mail-pg0-f67.google.com ([74.125.83.67]:33868 "EHLO
	mail-pg0-f67.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1752685AbdCFMDf (ORCPT <rfc822; kvm@vger.kernel.org>);
	Mon, 6 Mar 2017 07:03:35 -0500
Received: by mail-pg0-f67.google.com with SMTP id b5so2787699pgg.1;
	Mon, 06 Mar 2017 04:03:34 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=gmail.com; s=20161025;
	h=from:to:cc:subject:date:message-id:mime-version
	:content-transfer-encoding;
	bh=hq+zIQM0Vin9+1NbeXhxXUPkdWfLEVnKIdu2FQqsugY=;
	b=DIHxpY0cZVFRSSswQjqGB8Gjjh/EwnfcuAb+8fefrcyV4D351p3Ggg8wyYHu3oxbRi
	93Dm7iVMpu1RPJhb+trGNI0u6428qxl6u76HovatGX4GfFHqFi70iSstRyRT56XhBWtI
	EwjaHF5O/cqjutA/E5sjs0VJyWroh6f6DZkor7iCz7vnhGk+TLskFvbfqkvzKQIS/4bl
	dS3rosCwJtINJNfIM4AXkVPzAVXvfTIX7SBqwTSbNzShAJzkIadbHQl9Mz/LQHcZwEBd
	MVo0nug49R0yWSdB3aigNnSn3GEcMVgT3dgnRxwyKh/H+6jBBmDypIgNq/cUtsPx/e+u
	khWA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=1e100.net; s=20161025;
	h=x-gm-message-state:from:to:cc:subject:date:message-id:mime-version
	:content-transfer-encoding;
	bh=hq+zIQM0Vin9+1NbeXhxXUPkdWfLEVnKIdu2FQqsugY=;
	b=BmCKQeUv645WUWqpSwxSjiMuVsCArHgYLRQFfsvbROUkHh4G/WW9mKLjwtbi5ywdYy
	3urGY11lxS8gPKasIdhl4GD6SZEPBVSKCICAL3eI4qAINBP3xLdYIpQuyiandbjkA/cs
	49nPfRSO/5p7vj8gC76O+P8vjSu4ew0a2R9jNcspZ7ygbIChhQrKBSX0PpYcVgjPCxOc
	iIuF220XeN7DNwxeZAVhOLmSb11Desj6KoOXtNRFi3dSeaTCOZ5DJnI/LzAaYWSX+M6A
	MY0jB6H8qq5nFTUS+0K93ias5FvfdxmlR3x8NTon7HGP2LyE/nJZmOO93+n1wE5yxFTo
	GMgw==
X-Gm-Message-State: 
 AMke39nHuwFQsbyhCc4S1KcOX7wNNOKFT1F8TnrPFuGJ+6Iozd/KyPSWB9E+Tuw4nimCZg==
X-Received: by 10.84.229.10 with SMTP id b10mr25711839plk.148.1488801814008;
	Mon, 06 Mar 2017 04:03:34 -0800 (PST)
Received: from localhost ([203.205.141.123])
	by smtp.gmail.com with ESMTPSA id
	y5sm39544950pgy.28.2017.03.06.04.03.32
	(version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
	Mon, 06 Mar 2017 04:03:32 -0800 (PST)
From: Wanpeng Li <kernellwp@gmail.com>
X-Google-Original-From: Wanpeng Li <wanpeng.li@hotmail.com>
To: linux-kernel@vger.kernel.org, kvm@vger.kernel.org
Cc: Paolo Bonzini <pbonzini@redhat.com>,
	=?UTF-8?q?Radim=20Kr=C4=8Dm=C3=A1=C5=99?= <rkrcmar@redhat.com>,
	Wanpeng Li <wanpeng.li@hotmail.com>, Dmitry Vyukov <dvyukov@google.com>,
	David Hildenbrand <david@redhat.com>
Subject: [PATCH v3] KVM: nVMX: reset nested_run_pending if the vCPU is going
	to be reset
Date: Mon,  6 Mar 2017 04:03:28 -0800
Message-Id: <1488801808-12027-1-git-send-email-wanpeng.li@hotmail.com>
X-Mailer: git-send-email 2.7.4
MIME-Version: 1.0
Sender: kvm-owner@vger.kernel.org
Precedence: bulk
List-ID: <kvm.vger.kernel.org>
X-Mailing-List: kvm@vger.kernel.org
X-Virus-Scanned: ClamAV using ClamSMTP

From: Wanpeng Li <wanpeng.li@hotmail.com>

Reported by syzkaller:

    WARNING: CPU: 1 PID: 27742 at arch/x86/kvm/vmx.c:11029
    nested_vmx_vmexit+0x5c35/0x74d0 arch/x86/kvm/vmx.c:11029
    CPU: 1 PID: 27742 Comm: a.out Not tainted 4.10.0+ #229
    Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
    Call Trace:
     __dump_stack lib/dump_stack.c:15 [inline]
     dump_stack+0x2ee/0x3ef lib/dump_stack.c:51
     panic+0x1fb/0x412 kernel/panic.c:179
     __warn+0x1c4/0x1e0 kernel/panic.c:540
     warn_slowpath_null+0x2c/0x40 kernel/panic.c:583
     nested_vmx_vmexit+0x5c35/0x74d0 arch/x86/kvm/vmx.c:11029
     vmx_leave_nested arch/x86/kvm/vmx.c:11136 [inline]
     vmx_set_msr+0x1565/0x1910 arch/x86/kvm/vmx.c:3324
     kvm_set_msr+0xd4/0x170 arch/x86/kvm/x86.c:1099
     do_set_msr+0x11e/0x190 arch/x86/kvm/x86.c:1128
     __msr_io arch/x86/kvm/x86.c:2577 [inline]
     msr_io+0x24b/0x450 arch/x86/kvm/x86.c:2614
     kvm_arch_vcpu_ioctl+0x35b/0x46a0 arch/x86/kvm/x86.c:3497
     kvm_vcpu_ioctl+0x232/0x1120 arch/x86/kvm/../../../virt/kvm/kvm_main.c:2721
     vfs_ioctl fs/ioctl.c:43 [inline]
     do_vfs_ioctl+0x1bf/0x1790 fs/ioctl.c:683
     SYSC_ioctl fs/ioctl.c:698 [inline]
     SyS_ioctl+0x8f/0xc0 fs/ioctl.c:689
     entry_SYSCALL_64_fastpath+0x1f/0xc2
	
The syzkaller folks reported a nested_run_pending warning during userspace 
clear VMX capability which is exposed to L1 before. 

The warning gets thrown while doing

(*(uint32_t*)0x20aecfe8 = (uint32_t)0x1);
(*(uint32_t*)0x20aecfec = (uint32_t)0x0);
(*(uint32_t*)0x20aecff0 = (uint32_t)0x3a);
(*(uint32_t*)0x20aecff4 = (uint32_t)0x0);
(*(uint64_t*)0x20aecff8 = (uint64_t)0x0);
r[29] = syscall(__NR_ioctl, r[4], 0x4008ae89ul,
		0x20aecfe8ul, 0, 0, 0, 0, 0, 0);

i.e. KVM_SET_MSR ioctl with

struct kvm_msrs {
	.nmsrs = 1,
		.pad = 0,
		.entries = {
			{.index = MSR_IA32_FEATURE_CONTROL,
			 .reserved = 0,
			 .data = 0}
		}
}

The VMLANCH/VMRESUME emulation should be stopped since the CPU is going to 
reset here. This patch resets the nested_run_pending since the CPU is going 
to be reset hence there should be nothing pending.

Reported-by: Dmitry Vyukov <dvyukov@google.com>
Suggested-by: Radim Krčmář <rkrcmar@redhat.com>
Cc: Paolo Bonzini <pbonzini@redhat.com>
Cc: Radim Krčmář <rkrcmar@redhat.com>
Cc: Dmitry Vyukov <dvyukov@google.com>
Cc: David Hildenbrand <david@redhat.com>
Signed-off-by: Wanpeng Li <wanpeng.li@hotmail.com>
Reviewed-by: David Hildenbrand <david@redhat.com>
Reviewed-by: Jim Mattson <jmattson@google.com>
---
v2 -> v3:
 * move the reset to vmx_leave_nested()
v1 -> v2:
 * cleanup comments format

 arch/x86/kvm/vmx.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
index 3b626d6..ab33858 100644
--- a/arch/x86/kvm/vmx.c
+++ b/arch/x86/kvm/vmx.c
@@ -11107,8 +11107,10 @@ static void nested_vmx_vmexit(struct kvm_vcpu *vcpu, u32 exit_reason,
  */
 static void vmx_leave_nested(struct kvm_vcpu *vcpu)
 {
-	if (is_guest_mode(vcpu))
+	if (is_guest_mode(vcpu)) {
+		to_vmx(vcpu)->nested.nested_run_pending = 0;
 		nested_vmx_vmexit(vcpu, -1, 0, 0);
+	}
 	free_nested(to_vmx(vcpu));
 }