From patchwork Mon Sep 21 15:44:54 2015
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Borislav Petkov <bp@alien8.de>
X-Patchwork-Id: 7232261
Return-Path: <kvm-owner@kernel.org>
X-Original-To: patchwork-kvm@patchwork.kernel.org
Delivered-To: patchwork-parsemail@patchwork1.web.kernel.org
Received: from mail.kernel.org (mail.kernel.org [198.145.29.136])
	by patchwork1.web.kernel.org (Postfix) with ESMTP id 048C49F32B
	for <patchwork-kvm@patchwork.kernel.org>;
	Mon, 21 Sep 2015 15:45:44 +0000 (UTC)
Received: from mail.kernel.org (localhost [127.0.0.1])
	by mail.kernel.org (Postfix) with ESMTP id 00C0D207AF
	for <patchwork-kvm@patchwork.kernel.org>;
	Mon, 21 Sep 2015 15:45:43 +0000 (UTC)
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by mail.kernel.org (Postfix) with ESMTP id D24AB20649
	for <patchwork-kvm@patchwork.kernel.org>;
	Mon, 21 Sep 2015 15:45:41 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S932304AbbIUPo6 (ORCPT
	<rfc822;patchwork-kvm@patchwork.kernel.org>);
	Mon, 21 Sep 2015 11:44:58 -0400
Received: from mail.skyhub.de ([78.46.96.112]:43577 "EHLO mail.skyhub.de"
	rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
	id S932223AbbIUPo5 (ORCPT <rfc822;kvm@vger.kernel.org>);
	Mon, 21 Sep 2015 11:44:57 -0400
X-Virus-Scanned: Nedap ESD1 at mail.skyhub.de
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=alien8.de; s=alien8;
	t=1442850295; bh=u40hkdVs07bp/YenR45fe7ll0USLrMZNafLq/sgDNTQ=;
	h=Date:From:To:Cc:Subject:Message-ID:References:MIME-Version:
	Content-Type:In-Reply-To; b=cRk1577CHbYygLQRve1QHwSQTxB1sxQuTOMZKc
	upbW+PTVnKAzASVRcuDxlYHTcQwk93PJ2rFKEi2gsA9aPyaqOzTtc7fZ4BbzcptiLK9
	LGG8DyEAnZnqy2RbNEraJeoCzxgfQI+PercMhm68cBQXOXHCeKfnn0hmoslu6VTU5Y=
Received: from mail.skyhub.de ([127.0.0.1])
	by localhost (door.skyhub.de [127.0.0.1]) (amavisd-new, port 10026)
	with ESMTP id M42kJrk8ZAae; Mon, 21 Sep 2015 17:44:55 +0200 (CEST)
Received: from pd.tnic (p5DDC781D.dip0.t-ipconnect.de [93.220.120.29])
	(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by mail.skyhub.de (SuperMail on ZX Spectrum 128k) with ESMTPSA id
	D28711DA269; Mon, 21 Sep 2015 17:44:54 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=alien8.de; s=alien8;
	t=1442850295; bh=u40hkdVs07bp/YenR45fe7ll0USLrMZNafLq/sgDNTQ=;
	h=Date:From:To:Cc:Subject:Message-ID:References:MIME-Version:
	Content-Type:In-Reply-To; b=cRk1577CHbYygLQRve1QHwSQTxB1sxQuTOMZKc
	upbW+PTVnKAzASVRcuDxlYHTcQwk93PJ2rFKEi2gsA9aPyaqOzTtc7fZ4BbzcptiLK9
	LGG8DyEAnZnqy2RbNEraJeoCzxgfQI+PercMhm68cBQXOXHCeKfnn0hmoslu6VTU5Y=
Received: by pd.tnic (Postfix, from userid 1000)
	id 5847716032A; Mon, 21 Sep 2015 17:44:54 +0200 (CEST)
Date: Mon, 21 Sep 2015 17:44:54 +0200
From: Borislav Petkov <bp@alien8.de>
To: Paolo Bonzini <pbonzini@redhat.com>
Cc: kvm ML <kvm@vger.kernel.org>, lkml <linux-kernel@vger.kernel.org>,
	Xiao Guangrong <guangrong.xiao@linux.intel.com>
Subject: Re: include/linux/kvm_host.h:488 suspicious rcu_dereference_check()
	usage!
Message-ID: <20150921154454.GB3666@pd.tnic>
References: <20150920164851.GB3540@pd.tnic> <56001DF6.3000902@redhat.com>
	<5600201D.8050700@redhat.com>
MIME-Version: 1.0
Content-Disposition: inline
In-Reply-To: <5600201D.8050700@redhat.com>
User-Agent: Mutt/1.5.23 (2014-03-12)
Sender: kvm-owner@vger.kernel.org
Precedence: bulk
List-ID: <kvm.vger.kernel.org>
X-Mailing-List: kvm@vger.kernel.org
X-Spam-Status: No, score=-6.8 required=5.0 tests=BAYES_00,DKIM_SIGNED,
	RCVD_IN_DNSWL_HI,RP_MATCHES_RCVD,T_DKIM_INVALID,UNPARSEABLE_RELAY
	autolearn=unavailable version=3.3.1
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on mail.kernel.org
X-Virus-Scanned: ClamAV using ClamSMTP

On Mon, Sep 21, 2015 at 05:19:57PM +0200, Paolo Bonzini wrote:
> First, the leaf test would have to be == 0, because I prepared the
> patch on the first 4.3 pull request instead of the latest Linus
> tree.  However even this would not be a good change, because
> 
> is_shadow_present_pte(spte) == !(pte & PT_PRESENT_MASK) || is_mmio_spte(pte)
> 
> and thus is_shadow_present_pte implies the "if" I'm adding above.
> 
> So can you instead please add this debugging printk?
> 
> diff --git a/arch/x86/kvm/mmu.c b/arch/x86/kvm/mmu.c
> index fb16a8ea3dee..90e8ef264861 100644
> --- a/arch/x86/kvm/mmu.c
> +++ b/arch/x86/kvm/mmu.c
> @@ -3334,6 +3334,7 @@ walk_shadow_page_get_mmio_spte(struct kvm_vcpu *vcpu, u64 addr, u64 *sptep)
>  			       sptes[root - 1], root);
>  			root--;
>  		}
> +		pr_err("shadow_mmio_mask: %lx\n", shadow_mmio_mask);
>  	}
>  exit:
>  	*sptep = spte;

Ok, here's with this ontop. Fixed it up to:
---

as shadow_mmio_mask is u64.

[   62.765446] walk_shadow_page_get_mmio_spte: detect reserved bits on spte, addr 0xb8000, dump hierarchy:
[   62.774903] ------ spte 0x4173d3027 level 4.
[   62.779209] ------ spte 0x4173d1027 level 3.
[   62.783558] ------ spte 0x4173c8027 level 2.
[   62.783561] ------ spte 0xffff0000000b8f67 level 1.
[   62.783562] shadow_mmio_mask: 0xc00f000000000001
[   62.783564] ------------[ cut here ]------------
[   62.783604] WARNING: CPU: 2 PID: 3531 at arch/x86/kvm/mmu.c:3386 handle_mmio_page_fault.part.93+0x1a/0x20 [kvm]()
[   62.783642] Modules linked in: tun sha256_ssse3 sha256_generic drbg binfmt_misc ipv6 vfat fat fuse dm_crypt dm_mod kvm_amd kvm crc32_pclmul aesni_intel aes_x86_64 lrw gf128mul glue_helper ablk_helper cryptd amd64_edac_mod k10temp fam15h_power edac_core amdkfd amd_iommu_v2 radeon acpi_cpufreq
[   62.783646] CPU: 2 PID: 3531 Comm: qemu-system-x86 Not tainted 4.3.0-rc2+ #1
[   62.783648] Hardware name: To be filled by O.E.M. To be filled by O.E.M./M5A97 EVO R2.0, BIOS 1503 01/16/2013
[   62.783654]  ffffffffa0401892 ffff880416eafb80 ffffffff812c8c2a 0000000000000000
[   62.783665]  ffff880416eafbb8 ffffffff81053e55 ffff8804172d8000 000000000000000f
[   62.783666]  00000000000b8000 0000000000000000 00000000ffffffff ffff880416eafbc8
[   62.783667] Call Trace:
[   62.783671]  [<ffffffff812c8c2a>] dump_stack+0x4e/0x84
[   62.783673]  [<ffffffff81053e55>] warn_slowpath_common+0x95/0xe0
[   62.783674]  [<ffffffff81053f5a>] warn_slowpath_null+0x1a/0x20
[   62.783684]  [<ffffffffa03d47ba>] handle_mmio_page_fault.part.93+0x1a/0x20 [kvm]
[   62.783694]  [<ffffffffa03db081>] tdp_page_fault+0x231/0x290 [kvm]
[   62.783697]  [<ffffffff810a24bd>] ? __lock_acquire+0x62d/0x19e0
[   62.783705]  [<ffffffffa03c432e>] ? emulator_pio_in_out+0x6e/0xf0 [kvm]
[   62.783715]  [<ffffffffa03d66f6>] kvm_mmu_page_fault+0x36/0x240 [kvm]
[   62.783718]  [<ffffffffa045c71e>] pf_interception+0xde/0x1d0 [kvm_amd]
[   62.783720]  [<ffffffffa045ecb1>] handle_exit+0x181/0xa70 [kvm_amd]
[   62.783729]  [<ffffffffa03cc50b>] ? kvm_arch_vcpu_ioctl_run+0x68b/0x1730 [kvm]
[   62.783738]  [<ffffffffa03cc576>] kvm_arch_vcpu_ioctl_run+0x6f6/0x1730 [kvm]
[   62.783748]  [<ffffffffa03cc50b>] ? kvm_arch_vcpu_ioctl_run+0x68b/0x1730 [kvm]
[   62.783749]  [<ffffffff81082afb>] ? preempt_count_sub+0x9b/0xf0
[   62.783751]  [<ffffffff816c144f>] ? mutex_lock_killable_nested+0x26f/0x490
[   62.783753]  [<ffffffff81082afb>] ? preempt_count_sub+0x9b/0xf0
[   62.783759]  [<ffffffffa03b37e8>] kvm_vcpu_ioctl+0x358/0x710 [kvm]
[   62.783761]  [<ffffffff810a0ae1>] ? __lock_is_held+0x51/0x70
[   62.783762]  [<ffffffff811a0711>] ? __fget+0x101/0x210
[   62.783764]  [<ffffffff81194a54>] do_vfs_ioctl+0x2f4/0x560
[   62.783766]  [<ffffffff811a0889>] ? __fget_light+0x29/0x90
[   62.783767]  [<ffffffff81194d0c>] SyS_ioctl+0x4c/0x90
[   62.783769]  [<ffffffff816c495b>] entry_SYSCALL_64_fastpath+0x16/0x73
[   62.783770] ---[ end trace 8fe1d7df0fb72e0c ]---

Index: b/arch/x86/kvm/mmu.c
===================================================================
--- a/arch/x86/kvm/mmu.c	2015-09-21 17:26:25.213434565 +0200
+++ b/arch/x86/kvm/mmu.c	2015-09-21 17:27:14.333435968 +0200
@@ -3335,6 +3335,7 @@ walk_shadow_page_get_mmio_spte(struct kv
 			       sptes[root - 1], root);
 			root--;
 		}
+		pr_err("shadow_mmio_mask: 0x%llx\n", shadow_mmio_mask);
 	}
 exit:
 	*sptep = spte;