From patchwork Thu Jul 25 10:46:44 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Vitaly Kuznetsov X-Patchwork-Id: 11058591 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id A9EDD13B1 for ; Thu, 25 Jul 2019 10:47:05 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 977D428864 for ; Thu, 25 Jul 2019 10:47:05 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 88502288AF; Thu, 25 Jul 2019 10:47:05 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-7.9 required=2.0 tests=BAYES_00,MAILING_LIST_MULTI, RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 267C828864 for ; Thu, 25 Jul 2019 10:47:05 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728934AbfGYKrD (ORCPT ); Thu, 25 Jul 2019 06:47:03 -0400 Received: from mail-wr1-f67.google.com ([209.85.221.67]:45912 "EHLO mail-wr1-f67.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728321AbfGYKqv (ORCPT ); Thu, 25 Jul 2019 06:46:51 -0400 Received: by mail-wr1-f67.google.com with SMTP id f9so50192752wre.12 for ; Thu, 25 Jul 2019 03:46:49 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=fP/uxcOzwVHr7L9oUh6zQGOUjqLibLxYvQKPmz0udDQ=; b=iyKJq8F3Pot7HdFi9N3L6yoJL2LIKkFLXkncRuTUVrYMwyBcUQ3cwwRrsrcdWxA7PP Kb19993ZzS4eJVTxpFflyvr28B4H/wcWOB9u+UNH77VfkAGeguhfqufo4VqcQWCCIsGb g1JatlDcLk29F1wuhv3NE6eaSmB3I94cvQg10ygWio7LK163FT+Z+kmicMFd3ctojcOM LRjHoxT+tCcYxex2xFpnaFXDxLiqUYt1UN9bmgcYw9LaoKgofBC/tw/M8p3IqPHSKmlV eytIVCCvw0V9eQxIOrMdmkADRiiny7qics6lJDsUpIQ/lz9cLAeqtZMm2xXRIv5iQ1+t eFTQ== X-Gm-Message-State: APjAAAV37F3azgjcUWI+DoRSGDEczb3KDQUjZNr2J7/tU8LETSmlNvnD mwDohuiuHI0a2XsDxeE6bx9j9Q== X-Google-Smtp-Source: APXvYqy3zERLDjp6rqsxeS4vm7dBxqmTcEoy3J0oIY9E8QqB0xucZLj5joCQPA0shmqmsQdzg1hLFw== X-Received: by 2002:adf:b1d1:: with SMTP id r17mr94675892wra.273.1564051608781; Thu, 25 Jul 2019 03:46:48 -0700 (PDT) Received: from vitty.brq.redhat.com (nat-pool-brq-t.redhat.com. [213.175.37.10]) by smtp.gmail.com with ESMTPSA id f204sm72042696wme.18.2019.07.25.03.46.47 (version=TLS1_3 cipher=AEAD-AES256-GCM-SHA384 bits=256/256); Thu, 25 Jul 2019 03:46:48 -0700 (PDT) From: Vitaly Kuznetsov To: stable@vger.kernel.org Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Paolo Bonzini , =?utf-8?b?UmFkaW0gS3LEjW3DocWZ?= Subject: [PATCH stable-4.19 1/2] KVM: nVMX: do not use dangling shadow VMCS after guest reset Date: Thu, 25 Jul 2019 12:46:44 +0200 Message-Id: <20190725104645.30642-2-vkuznets@redhat.com> X-Mailer: git-send-email 2.20.1 In-Reply-To: <20190725104645.30642-1-vkuznets@redhat.com> References: <20190725104645.30642-1-vkuznets@redhat.com> MIME-Version: 1.0 Sender: kvm-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: kvm@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP From: Paolo Bonzini [ Upstream commit 88dddc11a8d6b09201b4db9d255b3394d9bc9e57 ] If a KVM guest is reset while running a nested guest, free_nested will disable the shadow VMCS execution control in the vmcs01. However, on the next KVM_RUN vmx_vcpu_run would nevertheless try to sync the VMCS12 to the shadow VMCS which has since been freed. This causes a vmptrld of a NULL pointer on my machime, but Jan reports the host to hang altogether. Let's see how much this trivial patch fixes. Reported-by: Jan Kiszka Cc: Liran Alon Cc: stable@vger.kernel.org Signed-off-by: Paolo Bonzini Acked-by: Paolo Bonzini --- arch/x86/kvm/vmx.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c index 73d6d585dd66..880bc36a0d5d 100644 --- a/arch/x86/kvm/vmx.c +++ b/arch/x86/kvm/vmx.c @@ -8457,6 +8457,7 @@ static void vmx_disable_shadow_vmcs(struct vcpu_vmx *vmx) { vmcs_clear_bits(SECONDARY_VM_EXEC_CONTROL, SECONDARY_EXEC_SHADOW_VMCS); vmcs_write64(VMCS_LINK_POINTER, -1ull); + vmx->nested.sync_shadow_vmcs = false; } static inline void nested_release_vmcs12(struct vcpu_vmx *vmx) @@ -8468,7 +8469,6 @@ static inline void nested_release_vmcs12(struct vcpu_vmx *vmx) /* copy to memory all shadowed fields in case they were modified */ copy_shadow_to_vmcs12(vmx); - vmx->nested.sync_shadow_vmcs = false; vmx_disable_shadow_vmcs(vmx); } vmx->nested.posted_intr_nv = -1; @@ -8668,6 +8668,9 @@ static void copy_shadow_to_vmcs12(struct vcpu_vmx *vmx) u64 field_value; struct vmcs *shadow_vmcs = vmx->vmcs01.shadow_vmcs; + if (WARN_ON(!shadow_vmcs)) + return; + preempt_disable(); vmcs_load(shadow_vmcs); @@ -8706,6 +8709,9 @@ static void copy_vmcs12_to_shadow(struct vcpu_vmx *vmx) u64 field_value = 0; struct vmcs *shadow_vmcs = vmx->vmcs01.shadow_vmcs; + if (WARN_ON(!shadow_vmcs)) + return; + vmcs_load(shadow_vmcs); for (q = 0; q < ARRAY_SIZE(fields); q++) {