From: Borislav Petkov <bp@alien8.de>
To: Paolo Bonzini <pbonzini@redhat.com>
Cc: linux-kernel@vger.kernel.org, kvm@vger.kernel.org,
	"Jörg Rödel" <joro@8bytes.org>
Subject: Re: [PATCH] kvm: x86: move tracepoints outside extended quiescent state
Date: Fri, 11 Dec 2015 11:22:45 +0100	[thread overview]
Message-ID: <20151211102244.GA3660@pd.tnic>
In-Reply-To: <5669C137.7080601@redhat.com>

On Thu, Dec 10, 2015 at 07:15:19PM +0100, Paolo Bonzini wrote:
> Yeah, wait_lapic_expire also has to be moved before __kvm_guest_enter.

Yeah, v2 doesn't splat on the Intel box anymore but the AMD box still
does, and it is a different problem. With the v2 applied, it still
explodes, see below.

And I'm willing to bet good money on that shadow pages fun. The

[  959.466549] kernel tried to execute NX-protected page - exploit attempt? (uid: 1000)

line basically says that we're pagefaulting when trying to fetch
instructions, i.e., we're trying to execute something from a page, rIP
points to 0xffff8800b9f9bdf0 and that is most likely a page belonging to
kvm, which, however, is for some reason not executable (anymore?).

Could it have anything to do with that zapping of shadow pages, per
chance?

Can I disable the zapping and see if it still triggers? Or should I try
modprobing kvm with "npt=0" or so?

/me goes and tries it...

Nope, that doesn't help - it still splats.

Hmmm...

[  849.272337] kvm: zapping shadow pages for mmio generation wraparound
[  933.813871] kvm: zapping shadow pages for mmio generation wraparound
[  959.466549] kernel tried to execute NX-protected page - exploit attempt? (uid: 1000)
[  959.474369] BUG: unable to handle kernel paging request at ffff8800b9f9bdf0
[  959.481407] IP: [<ffff8800b9f9bdf0>] 0xffff8800b9f9bdf0
[  959.486677] PGD 2d7e067 PUD 43efff067 PMD 80000000b9e001e3 
[  959.492338] Oops: 0011 [#1] PREEMPT SMP 
[  959.496340] Modules linked in: tun sha256_ssse3 sha256_generic drbg binfmt_misc ipv6 vfat fat fuse dm_crypt dm_mod kvm_amd kvm irqbypass crc32_pclmul aesni_intel aes_x86_64 lrw gf128mul glue_helper ablk_helper cryptd amd64_edac_mod fam15h_power k10temp edac_mce_amd amdkfd amd_iommu_v2 radeon acpi_cpufreq
[  959.524023] CPU: 3 PID: 3798 Comm: qemu-system-x86 Not tainted 4.4.0-rc4+ #8
[  959.531127] Hardware name: To be filled by O.E.M. To be filled by O.E.M./M5A97 EVO R2.0, BIOS 1503 01/16/2013
[  959.541113] task: ffff8800b7ca5e00 ti: ffff8800b9f98000 task.ti: ffff8800b9f98000
[  959.548625] RIP: 0010:[<ffff8800b9f9bdf0>]  [<ffff8800b9f9bdf0>] 0xffff8800b9f9bdf0
[  959.556338] RSP: 0018:ffff8800b9f9bde0  EFLAGS: 00010206
[  959.561676] RAX: 000003993d0f82ee RBX: ffff8800b7d48000 RCX: 0000000000000001
[  959.568844] RDX: 0000039900000000 RSI: ffffffffa02bdc7b RDI: ffff8800b7d48000
[  959.576010] RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000
[  959.583177] R10: 0000000000000000 R11: 0000000000000001 R12: 0000000000000000
[  959.590346] R13: ffff8800b7d48000 R14: 0000000000000000 R15: 0000000000000000
[  959.597513] FS:  00007f7fae580700(0000) GS:ffff88042cc00000(0000) knlGS:0000000000000000
[  959.605643] CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
[  959.611414] CR2: ffff8800b9f9bdf0 CR3: 000000041b5fe000 CR4: 00000000000406e0
[  959.618579] Stack:
[  959.620607]  ffffffffa02d5e17 ffff8800b7d48000 ffff8800b9f9be08 ffffffffa02bdb1f
[  959.628104]  0000000000000000 ffff8800b9f9be98 ffffffffa02bdc7b ffff8804242a4400
[  959.635601]  0000000000000070 0000000000004000 ffffffff81a3c1e0 ffff8800b7ca5e00
[  959.643114] Call Trace:
[  959.645599]  [<ffffffffa02d5e17>] ? kvm_arch_vcpu_put+0x17/0x40 [kvm]
[  959.652081]  [<ffffffffa02bdb1f>] ? vcpu_put+0x1f/0x60 [kvm]
[  959.657782]  [<ffffffffa02bdc7b>] ? kvm_vcpu_ioctl+0x11b/0x6f0 [kvm]
[  959.664169]  [<ffffffff811a0930>] ? do_vfs_ioctl+0x2e0/0x540
[  959.669855]  [<ffffffff811ac8e9>] ? __fget_light+0x29/0x90
[  959.675364]  [<ffffffff811a0bdc>] ? SyS_ioctl+0x4c/0x90
[  959.680618]  [<ffffffff816e2d5b>] ? entry_SYSCALL_64_fastpath+0x16/0x6f
[  959.687263] Code: 00 00 00 06 02 01 00 00 00 00 00 e0 bd f9 b9 00 88 ff ff 18 00 00 00 00 00 00 00 17 5e 2d a0 ff ff ff ff 00 80 d4 b7 00 88 ff ff <08> be f9 b9 00 88 ff ff 1f db 2b a0 ff ff ff ff 00 00 00 00 00 
[  959.707506] RIP  [<ffff8800b9f9bdf0>] 0xffff8800b9f9bdf0
[  959.712862]  RSP <ffff8800b9f9bde0>
[  959.716373] CR2: ffff8800b9f9bdf0
[  959.735764] ---[ end trace 6826bd13f6e235cd ]---
[  959.740465] note: qemu-system-x86[3798] exited with preempt_count 1
[  979.163010] kvm: zapping shadow pages for mmio generation wraparound

-- 
Regards/Gruss,
    Boris.

ECO tip #101: Trim your mails when you reply.
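As an added example (not part of the mail or of the kernel tree), a small triage script over the register and trace lines of the oops above: it decodes the #PF error code and checks where RIP sits relative to the faulting task's kernel stack. It assumes the v4.4 x86-64 THREAD_SIZE of 16 KiB and the x86 page-fault error-code bit layout (bit 0 = page present, bit 4 = instruction fetch).

```python
import re

THREAD_SIZE = 0x4000  # assumption: x86-64 v4.4 kernel stack (THREAD_SIZE_ORDER = 2)
PF_PROT, PF_INSTR = 0x1, 0x10  # x86 #PF error-code bits: page present, instruction fetch
FRAME_RE = re.compile(r"^\[[^\]]*\]\s+\[<([0-9a-f]+)>\]\s+(\?\s+)?(\S+)")

# Register and trace lines copied from the oops quoted in the mail above.
OOPS = """\
[  959.492338] Oops: 0011 [#1] PREEMPT SMP
[  959.541113] task: ffff8800b7ca5e00 ti: ffff8800b9f98000 task.ti: ffff8800b9f98000
[  959.548625] RIP: 0010:[<ffff8800b9f9bdf0>]  [<ffff8800b9f9bdf0>] 0xffff8800b9f9bdf0
[  959.556338] RSP: 0018:ffff8800b9f9bde0  EFLAGS: 00010206
[  959.611414] CR2: ffff8800b9f9bdf0 CR3: 000000041b5fe000 CR4: 00000000000406e0
[  959.645599]  [<ffffffffa02d5e17>] ? kvm_arch_vcpu_put+0x17/0x40 [kvm]
[  959.652081]  [<ffffffffa02bdb1f>] ? vcpu_put+0x1f/0x60 [kvm]
"""

def _hex(pattern, text):
    m = re.search(pattern, text)
    return int(m.group(1), 16) if m else None

def parse_oops(text):
    """Registers that matter for an instruction-fetch fault; 'ti' is the stack base."""
    return {
        "err": _hex(r"Oops: ([0-9a-f]+)", text),
        "ti": _hex(r"\sti: ([0-9a-f]+)", text),
        "rip": _hex(r"RIP: 0010:\[<([0-9a-f]+)>\]", text),
        "rsp": _hex(r"RSP: 0018:([0-9a-f]+)", text),
        "cr2": _hex(r"\bCR2: ([0-9a-f]+)", text),
    }

def parse_frames(text):
    """(addr, guessed, symbol) per Call Trace line; '?' marks frames the unwinder only guessed."""
    ms = filter(None, map(FRAME_RE.match, text.splitlines()))
    return [(int(m.group(1), 16), m.group(2) is not None, m.group(3)) for m in ms]

def triage(text):
    """Decode the #PF error code and place RIP relative to the faulting task's stack."""
    o, frames = parse_oops(text), parse_frames(text)
    stack_lo, stack_hi = o["ti"], o["ti"] + THREAD_SIZE
    need = PF_PROT | PF_INSTR  # NX violation: present page, fetch attempt
    return {
        "nx_fetch_fault": (o["err"] & need) == need and o["cr2"] == o["rip"],
        "rip_on_stack": stack_lo <= o["rip"] < stack_hi,
        "rip_minus_rsp": o["rip"] - o["rsp"],
        "guessed_frames": sum(1 for _, guessed, _ in frames if guessed),
        "symbols": [sym for _, _, sym in frames],
    }
```

On the quoted oops this reports an NX fetch fault with RIP equal to CR2, lying 16 bytes above RSP inside the task's own stack range, and a call trace made entirely of guessed frames: the CPU returned into stack memory, which NX correctly refuses to execute.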
