From: Vitaly Kuznetsov <vkuznets@redhat.com>
To: Paolo Bonzini <pbonzini@redhat.com>,
kvm@vger.kernel.org, sean.j.christopherson@intel.com
Cc: syzbot <syzbot+2a7156e11dc199bdbd8a@syzkaller.appspotmail.com>,
bp@alien8.de, hpa@zytor.com, jmattson@google.com,
joro@8bytes.org, linux-kernel@vger.kernel.org, mingo@redhat.com,
syzkaller-bugs@googlegroups.com, tglx@linutronix.de,
wanpengli@tencent.com, x86@kernel.org
Subject: Re: WARNING in kvm_inject_emulated_page_fault
Date: Thu, 04 Jun 2020 15:51:49 +0200 [thread overview]
Message-ID: <87pnafdjm2.fsf@vitty.brq.redhat.com> (raw)
In-Reply-To: <c15b3ad0-0062-f106-0746-d018cf33adbb@redhat.com>
Paolo Bonzini <pbonzini@redhat.com> writes:
> On 04/06/20 12:53, Vitaly Kuznetsov wrote:
>> Exception we're trying to inject comes from
>>
>> nested_vmx_get_vmptr()
>> kvm_read_guest_virt()
>> kvm_read_guest_virt_helper()
>> vcpu->arch.walk_mmu->gva_to_gpa()
>>
>> but it seems it is only set if GVA to GPA conversion fails. In case it
>> doesn't, we can still fail kvm_vcpu_read_guest_page() and return
>> X86EMUL_IO_NEEDED but nested_vmx_get_vmptr() doesn't care what we return
>> and does kvm_inject_emulated_page_fault(). This can happen when VMXON
>> parameter is MMIO, for example.
>>
>> How do we fix this? We can either properly exit to userspace for handling
>> or, if we decide that handling such requests makes little sense, just
>> inject #GP if exception is not set, e.g.
>>
>> diff --git a/arch/x86/kvm/vmx/nested.c b/arch/x86/kvm/vmx/nested.c
>> index 9c74a732b08d..a21e2f32f59b 100644
>> --- a/arch/x86/kvm/vmx/nested.c
>> +++ b/arch/x86/kvm/vmx/nested.c
>> @@ -4635,7 +4635,11 @@ static int nested_vmx_get_vmptr(struct kvm_vcpu *vcpu, gpa_t *vmpointer)
>> return 1;
>>
>> if (kvm_read_guest_virt(vcpu, gva, vmpointer, sizeof(*vmpointer), &e)) {
>> - kvm_inject_emulated_page_fault(vcpu, &e);
>> + if (e.vector == PF_VECTOR)
>> + kvm_inject_emulated_page_fault(vcpu, &e);
>> + else
>> + kvm_inject_gp(vcpu, 0);
>> +
>> return 1;
>> }
>>
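Review bot: the `e.vector == PF_VECTOR` test on the added lines keys the decision on a field that, per the description above, is only written on the GVA to GPA failure path; on the X86EMUL_IO_NEEDED path nothing has stored to `e`, so the comparison reads whatever the record happened to hold before the call. Branch on the return value of kvm_read_guest_virt() instead (X86EMUL_PROPAGATE_FAULT keeps the page-fault injection, anything else takes the #GP path), and put a comment on the #GP branch saying it is a deliberate shortcut rather than a userspace exit, so the next reader does not take it for the general case.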
>
> Yes, this is a plausible fix (with a comment explaining that we are
> taking a shortcut). Perhaps a better check would be
>
> r = kvm_read_guest_virt(vcpu, gva, vmpointer, sizeof(*vmpointer), &e);
> if (r != X86EMUL_CONTINUE) {
> if (r == X86EMUL_PROPAGATE_FAULT) {
> kvm_inject_emulated_page_fault(vcpu, &e);
> } else {
> /* ... */
> kvm_inject_gp(vcpu, 0);
> }
> return 1;
> }
>
> Are you going to send a patch?
>
Sure, will do.
--
Vitaly
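The difference between the two checks discussed in this thread, as a stand-alone C model written for this page (it is not kernel code and not Vitaly's or Paolo's patch): a cut-down `kvm_read_guest_virt()` stand-in that fills the exception record only on the translation-failure path, a "before" handler that trusts the record on every non-zero return, and an "after" handler that branches on the return code as Paolo suggests. The guest address layout, the `struct x86_exception` fields and the `model_*`/`get_vmptr_*` names are constructed for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Emulator return codes, named after the ones used in the thread. */
enum { X86EMUL_CONTINUE = 0, X86EMUL_PROPAGATE_FAULT = 1, X86EMUL_IO_NEEDED = 2 };

#define PF_VECTOR 14
#define GP_VECTOR 13

/* Constructed, cut-down exception record (the real struct has more fields). */
struct x86_exception { uint8_t vector; uint32_t error_code; uint64_t address; };

/* Constructed guest address map: RAM, an unmapped hole, and an MMIO window. */
enum gva_kind { GVA_RAM, GVA_UNMAPPED, GVA_MMIO };

static enum gva_kind classify_gva(uint64_t gva) {
    if (gva >= 0xfee00000ULL && gva < 0xfef00000ULL) return GVA_MMIO;     /* constructed MMIO window */
    if (gva >= 0x10000000ULL) return GVA_UNMAPPED;                         /* constructed: not mapped */
    return GVA_RAM;
}

/*
 * Stand-in for kvm_read_guest_virt(): the exception record is written ONLY
 * when the GVA->GPA walk fails. A read that lands on MMIO returns
 * X86EMUL_IO_NEEDED and leaves *e untouched, which is the path the thread
 * describes.
 */
static int model_read_guest_virt(uint64_t gva, uint64_t *out, struct x86_exception *e) {
    switch (classify_gva(gva)) {
    case GVA_RAM:
        *out = 0xdeadbeefULL;            /* constructed payload */
        return X86EMUL_CONTINUE;
    case GVA_UNMAPPED:
        e->vector = PF_VECTOR;
        e->error_code = 0;
        e->address = gva;
        return X86EMUL_PROPAGATE_FAULT;
    case GVA_MMIO:
        return X86EMUL_IO_NEEDED;        /* *e deliberately not written */
    }
    return X86EMUL_IO_NEEDED;
}

/* What the modelled vCPU would have injected, plus whether the record looked sane. */
struct injected { bool any; uint8_t vector; uint64_t address; bool warned; };

/* Pre-fix shape: every non-zero return is treated as a page fault and *e is trusted. */
static struct injected get_vmptr_before(uint64_t gva, struct x86_exception *e) {
    struct injected inj = {0};
    uint64_t vmptr;
    if (model_read_guest_virt(gva, &vmptr, e)) {
        inj.any = true;
        inj.vector = e->vector;            /* whatever *e held before the call */
        inj.address = e->address;
        inj.warned = (e->vector != PF_VECTOR); /* models the WARNING from the subject */
    }
    return inj;
}

/* Fixed shape: branch on the return code, as suggested in the thread. */
static struct injected get_vmptr_after(uint64_t gva, struct x86_exception *e) {
    struct injected inj = {0};
    uint64_t vmptr;
    int r = model_read_guest_virt(gva, &vmptr, e);
    if (r != X86EMUL_CONTINUE) {
        inj.any = true;
        if (r == X86EMUL_PROPAGATE_FAULT) {
            inj.vector = e->vector;        /* record is valid only on this path */
            inj.address = e->address;
        } else {
            /* Shortcut: no userspace exit for an MMIO VMXON pointer, inject #GP(0). */
            inj.vector = GP_VECTOR;
            inj.address = 0;
        }
    }
    return inj;
}

int main(void) {
    struct x86_exception e;
    memset(&e, 0x55, sizeof e);            /* stale contents, as left by an earlier fault */
    struct injected b = get_vmptr_before(0xfee00000ULL, &e);
    struct injected a = get_vmptr_after(0xfee00000ULL, &e);
    printf("before: vector=%u warned=%d\n", b.vector, b.warned);
    printf("after:  vector=%u warned=%d\n", a.vector, a.warned);
    return 0;
}
```

The `memset` of the record to `0x55` stands in for whatever the stack held; with it, the "before" handler injects a vector of 0x55 and trips the warning on the MMIO address, while the "after" handler injects #GP(0) on that address, a proper #PF on the unmapped one, and nothing on a RAM read.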