From: Vitaly Kuznetsov <vkuznets@redhat.com>
To: Sean Christopherson <sean.j.christopherson@intel.com>
Cc: Wanpeng Li <wanpengli@tencent.com>,
Jim Mattson <jmattson@google.com>, Joerg Roedel <joro@8bytes.org>,
kvm@vger.kernel.org, linux-kernel@vger.kernel.org,
Paolo Bonzini <pbonzini@redhat.com>
Subject: Re: [PATCH] KVM: nVMX: Store vmcs.EXIT_QUALIFICATION as an unsigned long, not u32
Date: Fri, 24 Apr 2020 13:44:00 +0200 [thread overview]
Message-ID: <87wo65nm67.fsf@vitty.brq.redhat.com> (raw)
In-Reply-To: <20200423001127.13490-1-sean.j.christopherson@intel.com>
Sean Christopherson <sean.j.christopherson@intel.com> writes:
> Use an unsigned long for 'exit_qual' in nested_vmx_reflect_vmexit(), the
> EXIT_QUALIFICATION field is naturally sized, not a 32-bit field.
>
> The bug is most easily observed by doing VMXON (or any VMX instruction)
> in L2 with a negative displacement, in which case dropping the upper
> bits on nested VM-Exit results in L1 calculating the wrong virtual
> address for the memory operand, e.g. "vmxon -0x8(%rbp)" yields:
>
> Unhandled cpu exception 14 #PF at ip 0000000000400553
> rbp=0000000000537000 cr2=0000000100536ff8
>
> Fixes: fbdd50250396d ("KVM: nVMX: Move VM-Fail check out of nested_vmx_exit_reflected()")
> Signed-off-by: Sean Christopherson <sean.j.christopherson@intel.com>
> ---
>
> Sadly (for me), I can't blame a mishandled merge on this one. Even more
> embarassing is that this is actually the second instance where I botched
> the size for exit_qual, you'd think I'd have double-checked everything
> after the first one...
>
> arch/x86/kvm/vmx/nested.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/arch/x86/kvm/vmx/nested.c b/arch/x86/kvm/vmx/nested.c
> index f228339cd0a0..3f32f81f5c59 100644
> --- a/arch/x86/kvm/vmx/nested.c
> +++ b/arch/x86/kvm/vmx/nested.c
> @@ -5814,7 +5814,8 @@ bool nested_vmx_reflect_vmexit(struct kvm_vcpu *vcpu)
> {
> struct vcpu_vmx *vmx = to_vmx(vcpu);
> u32 exit_reason = vmx->exit_reason;
> - u32 exit_intr_info, exit_qual;
> + unsigned long exit_qual;
> + u32 exit_intr_info;
>
> WARN_ON_ONCE(vmx->nested.nested_run_pending);
Too late but
Reviewed-by: Vitaly Kuznetsov <vkuznets@redhat.com>
I also did 'git grep -W 'u32.*exit_qual' kvm/queue' and I can see a few
more places where 'exit_qual' is u32:
nested_vmx_check_guest_state()
nested_vmx_enter_non_root_mode()
vmx_set_nested_state()
Being too lazy to check an even if there are no immediate issues with
that, should we just use 'unsigned long' everywhere?
--
Vitaly
next prev parent reply other threads:[~2020-04-24 11:44 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-04-23 0:11 [PATCH] KVM: nVMX: Store vmcs.EXIT_QUALIFICATION as an unsigned long, not u32 Sean Christopherson
2020-04-24 11:44 ` Vitaly Kuznetsov [this message]
2020-04-24 14:16 ` Sean Christopherson
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87wo65nm67.fsf@vitty.brq.redhat.com \
--to=vkuznets@redhat.com \
--cc=jmattson@google.com \
--cc=joro@8bytes.org \
--cc=kvm@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=pbonzini@redhat.com \
--cc=sean.j.christopherson@intel.com \
--cc=wanpengli@tencent.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.