From: Radim Krčmář
Subject: Re: [PATCH] KVM: x86: fix fixing of hypercalls
Date: Fri, 20 Jan 2017 18:26:23 +0100
Message-ID: <20170120172623.GB6291@potion>
References: <20170117135104.145739-1-dvyukov@google.com>
In-Reply-To: <20170117135104.145739-1-dvyukov@google.com>
To: Dmitry Vyukov
Cc: pbonzini@redhat.com, Wanpeng Li, kvm@vger.kernel.org, syzkaller@googlegroups.com

2017-01-17 14:51+0100, Dmitry Vyukov:
> emulator_fix_hypercall() replaces hypercall with vmcall instruction,
> but it does not handle GP exception properly when it writes the new instruction.
> It can return X86EMUL_PROPAGATE_FAULT without setting exception information.
> This leads to incorrect emulation and triggers
> WARN_ON(ctxt->exception.vector > 0x1f) in x86_emulate_insn()
> as discovered by syzkaller fuzzer:
>
> WARNING: CPU: 2 PID: 18646 at arch/x86/kvm/emulate.c:5558
> Call Trace:
>  warn_slowpath_null+0x2c/0x40 kernel/panic.c:582
>  x86_emulate_insn+0x16a5/0x4090 arch/x86/kvm/emulate.c:5572
>  x86_emulate_instruction+0x403/0x1cc0 arch/x86/kvm/x86.c:5618
>  emulate_instruction arch/x86/include/asm/kvm_host.h:1127 [inline]
>  handle_exception+0x594/0xfd0 arch/x86/kvm/vmx.c:5762
>  vmx_handle_exit+0x2b7/0x38b0 arch/x86/kvm/vmx.c:8625
>  vcpu_enter_guest arch/x86/kvm/x86.c:6888 [inline]
>  vcpu_run arch/x86/kvm/x86.c:6947 [inline]
>
> Set exception information when the write in emulator_fix_hypercall() fails.
>
> Signed-off-by: Dmitry Vyukov
> Cc: Paolo Bonzini
> Cc: Radim Krčmář
> Cc: Wanpeng Li
> Cc: kvm@vger.kernel.org
> Cc: syzkaller@googlegroups.com
> ---

Applied to kvm/master, thanks.
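The failure mode described in the patch, as a constructed C model added here (not KVM's code and not the patch itself): the return code X86EMUL_PROPAGATE_FAULT must always be accompanied by a recorded exception vector, because the injection path only trusts vectors up to 0x1f. The bug is modelled as the caller discarding the fault details on the write path; the exact shape of the real defect is an assumption, since the diff is not on the page.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stddef.h>

/* Constructed stand-ins for the emulator return codes named in the report. */
#define X86EMUL_CONTINUE        0
#define X86EMUL_PROPAGATE_FAULT 1
#define GP_VECTOR               13   /* #GP, the fault the report mentions */
#define NO_VECTOR               0xff /* sentinel meaning "nothing recorded" (> 0x1f) */

struct x86_exception { uint8_t vector; bool error_code_valid; uint16_t error_code; };
struct emu_ctxt { struct x86_exception exception; bool write_faults; };

/* Modelled guest-memory write: raises #GP when the context says the page is not writable.
 * Like a real helper, it can only report the fault into a slot the caller hands it. */
static int write_guest(struct emu_ctxt *ctxt, struct x86_exception *exc)
{
    if (!ctxt->write_faults)
        return X86EMUL_CONTINUE;
    if (exc) {
        exc->vector = GP_VECTOR;
        exc->error_code_valid = true;
        exc->error_code = 0;
    }
    return X86EMUL_PROPAGATE_FAULT;
}

/* Buggy variant (assumed shape): the fault is propagated but its details are thrown away. */
static int fix_hypercall_buggy(struct emu_ctxt *ctxt)
{
    return write_guest(ctxt, NULL);
}

/* Fixed variant: the fault lands in the context slot the injection path reads. */
static int fix_hypercall_fixed(struct emu_ctxt *ctxt)
{
    return write_guest(ctxt, &ctxt->exception);
}

/* Mirrors the invariant behind WARN_ON(ctxt->exception.vector > 0x1f):
 * a propagated fault is only well formed if it names a real vector. */
static bool fault_is_well_formed(const struct emu_ctxt *ctxt, int rc)
{
    return rc != X86EMUL_PROPAGATE_FAULT || ctxt->exception.vector <= 0x1f;
}

/* Drives one variant through a faulting write and reports whether the invariant held. */
static bool run_faulting_write(int (*fn)(struct emu_ctxt *))
{
    struct emu_ctxt ctxt = { .exception = { .vector = NO_VECTOR }, .write_faults = true };
    return fault_is_well_formed(&ctxt, fn(&ctxt));
}
```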