From: Paolo Bonzini
Subject: Re: [PATCH] KVM: VMX: fix vmwrite to invalid VMCS
Date: Tue, 7 Jul 2015 15:55:36 +0200
Message-ID: <559BDA58.203@redhat.com>
References: <1435931368-27730-1-git-send-email-rkrcmar@redhat.com> <5596A679.1050202@redhat.com> <20150707135012.GA26862@potion.brq.redhat.com>
In-Reply-To: <20150707135012.GA26862@potion.brq.redhat.com>
To: Radim Krčmář
Cc: linux-kernel@vger.kernel.org, kvm@vger.kernel.org, stable@vger.kernel.org, Yang Zhang, Liang Li
Sender: stable-owner@vger.kernel.org
List-Id: kvm.vger.kernel.org

On 07/07/2015 15:50, Radim Krčmář wrote:
>> Andrey reported offlist that the bug went away by reverting 1cde293. So
>> the patch would at least need a new commit message. :)
> 
> I think it's a different bug than the one Andrey reproduced
> (https://bugzilla.kernel.org/show_bug.cgi?id=100671).
> I'll send a v2 that cleans up the code and makes the commit message
> clearer, unless you find the reasoning below unsound.

Yes, the patch is okay.  The problem is that kvm_arch_vcpu_create is
called from a VM ioctl and thus is not between vcpu_load and vcpu_put.

Thanks, I applied it.

Paolo

> This bug is specific to 'kvm_arch_vcpu_create()' and Vlastimil Holer hit
> it on a RHEL 7.2 (278.el7) kernel that didn't have 1cde2930e154
> ("sched/preempt: Add static_key() to preempt_notifiers").
> 
> The commit message is not based on tracing (I haven't reproduced it),
> but I couldn't make sense out of this bug otherwise.
> I think it happens just because another VCPU preempted the new one between
> vmx_vcpu_put()+put_cpu() and the end of kvm_x86_ops->fpu_activate(), so
> vmwrite accessed a different VMCS.
> The code in kvm_vm_ioctl_create_vcpu() that made me think so:
> 
>   vcpu = kvm_arch_vcpu_create(id) {
>     vcpu = kvm_x86_ops->vcpu_create(kvm, id) {
>       vmx = kmem_cache_zalloc(kvm_vcpu_cache, GFP_KERNEL);
>       kvm_vcpu_init(&vmx->vcpu, kvm, id);
>       vmx->loaded_vmcs = &vmx->vmcs01;
>       vmx->loaded_vmcs->vmcs = alloc_vmcs();
>       loaded_vmcs_init(vmx->loaded_vmcs);
> 
>       // disabling preemption and activating VMCS
>       cpu = get_cpu();
>       vmx_vcpu_load(&vmx->vcpu, cpu);
> 
>       vmx_vcpu_setup(vmx);
> 
>       // abandoning VMCS and enabling preemption
>       vmx_vcpu_put(&vmx->vcpu);
>       put_cpu();
> 
>       return &vmx->vcpu;
>     }
> 
>     // enabled preemption and undefined current VMCS
>     kvm_x86_ops->fpu_activate(vcpu);
>     return vcpu;
>   }
> 
>   preempt_notifier_init(&vcpu->preempt_notifier, &kvm_preempt_ops);
>   kvm_arch_vcpu_setup(vcpu) {
>     vcpu_load(vcpu);
>     ...
>   }
> 
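The race Radim describes, as an added user-space model (not code from the thread, from the patch, or from KVM): a vmwrite targets whatever VMCS is current on the CPU, so a write issued after vmx_vcpu_put()/put_cpu() lands in another vCPU's VMCS if that vCPU's thread ran in between. All names (struct vmcs, struct vmx_vcpu, run_model, FPU_ACTIVE_MASK) are hypothetical stand-ins; the model places the preemption at put_cpu(), the earliest point of the window, and the "fixed" ordering only illustrates the property Paolo states (the write must sit between vcpu_load and vcpu_put), not the applied patch, which this page does not show.

```c
/*
 * Added example, not code from the thread or from KVM: a user-space model of
 * a vmwrite issued after vmx_vcpu_put()/put_cpu() with preemption enabled.
 * Every name here is a hypothetical stand-in for the kernel one.
 */
#include <stdbool.h>
#include <stdio.h>

/* One field stands in for whatever fpu_activate() writes via vmwrite. */
struct vmcs { unsigned long cr0_guest_host_mask; };
struct vmx_vcpu { struct vmcs vmcs01; };

#define FPU_ACTIVE_MASK 0x10UL   /* constructed value; only its presence matters */

/* Single modelled CPU: the VMCS that is current on it and its preempt count. */
static struct vmcs *current_vmcs;
static int preempt_count;

/* Another vCPU thread that wants this CPU; it runs (and loads its own VMCS)
 * at the first point where preemption is enabled. */
static struct vmx_vcpu *waiting_vcpu;

static void vmx_vcpu_load(struct vmx_vcpu *v)
{
	current_vmcs = &v->vmcs01;          /* vmptrld: this VMCS becomes current */
}

static void vmx_vcpu_put(struct vmx_vcpu *v)
{
	(void)v;                            /* no vmclear: the VMCS stays current */
}

/* vmwrite targets whatever VMCS is current, not a specific vCPU. */
static void vmwrite(unsigned long val)
{
	current_vmcs->cr0_guest_host_mask = val;
}

/* Scheduler stand-in: with preemption enabled, the waiting thread runs. */
static void maybe_preempt(void)
{
	if (preempt_count == 0 && waiting_vcpu) {
		vmx_vcpu_load(waiting_vcpu); /* the other thread's vcpu_load() */
		waiting_vcpu = NULL;
	}
}

static void get_cpu(void) { preempt_count++; }
static void put_cpu(void) { preempt_count--; maybe_preempt(); }

/* Stand-in for kvm_x86_ops->fpu_activate(): it only issues a vmwrite and
 * trusts the caller to have the right VMCS loaded. */
static void fpu_activate(struct vmx_vcpu *v)
{
	(void)v;
	vmwrite(FPU_ACTIVE_MASK);
}

struct model_result { unsigned long own_mask, other_mask; };

/*
 * Run the creation path for "own" while "other" is waiting for the CPU.
 * fixed == false follows the order quoted in the thread (fpu_activate after
 * put_cpu); fixed == true issues the write while the VMCS is still loaded.
 */
struct model_result run_model(bool fixed)
{
	struct vmx_vcpu own = {{0}}, other = {{0}};
	struct model_result r;

	current_vmcs = NULL;
	preempt_count = 0;
	waiting_vcpu = &other;

	get_cpu();
	vmx_vcpu_load(&own);
	/* vmx_vcpu_setup() would go here */
	if (fixed)
		fpu_activate(&own);         /* between vcpu_load and vcpu_put */
	vmx_vcpu_put(&own);
	put_cpu();                          /* preemption point: "other" runs */
	if (!fixed)
		fpu_activate(&own);         /* current VMCS is now "other"'s */

	r.own_mask = own.vmcs01.cr0_guest_host_mask;
	r.other_mask = other.vmcs01.cr0_guest_host_mask;
	return r;
}

int main(void)
{
	struct model_result buggy = run_model(false), fixed = run_model(true);

	printf("buggy: own=%#lx other=%#lx\n", buggy.own_mask, buggy.other_mask);
	printf("fixed: own=%#lx other=%#lx\n", fixed.own_mask, fixed.other_mask);
	return 0;
}
```

In the buggy ordering the new vCPU's VMCS is left untouched and the other vCPU's VMCS silently takes the write; the only thing that distinguishes the two orderings is whether the vmwrite happens while preemption is disabled and the intended VMCS is the current one.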