From: bugzilla-daemon@bugzilla.kernel.org
To: kvm@vger.kernel.org
Subject: [Bug 204401] New: After a VMexit, the guest is re-entring with a wrong vcpu PC address which is causing the guest to crash.
Date: Thu, 01 Aug 2019 12:04:38 +0000	[thread overview]
Message-ID: <bug-204401-28872@https.bugzilla.kernel.org/> (raw)

https://bugzilla.kernel.org/show_bug.cgi?id=204401

            Bug ID: 204401
           Summary: After a VMexit, the guest is re-entering with a wrong
                    vcpu PC address which is causing the guest to crash.
           Product: Virtualization
           Version: unspecified
    Kernel Version: 4.19.26
          Hardware: ARM
                OS: Linux
              Tree: Mainline
            Status: NEW
          Severity: normal
          Priority: P1
         Component: kvm
          Assignee: virtualization_kvm@kernel-bugs.osdl.org
          Reporter: denis_roux_@hotmail.com
        Regression: No

Created attachment 284069
  --> https://bugzilla.kernel.org/attachment.cgi?id=284069&action=edit
Fix applied to linux

guest crash:

ESF PC                 : 0x7004b528 ( (0x7004b4a4) + 0x84)
Exception Vec          : 1 (Undefined Instruction)
CPSR                   : 0x20000093
PE Mode             : Supervisor
Instruction         : A32
FIQ                 : Not Masked
IRQ                 : Masked
Async data abort    : Not Masked
Endianness          : little-endian
GE flag             : 0x0
Status flags        : nzCvq
SCTLR                  : 0x20C5183D
MMU                : Enabled
Alignment Check    : Disabled
Cache              : Enabled
CP15 barrier op    : Enabled
IT instr           : Enabled
SETEND instr       : Enabled
Instr cache        : Enabled
Vector address     : In VBAR
PL0 WFI            : Enabled
PL0 WFE            : Enabled
Exec at writable   : Allowed
Exec at unprivileged write: Allowed
Exec endianness    : Little-endian
TEX Remap          : Disabled
Access flag        : Enabled
Exception exc state: A32
TTBR0                  : 0x0000000072C56000
TTBR1                  : 0x0000000000000000
TCB PC                 : 0x7004b528 ( (0x7004b4a4) + 0x84)
TCB LR                 : 0x703f482c ( (0x703f26b4) + 0x2178)
TCB Registers          : r0 = 00000080 r1 = 00000086 r2 = 00000100 r3 = 89DA3500
                       : r4 = 70C085A0 r5 = 703F473C r6 = 001E83D7 r7 = 00000000
                       : r8 = 0F13B46A r9 = 00000000 r10= 703B8484 fp = 7260FCC4
                       : ip = 12200000 sp = 7260FCA0 lr = 703F482C pc = 7004B528


Guest assembly being executed leading to the crash:

0x7004b508 <+0x0064>: bc 00 c3 e1    strh   r0, [r3, #12]                              /* will cause a MMIO VMexit */
0x7004b50c <+0x0068>: 04 30 94 e5    ldr    r3, [r4, #4]
0x7004b510 <+0x006c>: bc 10 c3 e1    strh   r1, [r3, #12]                              /* will cause a MMIO VMexit */
0x7004b514 <+0x0070>: 04 30 94 e5    ldr    r3, [r4, #4]
0x7004b518 <+0x0074>: bc 20 c3 e1    strh   r2, [r3, #12]                              /* will cause a MMIO VMexit */
0x7004b51c <+0x0078>: f0 ab 9d e8    ldm    sp, {r4, r5, r6, r7, r8, r9, r11, sp, pc}  /* function return */
0x7004b520 <+0x007c>: 88 c7 03 70    andvc  r12, r3, r8, lsl #15                       /* Compiler generated data */
0x7004b524 <+0x0080>: 90 c8 03 70    mulvc  r3, r0, r8                                 /* Compiler generated data */
0x7004b528 <+0x0084>: 3c 47 3f 70    eorsvc r4, pc, r12, lsr r7    ; <UNPREDICTABLE>   /* Compiler generated data */


Observed scenario on KVM:

    VM exit occurred at vcpu PC 0x7004b518 (exit reason KVM_EXIT_MMIO)
    kvm_arch_vcpu_ioctl_run re-entered
    kvm_handle_mmio_return is executed to emulate the instruction at vcpu PC 0x7004b518. This is done successfully and vcpu PC is updated to 0x7004b51c.
    run->immediate_exit is checked and found to be set. It returns.
    kvm_arch_vcpu_ioctl_run re-entered
    kvm_handle_mmio_return is executed to emulate the instruction at vcpu PC 0x7004b518. This is done successfully and vcpu PC is updated to 0x7004b520.
    run->immediate_exit is checked but is not set.
    VM enter occurs with a corrupted vcpu PC which leads to the crash.

System information:
cpu model: ARMv7 Processor rev 4 (v7l)
Linux: 4.19.26
host kernel arch: arm
guest arch: arm
qemu cmd: qemu-system-arm -nographic -M virt -enable-kvm -cpu host ...

I have attached the patch that I have used to fix this issue.

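The double completion described in the report, as an added model written for this page. It is not the kernel's code and not the reporter's attached patch: `struct vcpu`, `struct run`, `handle_mmio_return` and `vcpu_ioctl_run` are simplified stand-ins for the KVM structures and functions named above, and the remedy modelled here (consume the pending-MMIO state exactly once, so a second KVM_RUN after an immediate_exit return cannot skip the instruction again) is an assumption about what a fix must achieve, not a reproduction of the attached patch. The guest addresses are the ones from the listing in the report.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Guest addresses taken from the disassembly in the bug report. */
#define PC_STRH_R2   0x7004b518u  /* strh r2,[r3,#12]: the store that takes the MMIO exit */
#define PC_LDM_RET   0x7004b51cu  /* ldm sp,{...,pc}: the function return, correct resume point */
#define PC_LITERALS  0x7004b520u  /* compiler-generated data, not code */
#define INSN_LEN     4u           /* A32 instruction length */

/* Hypothetical stand-ins for struct kvm_vcpu / struct kvm_run (not the kernel's). */
struct vcpu { uint32_t pc; bool mmio_needed; };
struct run  { bool mmio_exit_pending; bool immediate_exit; };

/* Model of the MMIO-completion path (kvm_handle_mmio_return in the report).
 * With guard_once, the pending flag is consumed on the first call, so a
 * second call with the same exit reason does not advance PC a second time. */
static void handle_mmio_return(struct vcpu *v, bool guard_once)
{
    if (guard_once && !v->mmio_needed)
        return;                 /* completion already done: nothing to skip */
    v->pc += INSN_LEN;          /* step past the emulated store */
    v->mmio_needed = false;
}

/* Model of kvm_arch_vcpu_ioctl_run. Returns true when the guest would be
 * entered, false when control goes back to userspace (immediate_exit). */
static bool vcpu_ioctl_run(struct vcpu *v, struct run *r, bool guard_once)
{
    if (r->mmio_exit_pending)           /* exit_reason still says MMIO */
        handle_mmio_return(v, guard_once);
    if (r->immediate_exit)
        return false;
    return true;                        /* VM enter at v->pc */
}

/* Replays the observed scenario and returns the PC the guest resumes at:
 * exit at the strh, KVM_RUN with immediate_exit set, then KVM_RUN again. */
static uint32_t replay_scenario(bool guard_once)
{
    struct vcpu v = { .pc = PC_STRH_R2, .mmio_needed = true };
    struct run  r = { .mmio_exit_pending = true, .immediate_exit = true };

    vcpu_ioctl_run(&v, &r, guard_once); /* 1st run: completes MMIO, returns early */
    r.immediate_exit = false;
    vcpu_ioctl_run(&v, &r, guard_once); /* 2nd run: exit reason unchanged, enters guest */
    return v.pc;
}

/* Maps a resume PC onto the listing so the outcome is readable. */
static const char *describe(uint32_t pc)
{
    switch (pc) {
    case PC_LDM_RET:  return "ldm (function return): correct";
    case PC_LITERALS: return "compiler-generated data: guest executes garbage";
    default:          return "not in the listing";
    }
}

int main(void)
{
    uint32_t bad  = replay_scenario(false);
    uint32_t good = replay_scenario(true);
    printf("without guard: resume at 0x%08x  %s\n", bad,  describe(bad));
    printf("with guard:    resume at 0x%08x  %s\n", good, describe(good));
    return 0;
}
```

Without the guard the model resumes at 0x7004b520, exactly the corrupted PC in the scenario; with it the vcpu resumes at the ldm at 0x7004b51c. The same replay is a useful regression check for any KVM_RUN path that completes a prior exit before looking at immediate_exit.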