Patch "KVM: X86: Fix SMRAM accessing even if VM is shutdown" has been added to the 4.14-stable tree

Patch "KVM: X86: Fix SMRAM accessing even if VM is shutdown" has been added to the 4.14-stable tree

[gregkh]

This is a note to let you know that I've just added the patch titled

    KVM: X86: Fix SMRAM accessing even if VM is shutdown

to the 4.14-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     kvm-x86-fix-smram-accessing-even-if-vm-is-shutdown.patch
and it can be found in the queue-4.14 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@vger.kernel.org> know about it.


>From 95e057e25892eaa48cad1e2d637b80d0f1a4fac5 Mon Sep 17 00:00:00 2001
From: Wanpeng Li <wanpengli@tencent.com>
Date: Thu, 8 Feb 2018 15:32:45 +0800
Subject: KVM: X86: Fix SMRAM accessing even if VM is shutdown
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

From: Wanpeng Li <wanpengli@tencent.com>

commit 95e057e25892eaa48cad1e2d637b80d0f1a4fac5 upstream.

Reported by syzkaller:

   WARNING: CPU: 6 PID: 2434 at arch/x86/kvm/vmx.c:6660 handle_ept_misconfig+0x54/0x1e0 [kvm_intel]
   CPU: 6 PID: 2434 Comm: repro_test Not tainted 4.15.0+ #4
   RIP: 0010:handle_ept_misconfig+0x54/0x1e0 [kvm_intel]
   Call Trace:
    vmx_handle_exit+0xbd/0xe20 [kvm_intel]
    kvm_arch_vcpu_ioctl_run+0xdaf/0x1d50 [kvm]
    kvm_vcpu_ioctl+0x3e9/0x720 [kvm]
    do_vfs_ioctl+0xa4/0x6a0
    SyS_ioctl+0x79/0x90
    entry_SYSCALL_64_fastpath+0x25/0x9c

The testcase creates a first thread to issue KVM_SMI ioctl, and then creates
a second thread to mmap and operate on the same vCPU.  This triggers a race
condition when running the testcase with multiple threads. Sometimes one thread
exits with a triple fault while another thread mmaps and operates on the same
vCPU.  Because CS=0x3000/IP=0x8000 is not mapped, accessing the SMI handler
results in an EPT misconfig. This patch fixes it by returning RET_PF_EMULATE
in kvm_handle_bad_page(), which will go on to cause an emulation failure and an
exit with KVM_EXIT_INTERNAL_ERROR.

Reported-by: syzbot+c1d9517cab094dae65e446c0c5b4de6c40f4dc58@syzkaller.appspotmail.com
Cc: Paolo Bonzini <pbonzini@redhat.com>
Cc: Radim Krčmář <rkrcmar@redhat.com>
Cc: stable@vger.kernel.org
Signed-off-by: Wanpeng Li <wanpengli@tencent.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/x86/kvm/mmu.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/x86/kvm/mmu.c
+++ b/arch/x86/kvm/mmu.c
@@ -3004,7 +3004,7 @@ static int kvm_handle_bad_page(struct kv
 		return 0;
 	}
 
-	return -EFAULT;
+	return RET_PF_EMULATE;
 }
 
 static void transparent_hugepage_adjust(struct kvm_vcpu *vcpu,


Patches currently in stable-queue which might be from wanpengli@tencent.com are

queue-4.14/kvm-x86-fix-smram-accessing-even-if-vm-is-shutdown.patch

Re: Patch "KVM: X86: Fix SMRAM accessing even if VM is shutdown" has been added to the 4.14-stable tree

[Thomas Backlund]

Den 07-03-2018 kl. 05:54, skrev gregkh@linuxfoundation.org:
> 
> This is a note to let you know that I've just added the patch titled
> 
>      KVM: X86: Fix SMRAM accessing even if VM is shutdown
> 


This one breaks build on 4.14 (and earlier I presume) as RET_PF_EMULATE 
was introduced in v4.15-rc1~79^2~8.

To fix the build on 4.14 you would need:

 From 9b8ebbdb74b5ad76b9dfd8b101af17839174b126 Mon Sep 17 00:00:00 2001
From: Paolo Bonzini <pbonzini@redhat.com>
Date: Thu, 17 Aug 2017 15:03:32 +0200
Subject: [PATCH] KVM: x86: extend usage of RET_MMIO_PF_* constants


I haven't tested it on older kernels...

--
Thomas


> to the 4.14-stable tree which can be found at:
>      http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
> 
> The filename of the patch is:
>       kvm-x86-fix-smram-accessing-even-if-vm-is-shutdown.patch
> and it can be found in the queue-4.14 subdirectory.
> 
> If you, or anyone else, feels it should not be added to the stable tree,
> please let <stable@vger.kernel.org> know about it.
> 
> 
>  From 95e057e25892eaa48cad1e2d637b80d0f1a4fac5 Mon Sep 17 00:00:00 2001
> From: Wanpeng Li <wanpengli@tencent.com>
> Date: Thu, 8 Feb 2018 15:32:45 +0800
> Subject: KVM: X86: Fix SMRAM accessing even if VM is shutdown
> MIME-Version: 1.0
> Content-Type: text/plain; charset=UTF-8
> Content-Transfer-Encoding: 8bit
> 
> From: Wanpeng Li <wanpengli@tencent.com>
> 
> commit 95e057e25892eaa48cad1e2d637b80d0f1a4fac5 upstream.
> 
> Reported by syzkaller:
> 
>     WARNING: CPU: 6 PID: 2434 at arch/x86/kvm/vmx.c:6660 handle_ept_misconfig+0x54/0x1e0 [kvm_intel]
>     CPU: 6 PID: 2434 Comm: repro_test Not tainted 4.15.0+ #4
>     RIP: 0010:handle_ept_misconfig+0x54/0x1e0 [kvm_intel]
>     Call Trace:
>      vmx_handle_exit+0xbd/0xe20 [kvm_intel]
>      kvm_arch_vcpu_ioctl_run+0xdaf/0x1d50 [kvm]
>      kvm_vcpu_ioctl+0x3e9/0x720 [kvm]
>      do_vfs_ioctl+0xa4/0x6a0
>      SyS_ioctl+0x79/0x90
>      entry_SYSCALL_64_fastpath+0x25/0x9c
> 
> The testcase creates a first thread to issue KVM_SMI ioctl, and then creates
> a second thread to mmap and operate on the same vCPU.  This triggers a race
> condition when running the testcase with multiple threads. Sometimes one thread
> exits with a triple fault while another thread mmaps and operates on the same
> vCPU.  Because CS=0x3000/IP=0x8000 is not mapped, accessing the SMI handler
> results in an EPT misconfig. This patch fixes it by returning RET_PF_EMULATE
> in kvm_handle_bad_page(), which will go on to cause an emulation failure and an
> exit with KVM_EXIT_INTERNAL_ERROR.
> 
> Reported-by: syzbot+c1d9517cab094dae65e446c0c5b4de6c40f4dc58@syzkaller.appspotmail.com
> Cc: Paolo Bonzini <pbonzini@redhat.com>
> Cc: Radim Krčmář <rkrcmar@redhat.com>
> Cc: stable@vger.kernel.org
> Signed-off-by: Wanpeng Li <wanpengli@tencent.com>
> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> 
> ---
>   arch/x86/kvm/mmu.c |    2 +-
>   1 file changed, 1 insertion(+), 1 deletion(-)
> 
> --- a/arch/x86/kvm/mmu.c
> +++ b/arch/x86/kvm/mmu.c
> @@ -3004,7 +3004,7 @@ static int kvm_handle_bad_page(struct kv
>   		return 0;
>   	}
>   
> -	return -EFAULT;
> +	return RET_PF_EMULATE;
>   }
>   
>   static void transparent_hugepage_adjust(struct kvm_vcpu *vcpu,
> 
> 
> Patches currently in stable-queue which might be from wanpengli@tencent.com are
> 
> queue-4.14/kvm-x86-fix-smram-accessing-even-if-vm-is-shutdown.patch
> 

Re: Patch "KVM: X86: Fix SMRAM accessing even if VM is shutdown" has been added to the 4.14-stable tree

[Greg KH]

On Wed, Mar 07, 2018 at 01:48:52PM +0200, Thomas Backlund wrote:
> Den 07-03-2018 kl. 05:54, skrev gregkh@linuxfoundation.org:
> > 
> > This is a note to let you know that I've just added the patch titled
> > 
> >      KVM: X86: Fix SMRAM accessing even if VM is shutdown
> > 
> 
> 
> This one breaks build on 4.14 (and earlier I presume) as RET_PF_EMULATE was
> introduced in v4.15-rc1~79^2~8.

Yeah, I just found that out :(

> To fix the build on 4.14 you would need:
> 
> From 9b8ebbdb74b5ad76b9dfd8b101af17839174b126 Mon Sep 17 00:00:00 2001
> From: Paolo Bonzini <pbonzini@redhat.com>
> Date: Thu, 17 Aug 2017 15:03:32 +0200
> Subject: [PATCH] KVM: x86: extend usage of RET_MMIO_PF_* constants
> 
> 
> I haven't tested it on older kernels...

It doesn't apply on older kernels, so I'm having to drop the original
patch here from 4.4.y and 4.9.y.  If someone wants them there, please
provide working backports :)

thanks,

greg k-h

Re: Patch "KVM: X86: Fix SMRAM accessing even if VM is shutdown" has been added to the 4.14-stable tree

[Paolo Bonzini]

On 07/03/2018 16:02, Greg KH wrote:
> On Wed, Mar 07, 2018 at 01:48:52PM +0200, Thomas Backlund wrote:
>> Den 07-03-2018 kl. 05:54, skrev gregkh@linuxfoundation.org:
>>>
>>> This is a note to let you know that I've just added the patch titled
>>>
>>>      KVM: X86: Fix SMRAM accessing even if VM is shutdown
>>>
>>
>>
>> This one breaks build on 4.14 (and earlier I presume) as RET_PF_EMULATE was
>> introduced in v4.15-rc1~79^2~8.
> 
> Yeah, I just found that out :(
> 
>> To fix the build on 4.14 you would need:
>>
>> From 9b8ebbdb74b5ad76b9dfd8b101af17839174b126 Mon Sep 17 00:00:00 2001
>> From: Paolo Bonzini <pbonzini@redhat.com>
>> Date: Thu, 17 Aug 2017 15:03:32 +0200
>> Subject: [PATCH] KVM: x86: extend usage of RET_MMIO_PF_* constants
>>
>>
>> I haven't tested it on older kernels...
> 
> It doesn't apply on older kernels, so I'm having to drop the original
> patch here from 4.4.y and 4.9.y.  If someone wants them there, please
> provide working backports :)

Will do!

Paolo