queue-4.4/kvm-x86-fix-residual-mmio-emulation-request-to-userspace.patch

   1 From bbeac2830f4de270bb48141681cb730aadf8dce1 Mon Sep 17 00:00:00 2001
   2 From: Wanpeng Li <kernellwp@gmail.com>
   3 Date: Wed, 9 Aug 2017 22:33:12 -0700
   4 Subject: KVM: X86: Fix residual mmio emulation request to userspace
   5 MIME-Version: 1.0
   6 Content-Type: text/plain; charset=UTF-8
   7 Content-Transfer-Encoding: 8bit
   8
   9 From: Wanpeng Li <kernellwp@gmail.com>
  10
  11 commit bbeac2830f4de270bb48141681cb730aadf8dce1 upstream.
  12
  13 Reported by syzkaller:
  14
  15 The kvm-intel.unrestricted_guest=0
  16
  17    WARNING: CPU: 5 PID: 1014 at /home/kernel/data/kvm/arch/x86/kvm//x86.c:7227 kvm_arch_vcpu_ioctl_run+0x38b/0x1be0 [kvm]
  18    CPU: 5 PID: 1014 Comm: warn_test Tainted: G        W  OE   4.13.0-rc3+ #8
  19    RIP: 0010:kvm_arch_vcpu_ioctl_run+0x38b/0x1be0 [kvm]
  20    Call Trace:
  21     ? put_pid+0x3a/0x50
  22     ? rcu_read_lock_sched_held+0x79/0x80
  23     ? kmem_cache_free+0x2f2/0x350
  24     kvm_vcpu_ioctl+0x340/0x700 [kvm]
  25     ? kvm_vcpu_ioctl+0x340/0x700 [kvm]
  26     ? __fget+0xfc/0x210
  27     do_vfs_ioctl+0xa4/0x6a0
  28     ? __fget+0x11d/0x210
  29     SyS_ioctl+0x79/0x90
  30     entry_SYSCALL_64_fastpath+0x23/0xc2
  31     ? __this_cpu_preempt_check+0x13/0x20
  32
  33 The syszkaller folks reported a residual mmio emulation request to userspace
  34 due to vm86 fails to emulate inject real mode interrupt(fails to read CS) and
  35 incurs a triple fault. The vCPU returns to userspace with vcpu->mmio_needed == true
  36 and KVM_EXIT_SHUTDOWN exit reason. However, the syszkaller testcase constructs
  37 several threads to launch the same vCPU, the thread which lauch this vCPU after
  38 the thread whichs get the vcpu->mmio_needed == true and KVM_EXIT_SHUTDOWN will
  39 trigger the warning.
  40
  41    #define _GNU_SOURCE
  42    #include <pthread.h>
  43    #include <stdio.h>
  44    #include <stdlib.h>
  45    #include <string.h>
  46    #include <sys/wait.h>
  47    #include <sys/types.h>
  48    #include <sys/stat.h>
  49    #include <sys/mman.h>
  50    #include <fcntl.h>
  51    #include <unistd.h>
  52    #include <linux/kvm.h>
  53    #include <stdio.h>
  54
  55    int kvmcpu;
  56    struct kvm_run *run;
  57
  58    void* thr(void* arg)
  59    {
  60      int res;
  61      res = ioctl(kvmcpu, KVM_RUN, 0);
  62      printf("ret1=%d exit_reason=%d suberror=%d\n",
  63          res, run->exit_reason, run->internal.suberror);
  64      return 0;
  65    }
  66
  67    void test()
  68    {
  69      int i, kvm, kvmvm;
  70      pthread_t th[4];
  71
  72      kvm = open("/dev/kvm", O_RDWR);
  73      kvmvm = ioctl(kvm, KVM_CREATE_VM, 0);
  74      kvmcpu = ioctl(kvmvm, KVM_CREATE_VCPU, 0);
  75      run = (struct kvm_run*)mmap(0, 4096, PROT_READ|PROT_WRITE, MAP_SHARED, kvmcpu, 0);
  76      srand(getpid());
  77      for (i = 0; i < 4; i++) {
  78        pthread_create(&th[i], 0, thr, 0);
  79        usleep(rand() % 10000);
  80      }
  81      for (i = 0; i < 4; i++)
  82        pthread_join(th[i], 0);
  83    }
  84
  85    int main()
  86    {
  87      for (;;) {
  88        int pid = fork();
  89        if (pid < 0)
  90          exit(1);
  91        if (pid == 0) {
  92          test();
  93          exit(0);
  94        }
  95        int status;
  96        while (waitpid(pid, &status, __WALL) != pid) {}
  97      }
  98      return 0;
  99    }
 100
 101 This patch fixes it by resetting the vcpu->mmio_needed once we receive
 102 the triple fault to avoid the residue.
 103
 104 Reported-by: Dmitry Vyukov <dvyukov@google.com>
 105 Tested-by: Dmitry Vyukov <dvyukov@google.com>
 106 Cc: Paolo Bonzini <pbonzini@redhat.com>
 107 Cc: Radim Krčmář <rkrcmar@redhat.com>
 108 Cc: Dmitry Vyukov <dvyukov@google.com>
 109 Signed-off-by: Wanpeng Li <wanpeng.li@hotmail.com>
 110 Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
 111 Cc: Zubin Mithra <zsm@chromium.org>
 112 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 113
 114 ---
 115  arch/x86/kvm/vmx.c |    1 +
 116  arch/x86/kvm/x86.c |    1 +
 117  2 files changed, 2 insertions(+)
 118
 119 --- a/arch/x86/kvm/vmx.c
 120 +++ b/arch/x86/kvm/vmx.c
 121 @@ -5574,6 +5574,7 @@ static int handle_external_interrupt(str
 122  static int handle_triple_fault(struct kvm_vcpu *vcpu)
 123  {
 124         vcpu->run->exit_reason = KVM_EXIT_SHUTDOWN;
 125 +       vcpu->mmio_needed = 0;
 126         return 0;
 127  }
 128
 129 --- a/arch/x86/kvm/x86.c
 130 +++ b/arch/x86/kvm/x86.c
 131 @@ -6478,6 +6478,7 @@ static int vcpu_enter_guest(struct kvm_v
 132                 }
 133                 if (kvm_check_request(KVM_REQ_TRIPLE_FAULT, vcpu)) {
 134                         vcpu->run->exit_reason = KVM_EXIT_SHUTDOWN;
 135 +                       vcpu->mmio_needed = 0;
 136                         r = 0;
 137                         goto out;
 138                 }