From: Haozhong Zhang <haozhong.zhang@intel.com>
To: Wanpeng Li <kernellwp@gmail.com>
Cc: "linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
	kvm <kvm@vger.kernel.org>, "Wanpeng Li" <wanpeng.li@hotmail.com>,
	"Paolo Bonzini" <pbonzini@redhat.com>,
	"Radim Krčmář" <rkrcmar@redhat.com>,
	"Yunhong Jiang" <yunhong.jiang@intel.com>,
	"Jan Kiszka" <jan.kiszka@siemens.com>
Subject: Re: [PATCH v3 1/2] KVM: nVMX: Fix incorrect preemption timer vmexit in nested guest
Date: Thu, 7 Jul 2016 15:02:04 +0800
Message-ID: <20160707070204.gunjncvuggllu44c@hz-desktop>
In-Reply-To: <CANRm+CxSjjUbW8cgJbaAEMC=265Zpp9CKwmXZaZETEDmL6amzQ@mail.gmail.com>

On 07/07/16 14:56, Wanpeng Li wrote:
> 2016-07-07 14:48 GMT+08:00 Haozhong Zhang <haozhong.zhang@intel.com>:
> > On 07/07/16 11:46, Wanpeng Li wrote:
> >> From: Wanpeng Li <wanpeng.li@hotmail.com>
> >>
> >> BUG: unable to handle kernel NULL pointer dereference at           (null)
> >> IP: [<          (null)>]           (null)
> >> PGD 0
> >> Oops: 0010 [#1] SMP
> >> Call Trace:
> >>  ? kvm_lapic_expired_hv_timer+0x47/0x90 [kvm]
> >>  handle_preemption_timer+0xe/0x20 [kvm_intel]
> >>  vmx_handle_exit+0x169/0x15a0 [kvm_intel]
> >>  ? kvm_arch_vcpu_ioctl_run+0xd5d/0x19d0 [kvm]
> >>  kvm_arch_vcpu_ioctl_run+0xdee/0x19d0 [kvm]
> >>  ? kvm_arch_vcpu_ioctl_run+0xd5d/0x19d0 [kvm]
> >>  ? vcpu_load+0x1c/0x60 [kvm]
> >>  ? kvm_arch_vcpu_load+0x57/0x260 [kvm]
> >>  kvm_vcpu_ioctl+0x2d3/0x7c0 [kvm]
> >>  do_vfs_ioctl+0x96/0x6a0
> >>  ? __fget_light+0x2a/0x90
> >>  SyS_ioctl+0x79/0x90
> >>  do_syscall_64+0x68/0x180
> >>  entry_SYSCALL64_slow_path+0x25/0x25
> >> Code:  Bad RIP value.
> >> RIP  [<          (null)>]           (null)
> >>  RSP <ffff8800b5263c48>
> >> CR2: 0000000000000000
> >> ---[ end trace 9c70c48b1a2bc66e ]---
> >>
> >> This can be reproduced readily with the preemption timer enabled on L0 and disabled
> >> on L1.
> >>
> >> The preemption timer for nested VMX is emulated by an hrtimer which is started on L2
> >> entry, stopped on L2 exit and evaluated via the check_nested_events hook. However,
> >> nested_vmx_exit_handled always returns true for a preemption timer vmexit, so
> >> the L1 preemption timer vmexit is captured and treated as an L2 preemption
> >> timer vmexit, incurring a nested vmexit NULL pointer dereference.
> >>
> >> This patch fixes it by depending on check_nested_events to capture L2 preemption
> >> timer (emulated hrtimer) expiry and nested vmexit.
> >>
> >> Tested-by: Haozhong Zhang <haozhong.zhang@intel.com>
> >> Cc: Paolo Bonzini <pbonzini@redhat.com>
> >> Cc: Radim Krčmář <rkrcmar@redhat.com>
> >> Cc: Yunhong Jiang <yunhong.jiang@intel.com>
> >> Cc: Jan Kiszka <jan.kiszka@siemens.com>
> >> Cc: Haozhong Zhang <haozhong.zhang@intel.com>
> >> Signed-off-by: Wanpeng Li <wanpeng.li@hotmail.com>
> >> ---
> >> v2 -> v3:
> >>  * update patch subject
> >> v1 -> v2:
> >>  * fix typo in patch description
> >>
> >>  arch/x86/kvm/vmx.c | 2 ++
> >>  1 file changed, 2 insertions(+)
> >>
> >> diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
> >> index 85e2f0a..29c16a8 100644
> >> --- a/arch/x86/kvm/vmx.c
> >> +++ b/arch/x86/kvm/vmx.c
> >> @@ -8041,6 +8041,8 @@ static bool nested_vmx_exit_handled(struct kvm_vcpu *vcpu)
> >>               return nested_cpu_has2(vmcs12, SECONDARY_EXEC_XSAVES);
> >>       case EXIT_REASON_PCOMMIT:
> >>               return nested_cpu_has2(vmcs12, SECONDARY_EXEC_PCOMMIT);
> >> +     case EXIT_REASON_PREEMPTION_TIMER:
> >> +             return false;
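Review bot: the unconditional `return false;` for EXIT_REASON_PREEMPTION_TIMER means a preemption timer exit taken while L2 runs is never reflected to L1, even when vmcs12 has the timer control set, whereas the neighbouring cases consult vmcs12 via nested_cpu_has2(); that is only correct because L1's timer is emulated by the hrtimer and delivered through check_nested_events, and because prepare_vmcs02() never sets PIN_BASED_VMX_PREEMPTION_TIMER in vmcs02. Suggest a one-line comment at the case stating that dependency, e.g. `/* L1's timer is emulated via hrtimer/check_nested_events, never reflected */`, so the next reader of this switch does not "fix" it back to a vmcs12 lookup.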
> >
> > If patch 2 can avoid accidentally enabling preemption timer in vmcs02,
> > will this one still be needed?
> 
> After completing "L1 TSC deadline timer to trigger while L2 is running",
> L0's preemption timer firing while L2 is running can result in
> (is_guest_mode(vcpu) && nested_vmx_exit_handled(vcpu)) being true, right?
>

In prepare_vmcs02():

    exec_control &= ~PIN_BASED_VMX_PREEMPTION_TIMER;
    ...
    vmcs_write32(PIN_BASED_VM_EXEC_CONTROL, exec_control);

so the preemption timer will never be enabled while the L2 guest is running.

Haozhong
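To make the exchange above concrete, here is a constructed C model (added here; it is not kernel code and not from either participant) of the two decisions under discussion: prepare_vmcs02() masking PIN_BASED_VMX_PREEMPTION_TIMER out of vmcs02 regardless of what L1 put in vmcs12, and nested_vmx_exit_handled() deciding whether a preemption timer exit taken in guest mode is reflected to L1 or handled by L0, before and after the patch. `struct vcpu`, `dispatch`, `l2_running` and `nested_exit_handled` are simplifications invented for the model.

```c
#include <stdbool.h>
#include <stdint.h>

/* Constants mirror the kernel's vmx.h values; only their identity matters here. */
#define PIN_BASED_VMX_PREEMPTION_TIMER 0x00000040u
#define EXIT_REASON_PREEMPTION_TIMER   52u
enum exit_path { REFLECT_TO_L1, HANDLE_IN_L0 };

/* Hypothetical vcpu model: only the state the thread's argument depends on. */
struct vcpu {
    bool guest_mode;           /* is_guest_mode(): L2 is currently running */
    uint32_t vmcs02_pin_ctrl;  /* pin-based controls L0 actually runs L2 with */
};

/* Model of the prepare_vmcs02() lines quoted above: whatever L1 asked for in
 * vmcs12, the preemption timer bit is masked out of vmcs02. */
static uint32_t prepare_vmcs02_pin(uint32_t vmcs12_pin_ctrl, uint32_t l0_pin_ctrl)
{
    uint32_t exec_control = l0_pin_ctrl | vmcs12_pin_ctrl;
    exec_control &= ~PIN_BASED_VMX_PREEMPTION_TIMER;
    return exec_control;
}

/* Model of nested_vmx_exit_handled(): true means "reflect this exit to L1".
 * Unpatched, the reason falls through to the default and is reflected; patched,
 * L0 keeps the exit and L1's emulated timer is delivered by check_nested_events. */
static bool nested_exit_handled(uint32_t exit_reason, bool patched)
{
    switch (exit_reason) {
    case EXIT_REASON_PREEMPTION_TIMER:
        return !patched;
    default:
        return true;
    }
}

/* Model of the decision in vmx_handle_exit(): reflect to L1 or handle in L0. */
static enum exit_path dispatch(struct vcpu v, uint32_t exit_reason, bool patched)
{
    if (v.guest_mode && nested_exit_handled(exit_reason, patched))
        return REFLECT_TO_L1;
    return HANDLE_IN_L0;
}

/* vcpu with L2 running and vmcs02 derived the way prepare_vmcs02 would,
 * in the reproducer's configuration: L0 wants the timer, vmcs12 may or may not. */
static struct vcpu l2_running(uint32_t vmcs12_pin_ctrl)
{
    struct vcpu v = { true, prepare_vmcs02_pin(vmcs12_pin_ctrl, PIN_BASED_VMX_PREEMPTION_TIMER) };
    return v;
}
```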

Thread overview: 11+ messages
2016-07-07  3:46 [PATCH v3 1/2] KVM: nVMX: Fix incorrect preemption timer vmexit in nested guest Wanpeng Li
2016-07-07  3:46 ` [PATCH v3 2/2] KVM: nVMX: Fix preemption timer bit set in vmcs02 even if L1 doesn't enable it Wanpeng Li
2016-07-07  8:10   ` Paolo Bonzini
2016-07-07  8:31     ` Wanpeng Li
2016-07-07 10:33       ` Paolo Bonzini
2016-07-07 10:54         ` Wanpeng Li
2016-07-07  6:48 ` [PATCH v3 1/2] KVM: nVMX: Fix incorrect preemption timer vmexit in nested guest Haozhong Zhang
2016-07-07  6:56   ` Wanpeng Li
2016-07-07  7:02     ` Haozhong Zhang [this message]
2016-07-07  7:07       ` Wanpeng Li
2016-07-07  7:25         ` Haozhong Zhang
