KVM Archive on lore.kernel.org
* [Bug 203923] New: Running a nested freedos results in NULL pointer dereference in L0 (kvm_mmu_load)
From: bugzilla-daemon @ 2019-06-18 15:01 UTC
  To: kvm

https://bugzilla.kernel.org/show_bug.cgi?id=203923

            Bug ID: 203923
           Summary: Running a nested freedos results in NULL pointer
                    dereference in L0 (kvm_mmu_load)
           Product: Virtualization
           Version: unspecified
    Kernel Version: 5.1
          Hardware: All
                OS: Linux
              Tree: Mainline
            Status: NEW
          Severity: normal
          Priority: P1
         Component: kvm
          Assignee: virtualization_kvm@kernel-bugs.osdl.org
          Reporter: jpalecek@web.de
        Regression: No

Hello,

while I was playing around with kvm and trying nested virtual machines, I got an
OOPS on the hardware machine. I ran

$ qemu-system-i386 -enable-kvm -virtfs
local,path=.,security_model=none,mount_tag=hostfs -cpu host
/mnt/extras/src/qemu-image-autopkgtest2

and inside the machine, I ran a freedos install image residing in the current
directory (i.e. through the virtfs mount). The image is running a 5.2-rc4
kernel; note that when I run a 4.19 kernel as the L1 guest it seems to work. It
crashed very early, before the nested system prints anything to the screen. The
error on L0 was:


[  505.814203] BUG: unable to handle kernel NULL pointer dereference at
00000000
[  505.814208] #PF error: [WRITE]
[  505.814209] *pdpt = 0000000015f1f001 *pde = 0000000000000000 
[  505.814212] Oops: 0002 [#1] SMP NOPTI
[  505.814216] CPU: 1 PID: 2292 Comm: qemu-system-i38 Tainted: P           O   
  5.1.0-bughunt+ #2
[  505.814217] Hardware name: System manufacturer System Product Name/M4N68T-M,
BIOS 1301    07/05/2011
[  505.814234] EIP: kvm_mmu_load+0x292/0x4c0 [kvm]
[  505.814236] Code: 55 e8 e8 d1 f0 ff ff 8b 48 20 ff 40 28 8b 07 81 c1 00 00
00 40 c6 00 00 0f 1f 00 8b 87 68 02 00 00 0b 4d dc 8b 80 88 00 00 00 <89> 0c 30
c7 44 30 04 00 00 00 00 e9 6b ff ff ff 8d b6 00 00 00 00
[  505.814238] EAX: 00000000 EBX: 00000000 ECX: 1267a001 EDX: d30c7d6c
[  505.814239] ESI: 00000000 EDI: d2538000 EBP: d30c7dd0 ESP: d30c7d9c
[  505.814241] DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068 EFLAGS: 00210202
[  505.814242] CR0: 80050033 CR2: 00000000 CR3: 223e2e40 CR4: 000006f0
[  505.814243] Call Trace:
[  505.814256]  kvm_arch_vcpu_ioctl_run+0xc87/0x1910 [kvm]
[  505.814260]  ? _copy_to_user+0x21/0x30
[  505.814264]  ? tomoyo_path_number_perm+0x5f/0x200
[  505.814274]  kvm_vcpu_ioctl+0x214/0x580 [kvm]
[  505.814284]  ? __bpf_trace_kvm_async_pf_nopresent_ready+0x30/0x30 [kvm]
[  505.814287]  do_vfs_ioctl+0x91/0x6b0
[  505.814290]  ? __audit_syscall_entry+0xb8/0x100
[  505.814292]  ? syscall_trace_enter+0x1e1/0x240
[  505.814294]  ? tomoyo_file_ioctl+0x19/0x20
[  505.814296]  ? security_file_ioctl+0x2a/0x40
[  505.814298]  ksys_ioctl+0x60/0x90
[  505.814300]  sys_ioctl+0x16/0x20
[  505.814302]  do_fast_syscall_32+0x91/0x17c
[  505.814304]  entry_SYSENTER_32+0x6b/0xbe
[  505.814306] EIP: 0xb7f8b83d
[  505.814307] Code: 54 cd ff ff 8b 98 58 cd ff ff 85 d2 89 c8 74 02 89 0a 5b
5d c3 8b 04 24 c3 8b 14 24 c3 8b 3c 24 c3 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59
c3 90 90 90 90 8d 76 00 58 b8 77 00 00 00 cd 80 90 8d 76
[  505.814308] EAX: ffffffda EBX: 0000000e ECX: 0000ae80 EDX: 00000000
[  505.814309] ESI: 0224ead0 EDI: 00000000 EBP: b50f6000 ESP: b31bbc98
[  505.814311] DS: 007b ES: 007b FS: 0000 GS: 0033 SS: 007b EFLAGS: 00200292
[  505.814313]  ? nmi+0x8b/0x190
[  505.814314] Modules linked in: snd_hrtimer snd_seq_midi snd_seq_midi_event
snd_rawmidi snd_seq snd_seq_device cpufreq_powersave cpufreq_userspace
cpufreq_conservative nvidia_drm(PO) drm_kms_helper drm fb_sys_fops syscopyarea
sysfillrect sysimgblt nvidia_modeset(PO) nvidia(PO) binfmt_misc fuse
snd_hda_codec_via snd_hda_codec_hdmi snd_hda_codec_generic nls_iso8859_2
nls_cp437 vfat kvm_amd snd_hda_intel fat kvm snd_hda_codec snd_hda_core
snd_hwdep snd_pcm_oss snd_mixer_oss snd_pcm snd_timer snd ohci_pci irqbypass
ohci_hcd soundcore k10temp ehci_pci ehci_hcd forcedeth i2c_nforce2 sr_mod
sata_nv cdrom sg asus_atk0110 pcc_cpufreq pcspkr acpi_cpufreq button
ipmi_devintf ipmi_msghandler usblp usbcore parport_pc ppdev lp parport
ip_tables x_tables autofs4 ext4 crc32c_generic crc16 mbcache jbd2 sd_mod
psmouse evdev serio_raw ata_generic pata_amd libata scsi_mod
[  505.814341] CR2: 0000000000000000
[  505.814343] ---[ end trace f9a592688c8617bc ]---
[  505.814354] EIP: kvm_mmu_load+0x292/0x4c0 [kvm]
[  505.814355] Code: 55 e8 e8 d1 f0 ff ff 8b 48 20 ff 40 28 8b 07 81 c1 00 00
00 40 c6 00 00 0f 1f 00 8b 87 68 02 00 00 0b 4d dc 8b 80 88 00 00 00 <89> 0c 30
c7 44 30 04 00 00 00 00 e9 6b ff ff ff 8d b6 00 00 00 00
[  505.814357] EAX: 00000000 EBX: 00000000 ECX: 1267a001 EDX: d30c7d6c
[  505.814358] ESI: 00000000 EDI: d2538000 EBP: d30c7dd0 ESP: d6a0d3bc
[  505.814359] DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068 EFLAGS: 00210202
[  505.814360] CR0: 80050033 CR2: 00000000 CR3: 223e2e40 CR4: 000006f0

The processor on L0 is Athlon II X2 240.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.


* [Bug 203923] Running a nested freedos on AMD Athlon i686-pae results in NULL pointer dereference in L0 (kvm_mmu_load)
From: bugzilla-daemon @ 2019-06-18 15:03 UTC
  To: kvm

https://bugzilla.kernel.org/show_bug.cgi?id=203923

Jiri Palecek (jpalecek@web.de) changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Summary|Running a nested freedos    |Running a nested freedos on
                   |results in NULL pointer     |AMD Athlon i686-pae results
                   |dereference in L0           |in NULL pointer dereference
                   |(kvm_mmu_load)              |in L0 (kvm_mmu_load)


* [Bug 203923] Running a nested freedos on AMD Athlon i686-pae results in NULL pointer dereference in L0 (kvm_mmu_load)
From: bugzilla-daemon @ 2019-06-20 10:19 UTC
  To: kvm

https://bugzilla.kernel.org/show_bug.cgi?id=203923

Paolo Bonzini (bonzini@gnu.org) changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |bonzini@gnu.org

--- Comment #2 from Paolo Bonzini (bonzini@gnu.org) ---
A patch for this is on its way to Linus.


* [Bug 203923] Running a nested freedos on AMD Athlon i686-pae results in NULL pointer dereference in L0 (kvm_mmu_load)
From: bugzilla-daemon @ 2019-06-20 13:57 UTC
  To: kvm

https://bugzilla.kernel.org/show_bug.cgi?id=203923

--- Comment #3 from Jiri Palecek (jpalecek@web.de) ---
Good! Could you point me to the patch please?


* [Bug 203923] Running a nested freedos on AMD Athlon i686-pae results in NULL pointer dereference in L0 (kvm_mmu_load)
From: bugzilla-daemon @ 2019-06-20 22:14 UTC
  To: kvm

https://bugzilla.kernel.org/show_bug.cgi?id=203923

Paolo Bonzini (bonzini@gnu.org) changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |CODE_FIX

--- Comment #4 from Paolo Bonzini (bonzini@gnu.org) ---
Sure:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=b6b80c78af838bef17501416d5d383fedab0010a


* [Bug 203923] Running a nested freedos on AMD Athlon i686-pae results in NULL pointer dereference in L0 (kvm_mmu_load)
From: bugzilla-daemon @ 2019-06-22 22:49 UTC
  To: kvm

https://bugzilla.kernel.org/show_bug.cgi?id=203923

--- Comment #7 from Jiri Palecek (jpalecek@web.de) ---
Created attachment 283393
  --> https://bugzilla.kernel.org/attachment.cgi?id=283393&action=edit
Patch that fixes this problem on my system

So, I had a look around the code and found that SVM initialized the nested
vcpus in such a way that ->arch.mmu points to ->arch.guest_mmu. The code in
mmu.c then uses ->arch.mmu->pae_root which crashes.

This patch really takes the path of the least resistance. If they want to have
pae_root allocated even for guest_mmu, let them have it and just allocate it.
Maybe if this is specific to AMD the whole business should be in svm.c though?
Or do it lazily only when actually doing the nesting?

The patch fixes the 5.1 kernel on my machine: the kvm guest starts and the nested
guest starts as well. However, in 5.2 there will probably be more problems ahead
because I got a different error there (kvm_spurious_fault in L1).

What are your thoughts on this?

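The mechanism comment #7 describes (a vCPU whose active ->arch.mmu is ->arch.guest_mmu while only one MMU context had its pae_root allocated, so the load path writes through a NULL pointer) is modelled below in user-space C as an added illustration. This is not KVM code and not the reporter's attachment; the struct and function names (vcpu_model, mmu_ctx, vcpu_init_original, vcpu_init_patched, vcpu_enter_nested, mmu_load_is_safe, mmu_load_guarded, scenario_*) are hypothetical, and the "patched" variant only mirrors the approach the comment states: allocate pae_root for guest_mmu as well. The PDPTE values written are constructed (all not-present).

```c
/* Added illustration of the failure mode in comment #7; not KVM source.
 * All names are hypothetical stand-ins for ->arch.mmu, ->arch.root_mmu,
 * ->arch.guest_mmu and ->pae_root. Builds with any C99 compiler. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PAE_ROOT_ENTRIES 4   /* a PAE page-directory-pointer table has 4 entries */

struct mmu_ctx {
    uint64_t *pae_root;      /* NULL until allocated: the pointer that was dereferenced */
    const char *name;
};

struct vcpu_model {
    struct mmu_ctx root_mmu;   /* context for the ordinary (non-nested) guest */
    struct mmu_ctx guest_mmu;  /* context used while running a nested (L2) guest */
    struct mmu_ctx *mmu;       /* active context, like ->arch.mmu */
};

/* Allocate the PAE root of one context. Returns 0 on success, -1 on failure. */
static int mmu_alloc_pae_root(struct mmu_ctx *ctx)
{
    if (ctx->pae_root)
        return 0;
    ctx->pae_root = calloc(PAE_ROOT_ENTRIES, sizeof(*ctx->pae_root));
    return ctx->pae_root ? 0 : -1;
}

/* Initial state as the report describes it: only root_mmu gets a pae_root. */
static int vcpu_init_original(struct vcpu_model *v)
{
    memset(v, 0, sizeof(*v));
    v->root_mmu.name = "root_mmu";
    v->guest_mmu.name = "guest_mmu";
    v->mmu = &v->root_mmu;
    return mmu_alloc_pae_root(&v->root_mmu);
}

/* The approach comment #7 describes: give guest_mmu a pae_root as well. */
static int vcpu_init_patched(struct vcpu_model *v)
{
    if (vcpu_init_original(v))
        return -1;
    return mmu_alloc_pae_root(&v->guest_mmu);
}

/* Switch the active context, as happens when entering nested operation. */
static void vcpu_enter_nested(struct vcpu_model *v)
{
    v->mmu = &v->guest_mmu;
}

/* Precondition for the load path: the active context must own a pae_root.
 * Returns 1 if loading is safe, 0 if it would write through NULL. */
static int mmu_load_is_safe(const struct vcpu_model *v)
{
    return v->mmu != NULL && v->mmu->pae_root != NULL;
}

/* Guarded load step: fills the PAE root with constructed not-present entries
 * and returns 0, or returns -1 instead of dereferencing a NULL pae_root. */
static int mmu_load_guarded(struct vcpu_model *v)
{
    if (!mmu_load_is_safe(v)) {
        fprintf(stderr, "%s has no pae_root; refusing to load\n", v->mmu->name);
        return -1;
    }
    for (int i = 0; i < PAE_ROOT_ENTRIES; i++)
        v->mmu->pae_root[i] = 0;   /* constructed: every PDPTE not-present */
    return 0;
}

static void vcpu_free(struct vcpu_model *v)
{
    free(v->root_mmu.pae_root);
    free(v->guest_mmu.pae_root);
}

/* Scenario: original init, then nested. Returns mmu_load_guarded()'s result (-1). */
static int scenario_original_nested(void)
{
    struct vcpu_model v;
    if (vcpu_init_original(&v))
        return -2;
    vcpu_enter_nested(&v);
    int rc = mmu_load_guarded(&v);
    vcpu_free(&v);
    return rc;
}

/* Scenario: patched init, then nested. Returns mmu_load_guarded()'s result (0). */
static int scenario_patched_nested(void)
{
    struct vcpu_model v;
    if (vcpu_init_patched(&v))
        return -2;
    vcpu_enter_nested(&v);
    int rc = mmu_load_guarded(&v);
    vcpu_free(&v);
    return rc;
}

int main(void)
{
    printf("original init, nested load: %d\n", scenario_original_nested());
    printf("patched init, nested load:  %d\n", scenario_patched_nested());
    return 0;
}
```

The point of the model is the invariant: whichever context ->arch.mmu points at when kvm_mmu_load runs must already own its pae_root, and a guard such as mmu_load_is_safe() turns the NULL write into a reportable failure rather than an oops.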
