a warning in kvm

- cpu model:
  Intel(R) Xeon(R) Platinum 8358 CPU @ 2.60GHz
- host kernel version:
  Linux 946db039d590 5.10.73-kafl+ #1 SMP Fri Mar 18 13:20:22 CET 2022 x86_64 x86_64 x86_64 GNU/Linux
- host kernel arch:
  x86_64
- guest kernel version:
  (the latest Linux kernel version commit 23956900041d968f9ad0f30db6dede4daccd7aa9)
  Linux syzkaller 6.8.0-11767-g23956900041d #2 SMP PREEMPT_DYNAMIC Thu Mar 21 22:01:33 CST 2024 x86_64 GNU/Linux
- qemu command:
  in the file list
- Whether the problem goes away if using the -machine kernel_irqchip=off QEMU switch?
  yes
- Whether the problem also appears with the -accel tcg switch?
  QEMU can't start; it fails with the error: "qemu-system-x86_64: CPU model 'host' requires KVM"

I discovered that in KVM, the following PoC will produce a warning. This PoC first sets the vCPU to 64-bit and executes the KVM_SETUP_VM instruction to enable nested virtualization.

Then it sets the vCPU to 16-bit and executes the lldt instruction. Since the execution of this instruction requires simulation, the `em_lldt` function is called.

It sets the LDTR with the specified selector, and when the selector is set to 0xf, its TI bit is set (while the LDTR register should point to the GDT, and its TI bit should not be set), leading to a failure in verifying the validity of the LDTR (in the `ldtr_valid` function in arch/x86/kvm/vmx/vmx.c) and to the vmx->emulation_required field being set.

Subsequently, in the next `vcpu_enter_guest`, it sequentially enters kvm_request_pending->kvm_check_and_inject_events->vmx_inject_exception. Since vmx->emulation_required is true at this time, it triggers a warning.

The warning is triggered in the `vmx_inject_exception` function in arch/x86/kvm/vmx/vmx.c.
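To make the validity check the report refers to concrete, here is an added C model of the selector layout and of the conditions KVM's `ldtr_valid()` applies (index/TI/RPL split, selector must come from the GDT, descriptor type must be LDT (2), descriptor must be present). This is my own illustration, not code from the report or from the kernel; the `struct seg` type, the helper names and the assumption that `em_lldt` leaves the descriptor attributes as "type 2, present" for a non-null selector are mine.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed subset of the per-segment state KVM keeps (modelled on
 * struct kvm_segment); field set and names are an assumption. */
struct seg {
    uint16_t selector;
    uint8_t  type;      /* descriptor type field; 2 = LDT descriptor */
    bool     present;
    bool     unusable;  /* set for a null selector: nothing to validate */
};

/* Architectural selector layout: bits 1:0 RPL, bit 2 TI, bits 15:3 index. */
#define SEGMENT_RPL_MASK 0x3
#define SEGMENT_TI_MASK  0x4

/* Split a selector into its three fields. */
static void decode_selector(uint16_t sel, unsigned *index, bool *ti, unsigned *rpl)
{
    *index = sel >> 3;
    *ti    = (sel & SEGMENT_TI_MASK) != 0;
    *rpl   = sel & SEGMENT_RPL_MASK;
}

/* Mirrors the checks ldtr_valid() in arch/x86/kvm/vmx/vmx.c performs
 * (assumption: matches the kernel at the reported commit). The LDTR's own
 * selector must reference the GDT (TI clear), point at an LDT descriptor
 * and be present; an unusable (null) LDTR is acceptable as-is. */
static bool ldtr_valid(const struct seg *ldtr)
{
    if (ldtr->unusable)
        return true;
    if (ldtr->selector & SEGMENT_TI_MASK)   /* TI = 1: selector refers to an LDT */
        return false;
    if (ldtr->type != 2)                    /* not an LDT descriptor */
        return false;
    if (!ldtr->present)
        return false;
    return true;
}

/* Model of the LDTR state left behind after lldt with the given selector:
 * a null selector yields an unusable LDTR; otherwise assume the descriptor
 * loaded is a present LDT descriptor, so only the selector itself can fail.
 * Returns true when the resulting state would not pass ldtr_valid(), i.e.
 * when VMX would refuse to enter the guest and emulation_required is set. */
static bool emulation_required_after_lldt(uint16_t selector)
{
    struct seg ldtr = {
        .selector = selector,
        .type     = 2,
        .present  = true,
        .unusable = (selector & ~SEGMENT_RPL_MASK) == 0,
    };
    return !ldtr_valid(&ldtr);
}

int main(void)
{
    const uint16_t samples[] = { 0x0, 0x8, 0xf };   /* constructed sample selectors */
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        unsigned index, rpl;
        bool ti;
        decode_selector(samples[i], &index, &ti, &rpl);
        printf("selector 0x%x: index=%u TI=%d RPL=%u -> emulation_required=%d\n",
               samples[i], index, ti, rpl, emulation_required_after_lldt(samples[i]));
    }
    return 0;
}
```

Running it shows why 0xf is the interesting value: it decodes to index 1, TI = 1, RPL = 3, and the TI bit alone is enough to make the LDTR invalid, whereas 0x8 (index 1 in the GDT) passes and 0x0 leaves the LDTR unusable and therefore acceptable.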


I've just started learning about KVM and am interested in understanding the cause of this issue, the potential harm it could cause, and how it should be addressed. Thank you for your help.

The warning is as follows:

```
[ 4824.188590] ------------[ cut here ]------------
[ 4824.188908] WARNING: CPU: 0 PID: 404 at arch/x86/kvm/vmx/vmx.c:1820 vmx_inject_exception+0x13b/0x150
[ 4824.189524] Modules linked in:
[ 4824.189743] CPU: 0 PID: 404 Comm: test Tainted: G        W          6.8.0-11767-g23956900041d #2
[ 4824.190361] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
[ 4824.190952] RIP: 0010:vmx_inject_exception+0x13b/0x150
[ 4824.191775] Code: 16 ff ff ff e8 a6 91 ea 00 81 cb 00 08 00 80 e9 06 ff ff ff e8 96 91 ea 00 eb b0 90 bf 1a 40 00 00 e8 99 ea ff ff 90 eb a2 90 <00
[ 4824.192578] RSP: 0018:ffa0000000d57d98 EFLAGS: 00010202
[ 4824.192813] RAX: 00000000fffffffe RBX: 0000000080000001 RCX: 0000000000000001
[ 4824.193122] RDX: 0000000000000000 RSI: 0000000000000001 RDI: ff11000007118000
[ 4824.193436] RBP: ff11000007118000 R08: 0000000000000004 R09: 0000000000004000
[ 4824.193746] R10: 000000000000000f R11: 000000000000000c R12: ff11000007118000
[ 4824.194058] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000100
[ 4824.194376] FS:  00007f32fe37a540(0000) GS:ff1100007dc00000(0000) knlGS:0000000000000000
[ 4824.194732] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 4824.194985] CR2: 0000000000000000 CR3: 0000000005d26004 CR4: 0000000000773ef0
[ 4824.195314] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 4824.195625] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 4824.195934] PKRU: 55555554
[ 4824.196059] Call Trace:
[ 4824.196171]  <TASK>
[ 4824.196276]  ? __warn+0x7e/0x130
[ 4824.196429]  ? vmx_inject_exception+0x13b/0x150
[ 4824.196634]  ? report_bug+0x1b7/0x1d0
[ 4824.196801]  ? handle_bug+0x3d/0x70
[ 4824.196961]  ? exc_invalid_op+0x18/0x70
[ 4824.197133]  ? asm_exc_invalid_op+0x1a/0x20
[ 4824.197324]  ? vmx_inject_exception+0x13b/0x150
[ 4824.197528]  ? vmx_inject_exception+0x1c/0x150
[ 4824.197727]  vcpu_enter_guest+0xc85/0x1650
[ 4824.197911]  ? vmx_vcpu_load+0x20/0x70
[ 4824.198083]  ? restore_fpregs_from_fpstate+0x42/0xc0
[ 4824.198309]  kvm_arch_vcpu_ioctl_run+0x1e8/0xa00
[ 4824.198517]  kvm_vcpu_ioctl+0x272/0x6c0
[ 4824.198692]  ? vfs_read+0x26c/0x340
[ 4824.198853]  __x64_sys_ioctl+0x8a/0xc0
[ 4824.199021]  do_syscall_64+0xb1/0x1b0
[ 4824.199193]  entry_SYSCALL_64_after_hwframe+0x6d/0x75
[ 4824.199417] RIP: 0033:0x7f32fe296277
[ 4824.199571] Code: 00 00 00 48 8b 05 19 cc 0d 00 64 c7 00 26 00 00 00 48 c7 c0 ff ff ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 b8 10 00 00 00 0f 05 <48
[ 4824.200343] RSP: 002b:00007ffff4d18bc8 EFLAGS: 00000206 ORIG_RAX: 0000000000000010
[ 4824.200669] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f32fe296277
[ 4824.200981] RDX: 0000000000000000 RSI: 000000000000ae80 RDI: 0000000000000005
[ 4824.201296] RBP: 00007ffff4d18c80 R08: 0000000000000000 R09: 00007ffff4d18aa0
[ 4824.201608] R10: 0000000020010000 R11: 0000000000000206 R12: 000055d4bb2ae150
[ 4824.201917] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 4824.202228]  </TASK>
[ 4824.202334] ---[ end trace 0000000000000000 ]---
```



<<attachment: email.zip>>

