From: Paolo Bonzini <pbonzini@xxxxxxxxxx>
commit 78e546c824fa8f96d323b7edd6f5cad5b74af057 upstream
This cannot be returned by KVM_GET_VCPU_EVENTS, so it is okay to return
EINVAL. It causes a WARN from exception_type:
WARNING: CPU: 3 PID: 16732 at arch/x86/kvm/x86.c:345 exception_type+0x49/0x50 [kvm]()
CPU: 3 PID: 16732 Comm: a.out Tainted: G W 4.4.6-300.fc23.x86_64 #1
Hardware name: LENOVO 2325F51/2325F51, BIOS G2ET32WW (1.12 ) 05/30/2012
0000000000000286 000000006308a48b ffff8800bec7fcf8 ffffffff813b542e
0000000000000000 ffffffffa0966496 ffff8800bec7fd30 ffffffff810a40f2
ffff8800552a8000 0000000000000000 00000000002c267c 0000000000000001
Call Trace:
[<ffffffff813b542e>] dump_stack+0x63/0x85
[<ffffffff810a40f2>] warn_slowpath_common+0x82/0xc0
[<ffffffff810a423a>] warn_slowpath_null+0x1a/0x20
[<ffffffffa0924809>] exception_type+0x49/0x50 [kvm]
[<ffffffffa0934622>] kvm_arch_vcpu_ioctl_run+0x10a2/0x14e0 [kvm]
[<ffffffffa091c04d>] kvm_vcpu_ioctl+0x33d/0x620 [kvm]
[<ffffffff81241248>] do_vfs_ioctl+0x298/0x480
[<ffffffff812414a9>] SyS_ioctl+0x79/0x90
[<ffffffff817a04ee>] entry_SYSCALL_64_fastpath+0x12/0x71
---[ end trace b1a0391266848f50 ]---
Testcase (beautified/reduced from syzkaller output):
#include <unistd.h>
#include <sys/syscall.h>
#include <string.h>
#include <stdint.h>
#include <fcntl.h>
#include <sys/ioctl.h>
#include <linux/kvm.h>
long r[31];
int main()
{
memset(r, -1, sizeof(r));
r[2] = open("/dev/kvm", O_RDONLY);
r[3] = ioctl(r[2], KVM_CREATE_VM, 0);
r[7] = ioctl(r[3], KVM_CREATE_VCPU, 0);
struct kvm_vcpu_events ve = {
.exception.injected = 1,
.exception.nr = 0xd4
};
r[27] = ioctl(r[7], KVM_SET_VCPU_EVENTS, &ve);
r[30] = ioctl(r[7], KVM_RUN, 0);
return 0;
}
Reported-by: Dmitry Vyukov <dvyukov@xxxxxxxxxx>
Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
Signed-off-by: Radim Krčmář <rkrcmar@xxxxxxxxxx>
Signed-off-by: Zubin Mithra <zsm@xxxxxxxxxxxx>
---
Notes:
* Syzkaller triggered a WARNING in exception_type with the following stacktrace.
Call Trace:
__dump_stack lib/dump_stack.c:15 [inline]
dump_stack+0xbf/0x113 lib/dump_stack.c:51
panic+0x1a6/0x361 kernel/panic.c:116
__warn+0x168/0x1b0 kernel/panic.c:470
warn_slowpath_null+0x3c/0x40 kernel/panic.c:514
exception_type+0x33/0x7d arch/x86/kvm/x86.c:354
inject_pending_event arch/x86/kvm/x86.c:6072 [inline]
vcpu_enter_guest arch/x86/kvm/x86.c:6551 [inline]
vcpu_run arch/x86/kvm/x86.c:6744 [inline]
kvm_arch_vcpu_ioctl_run+0x1b76/0x352e arch/x86/kvm/x86.c:6902
kvm_vcpu_ioctl+0x396/0xa74 arch/x86/kvm/../../../virt/kvm/kvm_main.c:2432
vfs_ioctl fs/ioctl.c:43 [inline]
do_vfs_ioctl+0xcb0/0xd0f fs/ioctl.c:630
SYSC_ioctl fs/ioctl.c:645 [inline]
SyS_ioctl+0x71/0xad fs/ioctl.c:636
entry_SYSCALL_64_fastpath+0x31/0xb3
* This patch resolves a conflict that arises when applying the original upstream
commit. The conflict arises as the following upstream patch was applied to 4.4.y:
28bf28887976 ("KVM: x86: fix user triggerable warning in kvm_apic_accept_events()")
* This commit is present in linux-4.9.y
* Tests run: Chrome OS tryjobs, Syzkaller reproducer
arch/x86/kvm/x86.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
index 706c5d63a53f..d830a0d60ba4 100644
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -2972,6 +2972,10 @@ static int kvm_vcpu_ioctl_x86_set_vcpu_events(struct kvm_vcpu *vcpu,
| KVM_VCPUEVENT_VALID_SMM))
return -EINVAL;
+ if (events->exception.injected &&
+ (events->exception.nr > 31 || events->exception.nr == NMI_VECTOR))
+ return -EINVAL;
+
/* INITs are latched while in SMM */
if (events->flags & KVM_VCPUEVENT_VALID_SMM &&
(events->smi.smm || events->smi.pending) &&
--
2.21.0.593.g511ec345e18-goog
