tjh.dev
Linux kernel mirror (for testing)
git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel
os
linux
KVM: nVMX: do not use dangling shadow VMCS after guest reset
If a KVM guest is reset while running a nested guest, free_nested will
disable the shadow VMCS execution control in the vmcs01. However,
on the next KVM_RUN vmx_vcpu_run would nevertheless try to sync
the VMCS12 to the shadow VMCS which has since been freed.
This causes a vmptrld of a NULL pointer on my machime, but Jan reports
the host to hang altogether. Let's see how much this trivial patch fixes.
Reported-by: Jan Kiszka <jan.kiszka@siemens.com>
Cc: Liran Alon <liran.alon@oracle.com>
Cc: stable@vger.kernel.org
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+7
-1
+7
-1
arch/x86/kvm/vmx/nested.c
+7
-1
arch/x86/kvm/vmx/nested.c
···
194
194
{
195
195
secondary_exec_controls_clearbit(vmx, SECONDARY_EXEC_SHADOW_VMCS);
196
196
vmcs_write64(VMCS_LINK_POINTER, -1ull);
197
+
vmx->nested.need_vmcs12_to_shadow_sync = false;
197
198
}
198
199
199
200
static inline void nested_release_evmcs(struct kvm_vcpu *vcpu)
···
1342
1341
unsigned long val;
1343
1342
int i;
1344
1343
1344
+
if (WARN_ON(!shadow_vmcs))
1345
+
return;
1346
+
1345
1347
preempt_disable();
1346
1348
1347
1349
vmcs_load(shadow_vmcs);
···
1376
1372
struct shadow_vmcs_field field;
1377
1373
unsigned long val;
1378
1374
int i, q;
1375
+
1376
+
if (WARN_ON(!shadow_vmcs))
1377
+
return;
1379
1378
1380
1379
vmcs_load(shadow_vmcs);
1381
1380
···
4443
4436
/* copy to memory all shadowed fields in case
4444
4437
they were modified */
4445
4438
copy_shadow_to_vmcs12(vmx);
4446
-
vmx->nested.need_vmcs12_to_shadow_sync = false;
4447
4439
vmx_disable_shadow_vmcs(vmx);
4448
4440
}
4449
4441
vmx->nested.posted_intr_nv = -1;