Re: [PATCH 13/20] KVM: x86 emulator: fix memory access during x86 emulation
Avi Kivity wrote:
> On 03/06/2010 03:53 PM, Stefan Bader wrote:
>> Hi Avi,
>>
>> we are currently trying to integrate this patch for an update into a 2.6.32 based system (amongst other kvm updates). But as soon as this patch gets added, kvm will die on startup in kvm_leave_lazy_mmu. This has been documented here:
>> https://bugs.edge.launchpad.net/ubuntu/+source/linux/+bug/531823
>>
>> I have placed the backports of your patches, which are currently in linux-next and marked for stable, here:
>> git://kernel.ubuntu.com/smb/linux-2.6.32.y kvm
>>
>> I have tested the failure with a version that got only the following patches in:
>>   KVM: x86 emulator: Add Virtual-8086 mode of emulation
>>   KVM: x86 emulator: fix memory access during x86 emulation
>>   KVM: x86 emulator: Check IOPL level during io instruction emulation
>>   KVM: x86 emulator: Fix popf emulation
>>   KVM: x86 emulator: Check CPL level during privilege instruction emulation
>>
>> and also with a version that takes all stable patches up to the bad one:
>>   KVM: VMX: Trap and invalid MWAIT/MONITOR instruction
>>   KVM: x86 emulator: Add group8 instruction decoding
>>   KVM: x86 emulator: Add group9 instruction decoding
>>   KVM: x86 emulator: Add Virtual-8086 mode of emulation
>>   KVM: x86 emulator: fix memory access during x86 emulation
>>
>> But as soon as the fix for memory access gets added, the bug will occur. Would you have an idea what might be causing this?
>
> Does the same guest, using the same qemu-kvm, work on kvm.git or upstream?

The test was done with a kvm user-space package based on 0.12.3 (which seems to be the current upstream version). I'll try to do a test on the git version.

Stefan
--
To unsubscribe from this list: send the line unsubscribe kvm in the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: [PATCH 13/20] KVM: x86 emulator: fix memory access during x86 emulation
On 03/08/2010 04:10 PM, Stefan Bader wrote:
> Avi Kivity wrote:
>> On 03/06/2010 03:53 PM, Stefan Bader wrote:
>>> Hi Avi,
>>>
>>> we are currently trying to integrate this patch for an update into a 2.6.32 based system (amongst other kvm updates). But as soon as this patch gets added, kvm will die on startup in kvm_leave_lazy_mmu. This has been documented here:
>>> https://bugs.edge.launchpad.net/ubuntu/+source/linux/+bug/531823
>>>
>>> I have placed the backports of your patches, which are currently in linux-next and marked for stable, here:
>>> git://kernel.ubuntu.com/smb/linux-2.6.32.y kvm
>>>
>>> I have tested the failure with a version that got only the following patches in:
>>>   KVM: x86 emulator: Add Virtual-8086 mode of emulation
>>>   KVM: x86 emulator: fix memory access during x86 emulation
>>>   KVM: x86 emulator: Check IOPL level during io instruction emulation
>>>   KVM: x86 emulator: Fix popf emulation
>>>   KVM: x86 emulator: Check CPL level during privilege instruction emulation
>>>
>>> and also with a version that takes all stable patches up to the bad one:
>>>   KVM: VMX: Trap and invalid MWAIT/MONITOR instruction
>>>   KVM: x86 emulator: Add group8 instruction decoding
>>>   KVM: x86 emulator: Add group9 instruction decoding
>>>   KVM: x86 emulator: Add Virtual-8086 mode of emulation
>>>   KVM: x86 emulator: fix memory access during x86 emulation
>>>
>>> But as soon as the fix for memory access gets added, the bug will occur. Would you have an idea what might be causing this?
>>
>> Does the same guest, using the same qemu-kvm, work on kvm.git or upstream?
>
> The test was done with a kvm user-space package based on 0.12.3 (which seems to be the current upstream version). I'll try to do a test on the git version.

I meant keep the same userspace without change, and try it on a Linus kernel or kvm.git master (http://git.kernel.org/?p=virt/kvm/kvm.git;a=summary).
--
error compiling committee.c: too many arguments to function
Re: [PATCH 13/20] KVM: x86 emulator: fix memory access during x86 emulation
Avi Kivity wrote:
> On 03/08/2010 04:10 PM, Stefan Bader wrote:
>> Avi Kivity wrote:
>>> On 03/06/2010 03:53 PM, Stefan Bader wrote:
>>>> Hi Avi,
>>>>
>>>> we are currently trying to integrate this patch for an update into a 2.6.32 based system (amongst other kvm updates). But as soon as this patch gets added, kvm will die on startup in kvm_leave_lazy_mmu. This has been documented here:
>>>> https://bugs.edge.launchpad.net/ubuntu/+source/linux/+bug/531823
>>>>
>>>> I have placed the backports of your patches, which are currently in linux-next and marked for stable, here:
>>>> git://kernel.ubuntu.com/smb/linux-2.6.32.y kvm
>>>>
>>>> I have tested the failure with a version that got only the following patches in:
>>>>   KVM: x86 emulator: Add Virtual-8086 mode of emulation
>>>>   KVM: x86 emulator: fix memory access during x86 emulation
>>>>   KVM: x86 emulator: Check IOPL level during io instruction emulation
>>>>   KVM: x86 emulator: Fix popf emulation
>>>>   KVM: x86 emulator: Check CPL level during privilege instruction emulation
>>>>
>>>> and also with a version that takes all stable patches up to the bad one:
>>>>   KVM: VMX: Trap and invalid MWAIT/MONITOR instruction
>>>>   KVM: x86 emulator: Add group8 instruction decoding
>>>>   KVM: x86 emulator: Add group9 instruction decoding
>>>>   KVM: x86 emulator: Add Virtual-8086 mode of emulation
>>>>   KVM: x86 emulator: fix memory access during x86 emulation
>>>>
>>>> But as soon as the fix for memory access gets added, the bug will occur. Would you have an idea what might be causing this?
>>>
>>> Does the same guest, using the same qemu-kvm, work on kvm.git or upstream?
>>
>> The test was done with a kvm user-space package based on 0.12.3 (which seems to be the current upstream version). I'll try to do a test on the git version.
>
> I meant keep the same userspace without change, and try it on a Linus kernel or kvm.git master (http://git.kernel.org/?p=virt/kvm/kvm.git;a=summary).

Ok, sorry, I misunderstood that. As I see Linus just pulled your patches in, I will get that compiled and tested.
Re: [PATCH 13/20] KVM: x86 emulator: fix memory access during x86 emulation
Avi Kivity wrote:
> On 03/08/2010 04:10 PM, Stefan Bader wrote:
>> Avi Kivity wrote:
>>> On 03/06/2010 03:53 PM, Stefan Bader wrote:
>>>> Hi Avi,
>>>>
>>>> we are currently trying to integrate this patch for an update into a 2.6.32 based system (amongst other kvm updates). But as soon as this patch gets added, kvm will die on startup in kvm_leave_lazy_mmu. This has been documented here:
>>>> https://bugs.edge.launchpad.net/ubuntu/+source/linux/+bug/531823
>>>>
>>>> I have placed the backports of your patches, which are currently in linux-next and marked for stable, here:
>>>> git://kernel.ubuntu.com/smb/linux-2.6.32.y kvm
>>>>
>>>> I have tested the failure with a version that got only the following patches in:
>>>>   KVM: x86 emulator: Add Virtual-8086 mode of emulation
>>>>   KVM: x86 emulator: fix memory access during x86 emulation
>>>>   KVM: x86 emulator: Check IOPL level during io instruction emulation
>>>>   KVM: x86 emulator: Fix popf emulation
>>>>   KVM: x86 emulator: Check CPL level during privilege instruction emulation
>>>>
>>>> and also with a version that takes all stable patches up to the bad one:
>>>>   KVM: VMX: Trap and invalid MWAIT/MONITOR instruction
>>>>   KVM: x86 emulator: Add group8 instruction decoding
>>>>   KVM: x86 emulator: Add group9 instruction decoding
>>>>   KVM: x86 emulator: Add Virtual-8086 mode of emulation
>>>>   KVM: x86 emulator: fix memory access during x86 emulation
>>>>
>>>> But as soon as the fix for memory access gets added, the bug will occur. Would you have an idea what might be causing this?
>>>
>>> Does the same guest, using the same qemu-kvm, work on kvm.git or upstream?
>>
>> The test was done with a kvm user-space package based on 0.12.3 (which seems to be the current upstream version). I'll try to do a test on the git version.
>
> I meant keep the same userspace without change, and try it on a Linus kernel or kvm.git master (http://git.kernel.org/?p=virt/kvm/kvm.git;a=summary).

HEAD of kvm.git tree works (with same client and userspace).
Stable 2.6.32.y tree plus all patches marked cc: stable fails. (32bit host/guest)

Host dmesg:
kvm: emulating exchange as write

Guest dmesg:
...
[3.053503] Freeing initrd memory: 8843k freed
[3.059863] Freeing unused kernel memory: 660k freed
[3.076657] Write protecting the kernel text: 4780k
[3.082863] Write protecting the kernel read-only data: 1912k
[3.08] BUG: unable to handle kernel paging request at c01292e3
[3.088025] IP: [c01292e3] kvm_leave_lazy_mmu+0x43/0x70
[3.088025] *pde = 00910067 *pte = 00129161
[3.088025] Oops: 0003 [#1] SMP
[3.088025] last sysfs file:
[3.088025] Modules linked in:
[3.088025]
[3.088025] Pid: 1, comm: init Not tainted (2.6.32-15-generic #22-Ubuntu) Bochs
[3.088025] EIP: 0060:[c01292e3] EFLAGS: 00010246 CPU: 0
[3.088025] EIP is at kvm_leave_lazy_mmu+0x43/0x70
[3.088025] EAX: 0002 EBX: 0018 ECX: 01802c20 EDX:
[3.088025] ESI: c1802c20 EDI: c1802c20 EBP: df071cb4 ESP: df071ca8
[3.088025] DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068
[3.088025] Process init (pid: 1, ti=df07 task=df068000 task.ti=df07)
[3.088025] Stack:
[3.088025] c000 dce2b000 dce2a844 df071cf0 c01e8b6d 0001 b000
[3.088025] 0 db7ed000 c139d54c c139d54c df133000 db7ed000 1ffef067 b000
[3.088025] 0 bfe1 db44bbfc df071d2c c01e8ce0 c000 df133000 db44bbfc bfe1
[3.088025] Call Trace:
[3.088025] [c01e8b6d] ? move_ptes+0x1ad/0x270
[3.088025] [c01e8ce0] ? move_page_tables+0xb0/0x130
[3.088025] [c020b614] ? shift_arg_pages+0x94/0x180
[3.088025] [c020b885] ? setup_arg_pages+0x185/0x1b0
[3.088025] [c0241243] ? load_elf_binary+0x3c3/0xac0
[3.088025] [c02f1654] ? security_file_permission+0x14/0x20
[3.088025] [c02052f4] ? rw_verify_area+0x64/0xe0
[3.088025] [c0240e80] ? load_elf_binary+0x0/0xac0
[3.088025] [c020bd9f] ? search_binary_handler+0xef/0x2f0
[3.088025] [c020b465] ? kernel_read+0x35/0x50
[3.088025] [c023f7b2] ? load_script+0x1e2/0x270
[3.088025] [c01e4160] ? get_user_pages+0x50/0x60
[3.088025] [c020a662] ? get_arg_page+0x52/0xb0
[3.088025] [c023f5d0] ? load_script+0x0/0x270
[3.088025] [c020bd9f] ? search_binary_handler+0xef/0x2f0
[3.088025] [c020a834] ? copy_strings+0x174/0x190
[3.088025] [c020c2c7] ? do_execve+0x1f7/0x2c0
[3.088025] [c034ed6a] ? strncpy_from_user+0x3a/0x70
[3.088025] [c0101a1d] ? sys_execve+0x2d/0x60
[3.088025] [c01033ec] ? syscall_call+0x7/0xb
[3.088025] [c01070a4] ? kernel_execve+0x24/0x30
[3.088025] [c01012ac] ? run_init_process+0x1c/0x20
[3.088025] [c0101396] ? init_post+0xe6/0x100
[3.088025] [c07d83d0] ? kernel_init+0xb8/0xbf
[3.088025] [c07d8318] ? kernel_init+0x0/0xbf
[3.088025] [c0104087] ? kernel_thread_helper+0x7/0x10
[3.088025] Code: 6c 87 c0 64 a1 40 6a 87 c0 03 3c 85 80 4a 7d c0 8b 9f 00 04 00 00 85 db 74 24 89 fe 31 d2 66 90 8d 8e 00 00 00 40 b8 02 00 00 00 0f 01 c1 01 c6 29 c3 75 ec c7 87
Re: [PATCH 13/20] KVM: x86 emulator: fix memory access during x86 emulation
On 03/06/2010 03:53 PM, Stefan Bader wrote:
> Hi Avi,
>
> we are currently trying to integrate this patch for an update into a 2.6.32 based system (amongst other kvm updates). But as soon as this patch gets added, kvm will die on startup in kvm_leave_lazy_mmu. This has been documented here:
> https://bugs.edge.launchpad.net/ubuntu/+source/linux/+bug/531823
>
> I have placed the backports of your patches, which are currently in linux-next and marked for stable, here:
> git://kernel.ubuntu.com/smb/linux-2.6.32.y kvm
>
> I have tested the failure with a version that got only the following patches in:
>   KVM: x86 emulator: Add Virtual-8086 mode of emulation
>   KVM: x86 emulator: fix memory access during x86 emulation
>   KVM: x86 emulator: Check IOPL level during io instruction emulation
>   KVM: x86 emulator: Fix popf emulation
>   KVM: x86 emulator: Check CPL level during privilege instruction emulation
>
> and also with a version that takes all stable patches up to the bad one:
>   KVM: VMX: Trap and invalid MWAIT/MONITOR instruction
>   KVM: x86 emulator: Add group8 instruction decoding
>   KVM: x86 emulator: Add group9 instruction decoding
>   KVM: x86 emulator: Add Virtual-8086 mode of emulation
>   KVM: x86 emulator: fix memory access during x86 emulation
>
> But as soon as the fix for memory access gets added, the bug will occur. Would you have an idea what might be causing this?

Does the same guest, using the same qemu-kvm, work on kvm.git or upstream?
Re: [PATCH 13/20] KVM: x86 emulator: fix memory access during x86 emulation
Hi Avi,

we are currently trying to integrate this patch for an update into a 2.6.32 based system (amongst other kvm updates). But as soon as this patch gets added, kvm will die on startup in kvm_leave_lazy_mmu. This has been documented here:
https://bugs.edge.launchpad.net/ubuntu/+source/linux/+bug/531823

I have placed the backports of your patches, which are currently in linux-next and marked for stable, here:
git://kernel.ubuntu.com/smb/linux-2.6.32.y kvm

I have tested the failure with a version that got only the following patches in:
  KVM: x86 emulator: Add Virtual-8086 mode of emulation
  KVM: x86 emulator: fix memory access during x86 emulation
  KVM: x86 emulator: Check IOPL level during io instruction emulation
  KVM: x86 emulator: Fix popf emulation
  KVM: x86 emulator: Check CPL level during privilege instruction emulation

and also with a version that takes all stable patches up to the bad one:
  KVM: VMX: Trap and invalid MWAIT/MONITOR instruction
  KVM: x86 emulator: Add group8 instruction decoding
  KVM: x86 emulator: Add group9 instruction decoding
  KVM: x86 emulator: Add Virtual-8086 mode of emulation
  KVM: x86 emulator: fix memory access during x86 emulation

But as soon as the fix for memory access gets added, the bug will occur. Would you have an idea what might be causing this?

Thanks,
Stefan

Avi Kivity wrote:
From: Gleb Natapov g...@redhat.com

Currently, when the x86 emulator needs to access memory, the page walk is done with the broadest permission possible, so if the emulated instruction was executed by a userspace process it can still access kernel memory. Fix that by providing the correct memory access to the page walker during emulation.

Signed-off-by: Gleb Natapov g...@redhat.com
Cc: sta...@kernel.org
Signed-off-by: Avi Kivity a...@redhat.com --- arch/x86/include/asm/kvm_emulate.h | 14 +++- arch/x86/include/asm/kvm_host.h|7 ++- arch/x86/kvm/emulate.c |6 +- arch/x86/kvm/mmu.c | 17 ++--- arch/x86/kvm/mmu.h |6 ++ arch/x86/kvm/paging_tmpl.h | 11 ++- arch/x86/kvm/x86.c | 131 +++- 7 files changed, 142 insertions(+), 50 deletions(-) diff --git a/arch/x86/include/asm/kvm_emulate.h b/arch/x86/include/asm/kvm_emulate.h index 784d7c5..7a6f54f 100644 --- a/arch/x86/include/asm/kvm_emulate.h +++ b/arch/x86/include/asm/kvm_emulate.h @@ -54,13 +54,23 @@ struct x86_emulate_ctxt; struct x86_emulate_ops { /* * read_std: Read bytes of standard (non-emulated/special) memory. - * Used for instruction fetch, stack operations, and others. + * Used for descriptor reading. * @addr: [IN ] Linear address from which to read. * @val: [OUT] Value read from memory, zero-extended to 'u_long'. * @bytes: [IN ] Number of bytes to read from memory. */ int (*read_std)(unsigned long addr, void *val, - unsigned int bytes, struct kvm_vcpu *vcpu); + unsigned int bytes, struct kvm_vcpu *vcpu, u32 *error); + + /* + * fetch: Read bytes of standard (non-emulated/special) memory. + *Used for instruction fetch. + * @addr: [IN ] Linear address from which to read. + * @val: [OUT] Value read from memory, zero-extended to 'u_long'. + * @bytes: [IN ] Number of bytes to read from memory. + */ + int (*fetch)(unsigned long addr, void *val, + unsigned int bytes, struct kvm_vcpu *vcpu, u32 *error); /* * read_emulated: Read bytes from emulated/special memory area. diff --git a/arch/x86/include/asm/kvm_host.h b/arch/x86/include/asm/kvm_host.h index 1522337..c07c16f 100644 --- a/arch/x86/include/asm/kvm_host.h +++ b/arch/x86/include/asm/kvm_host.h 
@@ -243,7 +243,8 @@ struct kvm_mmu { void (*new_cr3)(struct kvm_vcpu *vcpu); int (*page_fault)(struct kvm_vcpu *vcpu, gva_t gva, u32 err); void (*free)(struct kvm_vcpu *vcpu); - gpa_t (*gva_to_gpa)(struct kvm_vcpu *vcpu, gva_t gva); + gpa_t (*gva_to_gpa)(struct kvm_vcpu *vcpu, gva_t gva, u32 access, + u32 *error); void (*prefetch_page)(struct kvm_vcpu *vcpu, struct kvm_mmu_page *page); int (*sync_page)(struct kvm_vcpu *vcpu, @@ -660,6 +661,10 @@ void __kvm_mmu_free_some_pages(struct kvm_vcpu *vcpu); int kvm_mmu_load(struct kvm_vcpu *vcpu); void kvm_mmu_unload(struct kvm_vcpu *vcpu); void kvm_mmu_sync_roots(struct kvm_vcpu *vcpu); +gpa_t kvm_mmu_gva_to_gpa_read(struct kvm_vcpu *vcpu, gva_t gva, u32 *error); +gpa_t kvm_mmu_gva_to_gpa_fetch(struct kvm_vcpu *vcpu, gva_t gva, u32 *error); +gpa_t kvm_mmu_gva_to_gpa_write(struct kvm_vcpu *vcpu, gva_t gva, u32 *error); +gpa_t kvm_mmu_gva_to_gpa_system(struct kvm_vcpu *vcpu, gva_t gva, u32 *error); int kvm_emulate_hypercall(struct kvm_vcpu *vcpu); diff --git a/arch/x86/kvm/emulate.c
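Review bot: in the kvm_emulate.h hunk the new `u32 *error` out-parameter on `read_std` and on the added `fetch` callback is not described alongside `@addr`, `@val` and `@bytes`; add an `@error: [OUT] ...` line saying what the callee stores there on failure and whether callers may pass NULL, since every implementer of `struct x86_emulate_ops` has to follow the same contract. The same hunk narrows the `read_std` comment from "instruction fetch, stack operations, and others" to "descriptor reading" without saying which callback now serves stack operations; a sentence in the comment or the commit message would spare reviewers reconstructing that from the 131-line x86.c change in the diffstat.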
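Review bot: the kvm_host.h hunk declares `kvm_mmu_gva_to_gpa_read`, `_fetch`, `_write` and `_system` with no comment on which access mask each one passes to the changed `gva_to_gpa` callback, in particular how `_system` differs from `_read`; since the commit message's whole point is to stop walking with the broadest permission, a one-line comment per wrapper (or a named type for the bare `u32 access` argument) would let each emulator call site be audited against the privilege it is meant to carry.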
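To make concrete what the commit message above describes, here is an added toy model in C of the difference between a page walk done "with the broadest permission possible" and one that carries the requester's CPL and operation type. It is an illustration written for this page, not KVM code and not part of the thread: the single-level table, the `toy_gva_to_gpa`, `broad_gpa`, `checked_gpa` and `checked_error` functions and the sample address space are all constructed; only the bit layout of the `PF_*` masks follows the x86 page-fault error code (the same layout KVM's `PFERR_*_MASK` constants use).

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Access-mask / error-code bits, laid out like the x86 #PF error code
 * (the same layout KVM's PFERR_*_MASK constants use). Constructed example. */
#define PF_PRESENT 0x01u   /* set in the error code when the entry existed but denied access */
#define PF_WRITE   0x02u
#define PF_USER    0x04u   /* the requester was running at CPL 3 */
#define PF_FETCH   0x10u   /* the access is an instruction fetch */

/* Single-level page-table entry: enough to model the P, R/W, U/S and NX bits. */
struct pte {
    bool present, writable, user, nx;
    uint64_t pfn;                /* guest physical frame number */
};

struct toy_mmu {
    const struct pte *table;     /* indexed by guest virtual page number */
    size_t npages;
};

/* Derive the access mask from the requester's privilege level and operation. */
static uint32_t access_for(int cpl, bool write, bool fetch)
{
    uint32_t access = 0;
    if (cpl == 3) access |= PF_USER;
    if (write)    access |= PF_WRITE;
    if (fetch)    access |= PF_FETCH;
    return access;
}

/* Toy page walk: translate gva while enforcing every bit in access.
 * On success returns true and fills *gpa; on failure fills *error with an
 * x86-style error code (P bit set for a protection fault, clear if not present). */
static bool toy_gva_to_gpa(const struct toy_mmu *m, uint64_t gva, uint32_t access,
                           uint64_t *gpa, uint32_t *error)
{
    uint64_t vpn = gva >> 12;
    const struct pte *p = vpn < m->npages ? &m->table[vpn] : NULL;

    if (!p || !p->present) {
        *error = access & ~PF_PRESENT;
        return false;
    }
    if (((access & PF_USER)  && !p->user) ||
        ((access & PF_WRITE) && !p->writable) ||
        ((access & PF_FETCH) && p->nx)) {
        *error = access | PF_PRESENT;
        return false;
    }
    *gpa = (p->pfn << 12) | (gva & 0xfffu);
    *error = 0;
    return true;
}

/* Constructed guest address space: page 0 user RW, page 1 supervisor-only RW,
 * page 2 not present, page 3 user read-only and no-execute. */
static const struct pte sample_table[] = {
    { true,  true,  true,  false, 0x10 },
    { true,  true,  false, false, 0x20 },
    { false, false, false, false, 0x00 },
    { true,  false, true,  true,  0x30 },
};
static const struct toy_mmu sample_mmu = { sample_table, 4 };

/* Pre-fix behaviour: walk with no access bits, so only presence is checked
 * no matter who issued the emulated instruction. Returns the gpa or -1. */
static int64_t broad_gpa(uint64_t gva)
{
    uint64_t gpa = 0; uint32_t err;
    return toy_gva_to_gpa(&sample_mmu, gva, 0, &gpa, &err) ? (int64_t)gpa : -1;
}

/* Fixed behaviour: walk with the requester's real access mask. Returns the gpa or -1. */
static int64_t checked_gpa(uint64_t gva, int cpl, bool write, bool fetch)
{
    uint64_t gpa = 0; uint32_t err;
    return toy_gva_to_gpa(&sample_mmu, gva, access_for(cpl, write, fetch), &gpa, &err)
           ? (int64_t)gpa : -1;
}

/* Error code the fixed walk reports, for injection as #PF; meaningful when
 * checked_gpa() returned -1 (a supervisor read of a non-present page is 0 too). */
static uint32_t checked_error(uint64_t gva, int cpl, bool write, bool fetch)
{
    uint64_t gpa = 0; uint32_t err;
    toy_gva_to_gpa(&sample_mmu, gva, access_for(cpl, write, fetch), &gpa, &err);
    return err;
}

int main(void)
{
    /* An emulated CPL 3 instruction reading the supervisor-only page at 0x1000. */
    printf("broad walk:   gpa=%lld\n", (long long)broad_gpa(0x1000));
    printf("checked walk: gpa=%lld error=0x%x\n",
           (long long)checked_gpa(0x1000, 3, false, false),
           checked_error(0x1000, 3, false, false));
    return 0;
}
```

The broad walk hands a user-mode guest instruction the physical address of a supervisor-only page, which is exactly the confused-deputy condition the patch closes; the checked walk refuses it and yields the error code (user + present) that the emulator can inject back into the guest as a page fault instead of completing the access on its behalf.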