Re: [PATCH v2] KVM: nVMX: Fix preemption timer kernel NULL pointer dereference

From: Wanpeng Li
Date: Wed Jul 06 2016 - 07:55:24 EST


2016-07-06 19:38 GMT+08:00 Wanpeng Li <kernellwp@xxxxxxxxx>:
> 2016-07-06 19:02 GMT+08:00 Paolo Bonzini <pbonzini@xxxxxxxxxx>:
>>
>>
>> On 06/07/2016 12:29, Wanpeng Li wrote:
>>> BUG: unable to handle kernel NULL pointer dereference at (null)
>>> IP: [< (null)>] (null)
>>> PGD 0
>>> Oops: 0010 [#1] SMP
>>> Call Trace:
>>> ? kvm_lapic_expired_hv_timer+0x47/0x90 [kvm]
>>> handle_preemption_timer+0xe/0x20 [kvm_intel]
>>> vmx_handle_exit+0x169/0x15a0 [kvm_intel]
>>> ? kvm_arch_vcpu_ioctl_run+0xd5d/0x19d0 [kvm]
>>> kvm_arch_vcpu_ioctl_run+0xdee/0x19d0 [kvm]
>>> ? kvm_arch_vcpu_ioctl_run+0xd5d/0x19d0 [kvm]
>>> ? vcpu_load+0x1c/0x60 [kvm]
>>> ? kvm_arch_vcpu_load+0x57/0x260 [kvm]
>>> kvm_vcpu_ioctl+0x2d3/0x7c0 [kvm]
>>> do_vfs_ioctl+0x96/0x6a0
>>> ? __fget_light+0x2a/0x90
>>> SyS_ioctl+0x79/0x90
>>> do_syscall_64+0x68/0x180
>>> entry_SYSCALL64_slow_path+0x25/0x25
>>> Code: Bad RIP value.
>>> RIP [< (null)>] (null)
>>> RSP <ffff8800b5263c48>
>>> CR2: 0000000000000000
>>> ---[ end trace 9c70c48b1a2bc66e ]---
>>
>> This is happening in L2, while the patch is for L1, right? So the commit
>> title should be "KVM: nVMX: fix incorrect preemption timer vmexit in nested guest".
>
> Thanks. I will send out another version. :)
>
>>
>> The patch looks correct, but I'm not sure how you get a preemption
>> timer vmexit while vmcs02 is active:
>>
>> exec_control = vmcs12->pin_based_vm_exec_control;
>> exec_control |= vmcs_config.pin_based_exec_ctrl;
>> exec_control &= ~PIN_BASED_VMX_PREEMPTION_TIMER;
>>
>> In other words, don't you need something like
>
> After applying your patch, L0 calltrace.

With my patch + your patch: L0 calltrace.
Without my patch, with your patch: L1, the same calltrace.

Regards,
Wanpeng Li
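The snippet Paolo quotes is the vmcs02 construction of the pin-based controls: L1's requested bits from vmcs12 are OR'd with the bits L0 always requires, and the preemption-timer bit is then cleared, so under that logic a hardware preemption-timer exit should never be observed while vmcs02 is active. The following C program is an added illustration of that merge and of the resulting "who owns this exit" decision; it is not KVM code and not part of the thread. The bit values and exit reason number are the architectural ones from the Intel SDM; `L0_PIN_BASED_EXEC_CTRL`, `vmcs02_pin_controls()`, `classify_preemption_timer_exit()` and `preemption_timer_never_in_vmcs02()` are stand-ins chosen for the example (vmcs_config.pin_based_exec_ctrl in the real code is probed from the hardware MSRs, not a constant).

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Pin-based VM-execution control bits (Intel SDM Vol. 3, pin-based controls). */
#define PIN_BASED_EXT_INTR_MASK        0x00000001u /* bit 0 */
#define PIN_BASED_NMI_EXITING          0x00000008u /* bit 3 */
#define PIN_BASED_VIRTUAL_NMIS         0x00000020u /* bit 5 */
#define PIN_BASED_VMX_PREEMPTION_TIMER 0x00000040u /* bit 6 */
#define PIN_BASED_POSTED_INTR          0x00000080u /* bit 7 */

/* Basic exit reason for "VMX-preemption timer expired" (SDM Appendix C). */
#define EXIT_REASON_PREEMPTION_TIMER   52u

/* Hypothetical stand-in for vmcs_config.pin_based_exec_ctrl: bits L0 always
 * wants in any VMCS it runs. A real hypervisor reads these from the VMX MSRs. */
#define L0_PIN_BASED_EXEC_CTRL \
    (PIN_BASED_EXT_INTR_MASK | PIN_BASED_NMI_EXITING | PIN_BASED_VIRTUAL_NMIS)

/* Model of the three quoted lines from prepare_vmcs02: start from L1's
 * vmcs12 request, OR in L0's mandatory bits, then mask the preemption timer.
 * L1's own preemption-timer request is therefore never programmed into
 * vmcs02; L0 has to provide L1's timer by other means. */
uint32_t vmcs02_pin_controls(uint32_t vmcs12_pin, uint32_t l0_pin)
{
    uint32_t exec_control = vmcs12_pin;
    exec_control |= l0_pin;
    exec_control &= ~PIN_BASED_VMX_PREEMPTION_TIMER;
    return exec_control;
}

/* Exhaustive check over every possible vmcs12 setting of the low byte (the
 * only defined pin-based bits): the merged value must never carry bit 6. */
bool preemption_timer_never_in_vmcs02(uint32_t l0_pin)
{
    for (uint32_t vmcs12_pin = 0; vmcs12_pin <= 0xFFu; vmcs12_pin++) {
        if (vmcs02_pin_controls(vmcs12_pin, l0_pin) & PIN_BASED_VMX_PREEMPTION_TIMER)
            return false;
    }
    return true;
}

enum pt_exit_owner {
    PT_EXIT_NOT_TIMER,      /* some other exit reason */
    PT_EXIT_L0,             /* vmcs01 active: the timer belongs to L1's vcpu, L0 handles it */
    PT_EXIT_REFLECT_TO_L1,  /* vmcs02 active and the timer was enabled for L2: nested vmexit */
    PT_EXIT_UNEXPECTED      /* vmcs02 active but the bit is masked: should be impossible */
};

/* Decide who should consume a preemption-timer exit, given which VMCS was
 * live and what its pin-based controls actually contained. */
enum pt_exit_owner classify_preemption_timer_exit(uint32_t exit_reason,
                                                  bool vmcs02_active,
                                                  uint32_t active_pin_controls)
{
    if (exit_reason != EXIT_REASON_PREEMPTION_TIMER)
        return PT_EXIT_NOT_TIMER;
    if (!vmcs02_active)
        return PT_EXIT_L0;
    if (active_pin_controls & PIN_BASED_VMX_PREEMPTION_TIMER)
        return PT_EXIT_REFLECT_TO_L1;
    return PT_EXIT_UNEXPECTED;
}

int main(void)
{
    /* Constructed input: L1 asks for the preemption timer plus NMI exiting. */
    uint32_t vmcs12_pin = PIN_BASED_VMX_PREEMPTION_TIMER | PIN_BASED_NMI_EXITING;
    uint32_t vmcs02_pin = vmcs02_pin_controls(vmcs12_pin, L0_PIN_BASED_EXEC_CTRL);

    printf("vmcs12 pin=0x%02x  vmcs02 pin=0x%02x  timer bit in vmcs02: %s\n",
           vmcs12_pin, vmcs02_pin,
           (vmcs02_pin & PIN_BASED_VMX_PREEMPTION_TIMER) ? "yes" : "no");
    printf("timer bit never reaches vmcs02 for any vmcs12 value: %s\n",
           preemption_timer_never_in_vmcs02(L0_PIN_BASED_EXEC_CTRL) ? "yes" : "no");
    printf("preemption-timer exit while vmcs02 active classified as: %d (3 = unexpected)\n",
           classify_preemption_timer_exit(EXIT_REASON_PREEMPTION_TIMER, true, vmcs02_pin));
    return 0;
}
```

The classifier makes Paolo's question concrete: with the quoted masking in place, a preemption-timer exit taken from vmcs02 lands in the "unexpected" branch, so an exit handler that assumes the timer state it sees belongs to the currently running vCPU is operating on a case the control merge says cannot arise.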