204401 – After a VMexit, the guest is re-entring with a wrong vcpu PC address which is causing the guest to crash.

Bug 204401 - After a VMexit, the guest is re-entring with a wrong vcpu PC address which is causing the guest to crash.

Summary: After a VMexit, the guest is re-entring with a wrong vcpu PC address which is...

Status:	NEW

Alias:	None

Product:	Virtualization
Classification:	Unclassified
Component:	kvm (show other bugs)
Hardware:	ARM Linux

Importance:	P1 normal
Assignee:	virtualization_kvm

URL:
Keywords:

Depends on:
Blocks:

Reported:	2019-08-01 12:04 UTC by Denis Roux
Modified:	2019-08-01 12:04 UTC (History)
CC List:	0 users

See Also:
Kernel Version:	4.19.26
Subsystem:
Regression:	No
Bisected commit-id:

Attachments
Fix applied to linux (686 bytes, application/mbox) 2019-08-01 12:04 UTC, Denis Roux	Details
Add an attachment (proposed patch, testcase, etc.)

Description Denis Roux 2019-08-01 12:04:38 UTC

Created attachment 284069 [details]
Fix applied to linux

guest crash:

ESF PC                 : 0x7004b528 ( (0x7004b4a4) + 0x84)
Exception Vec          : 1 (Undefined Instruction)
CPSR                   : 0x20000093
PE Mode             : Supervisor
Instruction         : A32
FIQ                 : Not Masked
IRQ                 : Masked
Async data abort    : Not Masked
Endianness          : little-endian
GE flag             : 0x0
Status flags        : nzCvq
SCTLR                  : 0x20C5183D
MMU                : Enabled
Alignment Check    : Disabled
Cache              : Enabled
CP15 barrier op    : Enabled
IT instr           : Enabled
SETEND instr       : Enabled
Instr cache        : Enabled
Vector address     : In VBAR
PL0 WFI            : Enabled
PL0 WFE            : Enabled
Exec at writable   : Allowed
Exec at unprivileged write: Allowed
Exec endianness    : Little-endian
TEX Remap          : Disabled
Access flag        : Enabled
Exception exc state: A32
TTBR0                  : 0x0000000072C56000
TTBR1                  : 0x0000000000000000
TCB PC                 : 0x7004b528 ( (0x7004b4a4) + 0x84)
TCB LR                 : 0x703f482c ( (0x703f26b4) + 0x2178)
TCB Registers          : r0 = 00000080 r1 = 00000086 r2 = 00000100 r3 = 89DA3500
                       : r4 = 70C085A0 r5 = 703F473C r6 = 001E83D7 r7 = 00000000
                       : r8 = 0F13B46A r9 = 00000000 r10= 703B8484 fp = 7260FCC4
                       : ip = 12200000 sp = 7260FCA0 lr = 703F482C pc = 7004B528


Guest assembly being execute leading to the crash:

0x7004b508 <+0x0064>: bc 00 c3 e1                       strh    r0, [r3, #12]                                         /* will cause a MMIO VMexit */
0x7004b50c <+0x0068>: 04 30 94 e5                       ldr    r3, [r4, #4]
0x7004b510 <+0x006c>: bc 10 c3 e1                       strh    r1, [r3, #12]                                         /* will cause a MMIO VMexit */
0x7004b514 <+0x0070>: 04 30 94 e5                       ldr    r3, [r4, #4]
0x7004b518 <+0x0074>: bc 20 c3 e1                       strh    r2, [r3, #12]                                         /* will cause a MMIO VMexit */
0x7004b51c <+0x0078>: f0 ab 9d e8                       ldm    sp, {r4, r5, r6, r7, r8, r9, r11, sp, pc}   /* function return */
0x7004b520 <+0x007c>: 88 c7 03 70                       andvc    r12, r3, r8, lsl #15                             /* Compiler generated data */
0x7004b524 <+0x0080>: 90 c8 03 70                       mulvc    r3, r0, r8                                            /* Compiler generated data */
0x7004b528 <+0x0084>: 3c 47 3f 70                       eorsvc    r4, pc, r12, lsr r7    ; <UNPREDICTABLE> /* Compiler generated data */


Observed scenario on KVM:

    VM exit occured at vcpu PC 0x7004b518 (exit reason KVM_EXIT_MMIO)
    kvm_arch_vcpu_ioctl_run re-entered
    kvm_handle_mmio_return is executed to emulate the instruction at vcpu PC 0x7004b518. This is done successfully and vcpu PC is updated to 0x7004b51c.
    run->immediate_exit is checked and found to be set. It returns.
    kvm_arch_vcpu_ioctl_run re-entered
    kvm_handle_mmio_return is executed to emulate the instruction at vcpu PC 0x7004b518. This is done successfully and vcpu PC is updated to 0x7004b520.
    run->immediate_exit is checked but is not set.
    VM enter occurs with a corrupted vcpu PC which leads to the crash.

System information:
cpu model: ARMv7 Processor rev 4 (v7l)
Linux: 4.19.26
host kernel arch: arm
guest arch: arm
qemu cmd:qemu-system-arm -nographic -M virt -enable-kvm- cpu host ...

I have attached the patch that I have used to fix this issue.

Note You need to log in before you can comment on or make changes to this bug.