From patchwork Fri May 26 23:50:45 2023
X-Patchwork-Submitter: Sean Christopherson
X-Patchwork-Id: 9929
Date: Fri, 26 May 2023 16:50:45 -0700
From: Sean Christopherson
Reply-To: Sean Christopherson
To: Sean Christopherson, Paolo Bonzini
Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Michal Luczaj
Subject: [PATCH v2 0/3] KVM: x86: Out-of-bounds access in kvm_recalculate_phys_map()
Message-ID: <20230526235048.2842761-1-seanjc@google.com>
X-Mailer: git-send-email 2.41.0.rc0.172.g3f132b7071-goog
X-Mailing-List: linux-kernel@vger.kernel.org
v2 of Michal's fix for a TOCTOU bug in kvm_recalculate_phys_map(). Not fully
tested (will do that next week), though I did confirm the reworked selftest can
hit the bug. Posting a bit prematurely as I have a long weekend and I don't want
Michal to do any duplicate work.

In Michal's words...

kvm_recalculate_apic_map() creates the APIC map iterating over the list of
vCPUs twice. First to find the max APIC ID and allocate a max-sized buffer,
then again, calling kvm_recalculate_phys_map() for each vCPU. This opens a
race window: value of max APIC ID can increase _after_ the buffer was
allocated.

Michal Luczaj (1):
  KVM: selftests: Add test for race in kvm_recalculate_apic_map()

Sean Christopherson (2):
  KVM: x86: Bail from kvm_recalculate_phys_map() if x2APIC ID is out-of-bounds
  KVM: x86: Retry APIC optimized map recalc if vCPU is added/enabled

 arch/x86/kvm/lapic.c                          | 49 ++++++++++--
 tools/testing/selftests/kvm/Makefile          |  1 +
 .../kvm/x86_64/recalc_apic_map_race.c         | 76 +++++++++++++++++++
 3 files changed, 120 insertions(+), 6 deletions(-)
 create mode 100644 tools/testing/selftests/kvm/x86_64/recalc_apic_map_race.c

base-commit: 39428f6ea9eace95011681628717062ff7f5eb5f
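The cover letter describes a classic size-then-fill TOCTOU: pass one derives a buffer size from the current maximum APIC ID, and pass two indexes that buffer with IDs read afresh, so an ID that appeared in between lands past the end. The following is an added, self-contained model of that pattern and of the two mitigations the series titles name (bail when an ID exceeds the bound the buffer was sized for, and retry the whole recalculation when the vCPU list changed). It is not KVM code and not the patches' implementation: `struct vm`, `struct phys_map`, `build_once()`, `recalc_phys_map()`, the `between_passes` hook and the generation counter are all constructed for the demo, and the generation counter stands in for whatever bookkeeping the real series uses to notice a vCPU being added or enabled.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define MAX_VCPUS   16
#define MAX_RETRIES 8

/* Hypothetical stand-in for the VM (not KVM's struct kvm): a flat list of
 * vCPU APIC IDs plus a generation counter bumped whenever a vCPU is added. */
struct vm {
	uint32_t apic_id[MAX_VCPUS];
	int nr_vcpus;
	unsigned long gen;
	/* Constructed test hook: fires once, between the two passes, so the
	 * list grows exactly in the window the cover letter describes. */
	void (*between_passes)(struct vm *vm);
	int hook_fired;
};

/* Hypothetical map: index = APIC ID, value = vCPU index, -1 if unused. */
struct phys_map {
	uint32_t max_apic_id;
	int *by_id;
};

static int vm_add_vcpu(struct vm *vm, uint32_t apic_id)
{
	if (vm->nr_vcpus >= MAX_VCPUS)
		return -1;
	vm->apic_id[vm->nr_vcpus++] = apic_id;
	vm->gen++;
	return 0;
}

static void phys_map_free(struct phys_map *map)
{
	free(map->by_id);
	map->by_id = NULL;
}

/* One attempt at the two-pass build.  Returns 0 on success, 1 when the map
 * must be rebuilt (an ID exceeded the pass-one bound, or the vCPU list
 * changed after the bound was taken), -1 on allocation failure. */
static int build_once(struct vm *vm, struct phys_map *map)
{
	unsigned long gen = vm->gen;
	uint32_t max_id = 0, j;
	int i;

	/* Pass 1: find the largest APIC ID and size the buffer from it. */
	for (i = 0; i < vm->nr_vcpus; i++)
		if (vm->apic_id[i] > max_id)
			max_id = vm->apic_id[i];
	map->max_apic_id = max_id;
	map->by_id = malloc(((size_t)max_id + 1) * sizeof(int));
	if (!map->by_id)
		return -1;
	for (j = 0; j <= max_id; j++)
		map->by_id[j] = -1;

	/* The race window: another thread may add a vCPU right here. */
	if (vm->between_passes && !vm->hook_fired) {
		vm->hook_fired = 1;
		vm->between_passes(vm);
	}

	/* Pass 2: fill the map, re-checking each ID against the pass-one
	 * bound instead of trusting it (the "bail if out-of-bounds" patch). */
	for (i = 0; i < vm->nr_vcpus; i++) {
		uint32_t id = vm->apic_id[i];
		if (id > max_id) {
			phys_map_free(map);
			return 1;
		}
		map->by_id[id] = i;
	}

	/* Even when every ID fit, a vCPU added meanwhile is missing from the
	 * map; a changed generation means "stale, rebuild" (the "retry if a
	 * vCPU is added" patch, modelled with a constructed counter). */
	if (vm->gen != gen) {
		phys_map_free(map);
		return 1;
	}
	return 0;
}

/* Retry loop around build_once(); returns the number of retries needed, or
 * -1 if the map could not be built within MAX_RETRIES attempts. */
static int recalc_phys_map(struct vm *vm, struct phys_map *map)
{
	int attempt, rc;
	for (attempt = 0; attempt < MAX_RETRIES; attempt++) {
		rc = build_once(vm, map);
		if (rc == 0)
			return attempt;
		if (rc < 0)
			return -1;
	}
	return -1;
}

/* Constructed scenario: hot-add a vCPU whose ID exceeds the pass-one maximum. */
static void hotplug_big_id(struct vm *vm)
{
	vm_add_vcpu(vm, 200);
}

struct result { int retries; uint32_t max_apic_id; int nr_vcpus; };

/* Build a 3-vCPU VM (APIC IDs 0, 1, 5), optionally racing the hot-add into
 * the window, and report retries taken plus the final map bound and count. */
static struct result run_scenario(int inject_race)
{
	struct vm vm = { .between_passes = inject_race ? hotplug_big_id : NULL };
	struct phys_map map = { 0 };
	struct result r;

	vm_add_vcpu(&vm, 0);
	vm_add_vcpu(&vm, 1);
	vm_add_vcpu(&vm, 5);
	r.retries = recalc_phys_map(&vm, &map);
	r.max_apic_id = map.max_apic_id;
	r.nr_vcpus = vm.nr_vcpus;
	phys_map_free(&map);
	return r;
}

int main(void)
{
	struct result r = run_scenario(1);
	printf("raced:   retries=%d max_apic_id=%u vcpus=%d\n", r.retries, r.max_apic_id, r.nr_vcpus);
	r = run_scenario(0);
	printf("no race: retries=%d max_apic_id=%u vcpus=%d\n", r.retries, r.max_apic_id, r.nr_vcpus);
	return 0;
}
```

In the raced run, pass one sizes `by_id` for IDs 0..5 and the hook then adds ID 200; without the `id > max_id` check pass two would write `by_id[200]` into a six-entry allocation, which is exactly the out-of-bounds access the subject line names. With the check the first attempt is discarded, the second attempt sizes the buffer for 0..200, and the generation check catches the remaining case where a late-added vCPU fits within the bound but was never placed in the map.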