From patchwork Fri May 26 23:50:46 2023
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Sean Christopherson <seanjc@google.com>
X-Patchwork-Id: 99724
Return-Path: <linux-kernel-owner@vger.kernel.org>
Delivered-To: ouuuleilei@gmail.com
Received: by 2002:a59:994d:0:b0:3d9:f83d:47d9 with SMTP id k13csp31934vqr;
        Fri, 26 May 2023 17:01:19 -0700 (PDT)
X-Google-Smtp-Source: 
 ACHHUZ6FaC5oWlqVl+kGp/ofhf10mJrDk74vXj6MTBE8C7dZ0lRonKfVwCvjEcIVCMOMHlRx31wc
X-Received: by 2002:a05:6a00:15cc:b0:64f:3fc8:5d19 with SMTP id
 o12-20020a056a0015cc00b0064f3fc85d19mr5817129pfu.32.1685145678823;
        Fri, 26 May 2023 17:01:18 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1685145678; cv=none;
        d=google.com; s=arc-20160816;
        b=VawIUuhKKj5fST6Amdn/UC2IaM9tV/Gp8RkfffT9b6gaEkTTKrTyzjO8pgIv4hFmsM
         zRiezGoMY6xhOmRmkTYPuGn+1DUZvAZJMx66iTnOid5nCKJ4Fjru5RzrMtvDXqfGZAlZ
         R9hUINqBfCCWy3ikHEG8vVSl2YZ8tCENZrWIRujG9e5BqqWWrEqLteVGKKgqhyCFooYX
         qjvds9Hin+llgvu1ywQIpUAuD5i739smWMtgJIi7OwPXCcRQoLJdIfDVDB4V83cPqGcD
         F5N5L/FxCIT9oyXnDpXMBTso/V8p+wwSKaRIyPpY+KkeiH36YB5zSe5WJzxZVmP0pb7B
         TM8g==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
 s=arc-20160816;
        h=list-id:precedence:cc:to:from:subject:message-id:references
         :mime-version:in-reply-to:date:reply-to:dkim-signature;
        bh=JJTnaK90tbCk38mc8/WTI5ISgxszxEnEDXTsDq7XHRg=;
        b=ZoGYBkcpCEIm99uD5LK60QxafKU0wWCVYQhoq6Qv4sDtyr7J3kmKwiqIG7Gbz8oHPE
         wVd2Rehgh0tiw+jIs53WqsvIlT7z+RIes+gji+yvt7gdw+hXnGz5RS2VP2Of/HXqs2OG
         0UB0YMQ9ecbkW9lDbV6l4ZfB5HsHFUb/hxLaQKyKdiDzfRIqe3YB0d1x0qqjFiN2M/LV
         N2jcscqYxl+JToa0FEBLov0jyWT7Sw5UCQi6hjAq9ILYKvN47ZhcZbN96lPYvCylute0
         7tonFtkNlRVmcTX5dzKoINmvbygBFJVO2XT3F54WwBGROTarUrfQhBAYNno8Lp93CmUe
         BVbw==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@google.com header.s=20221208 header.b=JMhrg9Uv;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
 designates 2620:137:e000::1:20 as permitted sender)
 smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
        by mx.google.com with ESMTP id
 h28-20020aa79f5c000000b0064378422f5fsi4911948pfr.169.2023.05.26.17.00.39;
        Fri, 26 May 2023 17:01:18 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org
 designates 2620:137:e000::1:20 as permitted sender)
 client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@google.com header.s=20221208 header.b=JMhrg9Uv;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
 designates 2620:137:e000::1:20 as permitted sender)
 smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S237152AbjEZXu6 (ORCPT <rfc822;zhanglyra.2023@gmail.com>
        + 99 others); Fri, 26 May 2023 19:50:58 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:35430 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S237305AbjEZXuy (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Fri, 26 May 2023 19:50:54 -0400
Received: from mail-pf1-x449.google.com (mail-pf1-x449.google.com
 [IPv6:2607:f8b0:4864:20::449])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 33A0D83
        for <linux-kernel@vger.kernel.org>;
 Fri, 26 May 2023 16:50:53 -0700 (PDT)
Received: by mail-pf1-x449.google.com with SMTP id
 d2e1a72fcca58-64d443a1e2dso990770b3a.1
        for <linux-kernel@vger.kernel.org>;
 Fri, 26 May 2023 16:50:53 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=google.com; s=20221208; t=1685145052; x=1687737052;
        h=cc:to:from:subject:message-id:references:mime-version:in-reply-to
         :date:reply-to:from:to:cc:subject:date:message-id:reply-to;
        bh=JJTnaK90tbCk38mc8/WTI5ISgxszxEnEDXTsDq7XHRg=;
        b=JMhrg9UvfHZSjJmgVRTI7PqyZvt0iLnmuwMIf8oadVR6b/BLDy/9Jc40kUBVPzy1mh
         qBFSyRD3hhSBSJOraJ9XBqJICFBICIE262E5FcyLJsr8ReNzFIDYw00c/BVPE+rfKE1v
         774GfbQnmHQ9C9qL5sRQbJ0nLiJv5+cK/zxpPwHvzUEraxplb0i8F8RIEh57YPtwehB2
         1w+9j576NlriI2nxiL0Y470ZzbTGwGjny8nBW1Z4W66rYiJkT/+OzNIRltyappMmYNSA
         YbJ/k9prNHu9x/J7hI5Bshvd/ntsVuzGcQmoROyP4Rtl1XiaBP4zjPuxTXgCbQHjfo5Q
         0QZg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20221208; t=1685145052; x=1687737052;
        h=cc:to:from:subject:message-id:references:mime-version:in-reply-to
         :date:reply-to:x-gm-message-state:from:to:cc:subject:date:message-id
         :reply-to;
        bh=JJTnaK90tbCk38mc8/WTI5ISgxszxEnEDXTsDq7XHRg=;
        b=YPYvV4a3JUxn30l49Y0TwdwGMKGMt/+sJWc9D0LizGHWJQSQajR7mFkHkxG6pO1jGT
         XTZ6QLfFrjKh885ODoVi5Dx7dyq2iYk8SDM58FPB/fa9RfIINAo+/rkHJ/CfnV4+vunA
         DHWljQbh3PQtZ9u/iSl8iHk0NQTA25lIhbV3Pt43PaG2uUjfGBmVNJJwv4A7T/GNfhnf
         b+L87i2cz/vh2bxL8t0RMwpCIlpaxiu6zbJ1JlAo9V32lMbzR0EI9OSMADwYMD24P0Ff
         ozE6OTebGIfPAWxBA7rM3ZCb9dBCEfOJAMYEIcd0yijjTvx92+fLFTwfYPjXGNRAW2km
         j9nw==
X-Gm-Message-State: AC+VfDxYqK7HXYdpuX3UVqdYLUNoenV3y6BzWmSFXxZu53zTx3Y/jsnW
        lPA/YV4/2Ds6JrwIS5CY/wGp014bGRE=
X-Received: from zagreus.c.googlers.com
 ([fda3:e722:ac3:cc00:7f:e700:c0a8:5c37])
 (user=seanjc job=sendgmr) by 2002:a05:6a00:14c6:b0:64d:602a:2483 with SMTP id
 w6-20020a056a0014c600b0064d602a2483mr171024pfu.2.1685145052623; Fri, 26 May
 2023 16:50:52 -0700 (PDT)
Reply-To: Sean Christopherson <seanjc@google.com>
Date: Fri, 26 May 2023 16:50:46 -0700
In-Reply-To: <20230526235048.2842761-1-seanjc@google.com>
Mime-Version: 1.0
References: <20230526235048.2842761-1-seanjc@google.com>
X-Mailer: git-send-email 2.41.0.rc0.172.g3f132b7071-goog
Message-ID: <20230526235048.2842761-2-seanjc@google.com>
Subject: [PATCH v2 1/3] KVM: x86: Bail from kvm_recalculate_phys_map() if
 x2APIC ID is out-of-bounds
From: Sean Christopherson <seanjc@google.com>
To: Sean Christopherson <seanjc@google.com>,
        Paolo Bonzini <pbonzini@redhat.com>
Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org,
        Michal Luczaj <mhal@rbox.co>
X-Spam-Status: No, score=-9.6 required=5.0 tests=BAYES_00,DKIMWL_WL_MED,
        DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_NONE,
        SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE,USER_IN_DEF_DKIM_WL
        autolearn=ham autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
X-getmail-retrieved-from-mailbox: =?utf-8?q?INBOX?=
X-GMAIL-THRID: =?utf-8?q?1767003315172393360?=
X-GMAIL-MSGID: =?utf-8?q?1767003315172393360?=

Bail from kvm_recalculate_phys_map() and disable the optimized map if the
target vCPU's x2APIC ID is out-of-bounds, i.e. if the vCPU was added
and/or enabled its local APIC after the map was allocated.  This fixes an
out-of-bounds access bug in the !x2apic_format path where KVM would write
beyond the end of phys_map.

Check the x2APIC ID regardless of whether or not x2APIC is enabled,
as KVM's hardcodes x2APIC ID to be the vCPU ID, i.e. it can't change, and
the map allocation in kvm_recalculate_apic_map() doesn't check for x2APIC
being enabled, i.e. the check won't get false postivies.

Note, this also affects the x2apic_format path, which previously just
ignored the "x2apic_id > new->max_apic_id" case.  That too is arguably a
bug fix, as ignoring the vCPU meant that KVM would not send interrupts to
the vCPU until the next map recalculation.  In practice, that "bug" is
likely benign as a newly present vCPU/APIC would immediately trigger a
recalc.  But, there's no functional downside to disabling the map, and
a future patch will gracefully handle the -E2BIG case by retrying instead
of simply disabling the optimized map.

Opportunistically add a sanity check on the xAPIC ID size, along with a
comment explaining why the xAPIC ID is guaranteed to be "good".

Reported-by: Michal Luczaj <mhal@rbox.co>
Signed-off-by: Sean Christopherson <seanjc@google.com>
---
 arch/x86/kvm/lapic.c | 20 ++++++++++++++++++--
 1 file changed, 18 insertions(+), 2 deletions(-)

diff --git a/arch/x86/kvm/lapic.c b/arch/x86/kvm/lapic.c
index e542cf285b51..3c300a196bdf 100644
--- a/arch/x86/kvm/lapic.c
+++ b/arch/x86/kvm/lapic.c
@@ -228,6 +228,23 @@ static int kvm_recalculate_phys_map(struct kvm_apic_map *new,
 	u32 xapic_id = kvm_xapic_id(apic);
 	u32 physical_id;
 
+	/*
+	 * For simplicity, KVM always allocates enough space for all possible
+	 * xAPIC IDs.  Yell, but don't kill the VM, as KVM can continue on
+	 * without the optimized map.
+	 */
+	if (WARN_ON_ONCE(xapic_id > new->max_apic_id))
+		return -EINVAL;
+
+	/*
+	 * Bail if a vCPU was added and/or enabled its APIC between allocating
+	 * the map and doing the actual calculations for the map.  Note, KVM
+	 * hardcodes the x2APIC ID to vcpu_id, i.e. there's no TOCTOU bug if
+	 * the compiler decides to reload x2apic_id after this check.
+	 */
+	if (x2apic_id > new->max_apic_id)
+		return -E2BIG;
+
 	/*
 	 * Deliberately truncate the vCPU ID when detecting a mismatched APIC
 	 * ID to avoid false positives if the vCPU ID, i.e. x2APIC ID, is a
@@ -253,8 +270,7 @@ static int kvm_recalculate_phys_map(struct kvm_apic_map *new,
 	 */
 	if (vcpu->kvm->arch.x2apic_format) {
 		/* See also kvm_apic_match_physical_addr(). */
-		if ((apic_x2apic_mode(apic) || x2apic_id > 0xff) &&
-			x2apic_id <= new->max_apic_id)
+		if (apic_x2apic_mode(apic) || x2apic_id > 0xff)
 			new->phys_map[x2apic_id] = apic;
 
 		if (!apic_x2apic_mode(apic) && !new->phys_map[xapic_id])

From patchwork Fri May 26 23:50:47 2023
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Sean Christopherson <seanjc@google.com>
X-Patchwork-Id: 99725
Return-Path: <linux-kernel-owner@vger.kernel.org>
Delivered-To: ouuuleilei@gmail.com
Received: by 2002:a59:994d:0:b0:3d9:f83d:47d9 with SMTP id k13csp33623vqr;
        Fri, 26 May 2023 17:04:10 -0700 (PDT)
X-Google-Smtp-Source: 
 ACHHUZ65QctjFGVL94DdLjGRnkhc32Icpv1MO+M5isfkqc23Mdc39VD5oVOq+rDqOyijffQ10/Wy
X-Received: by 2002:a05:6a20:8f08:b0:100:809b:d6b6 with SMTP id
 b8-20020a056a208f0800b00100809bd6b6mr1552018pzk.26.1685145850520;
        Fri, 26 May 2023 17:04:10 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1685145850; cv=none;
        d=google.com; s=arc-20160816;
        b=KLvnyNHPBqH5anacdZyc4XiEbtH6MksihWI4gmSufQqeWiDBOLJ2G/iHo31ndutSlf
         M6SWuo6h+vVNCcjwx54v7OgANaOSeM6WTSWDrQ+LmX7e2NJ29vlpuexqYpvvNAojlXpi
         2V8jdCcFN4RJRBjYUqRGEzAh34TFNbVBWvQXhODQWyP+sVvf53kyuS1Kv5JVh8bOUIxp
         PNWZh6SHHxjVsbPs74D6Qd0IZN+VJ5jXPwhNcPhauHktNwlEqF/dVisrbcFw6CgQYgWt
         KJ0NwQzGmGcYGXpyyepunCljxYN4MY6eOMluxNJxpiAkm7jrfv64BLKOMSG60kklrHLa
         JyVQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
 s=arc-20160816;
        h=list-id:precedence:cc:to:from:subject:message-id:references
         :mime-version:in-reply-to:date:reply-to:dkim-signature;
        bh=LQ1i2DguubB/+TBn/4idJEX6+htUYXJLnvWqgTtQ+sE=;
        b=jxiCkRHAfUBeQgKCkDcmdRkP2AZeol5yPPIRn74IkFVqa+WYbmJlYrj2LE6z7hE+ji
         mwHtv+fWdyi7y3x1eCkvFomlc7AfJTeAB8wRevmXPIQQgdjISvWxBAB/IxmqZIZO2uDd
         +Vl6U5x/mbAe5BRUE6nzVH96fCVAyroAE9o9qo12diR/z6DkXK8+WF+Vj6yZYf87eNHC
         CVLQrjeiJ4eCufevq8mWk/Nl49iXEAuBs9xVbk7roraj9FsqC2u9Qp2T13zX51BLl9Lw
         VQVxTYCzo52ulLYsmlgnhlkD7g/2LQyqq37bZjeaN0tDRg9JjK1O5vy6CkhIxCczs1Rx
         Ri6Q==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@google.com header.s=20221208 header.b=oHPPJs2T;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
 designates 2620:137:e000::1:20 as permitted sender)
 smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
        by mx.google.com with ESMTP id
 y13-20020a17090aca8d00b002533873625dsi6261314pjt.24.2023.05.26.17.03.54;
        Fri, 26 May 2023 17:04:10 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org
 designates 2620:137:e000::1:20 as permitted sender)
 client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@google.com header.s=20221208 header.b=oHPPJs2T;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
 designates 2620:137:e000::1:20 as permitted sender)
 smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S242576AbjEZXvF (ORCPT <rfc822;zhanglyra.2023@gmail.com>
        + 99 others); Fri, 26 May 2023 19:51:05 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:35478 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S237211AbjEZXu7 (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Fri, 26 May 2023 19:50:59 -0400
Received: from mail-pg1-x549.google.com (mail-pg1-x549.google.com
 [IPv6:2607:f8b0:4864:20::549])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 51D679E
        for <linux-kernel@vger.kernel.org>;
 Fri, 26 May 2023 16:50:55 -0700 (PDT)
Received: by mail-pg1-x549.google.com with SMTP id
 41be03b00d2f7-521262a6680so1328766a12.1
        for <linux-kernel@vger.kernel.org>;
 Fri, 26 May 2023 16:50:55 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=google.com; s=20221208; t=1685145055; x=1687737055;
        h=cc:to:from:subject:message-id:references:mime-version:in-reply-to
         :date:reply-to:from:to:cc:subject:date:message-id:reply-to;
        bh=LQ1i2DguubB/+TBn/4idJEX6+htUYXJLnvWqgTtQ+sE=;
        b=oHPPJs2TrWWxfVTfh0L6PYe6vc/Ms3IcW3ZenHdvhI3xb0N3mUWHwvhAXg2lKBbnSA
         mGVb1+PpZ7crIlrD6Gi52A7680Hg0E9PY+orIMxLbSDHx8zW9k3j5kx0LAdcsNRTx2Mu
         1cFTeCdL1HR9ofonVDVrdvKpRD+5jjtuyDlZ6S2hswUNAhTQhKIAFoYB6cLZpxt5t9lm
         NRaANo4FDjvt0UczMWprEBMSVeDVmXFbuzF6wASwyQRf6tl3a/7Y9HhhzhVknO2Pzw7y
         WNXNjV6Ae/vC7RVVO7IjPopqgPsw7T7vxeBf7XRY9VDCzXYVTXEWrxs//V2fYQ64wfrK
         z5JQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20221208; t=1685145055; x=1687737055;
        h=cc:to:from:subject:message-id:references:mime-version:in-reply-to
         :date:reply-to:x-gm-message-state:from:to:cc:subject:date:message-id
         :reply-to;
        bh=LQ1i2DguubB/+TBn/4idJEX6+htUYXJLnvWqgTtQ+sE=;
        b=M6DbV6PFi0QzBzKp/GlMHIBOwe3lCztaRqBpsNJiTd4uvg3PsZY1xYjIDr5uQ2ANvx
         Gk/CZVr9YhQ2ChAMl4Y7LnoOe1h3Vm6Ot8ynGDIPo8D/Kfueoyi2UCT4bwhCLwGyznG9
         JfNycopUymzxIwQ4+QWsKUDrvcEp+4jL+V/YCz5x8+tdESBGO+Enz0rpl/r+RDCPgdFM
         z4q+s/IWX4V2UqmA0B+MCqsiDPXFL3xcka16/BfG/z5RubUsx1/dHdewvFEt5kRCBfD4
         pBHtrJaVbiUY73EZS2uN4sY3HpGyQUMhnulR2/7F1KgeTQtW/mwtWLM2LQ+Pa/0I1dei
         Lguw==
X-Gm-Message-State: AC+VfDzlT0pSII3hED82zQO6llmrFTB9KN7evtEp37E+RyOKYsPH09oD
        epXCti3wyITHbx+k+p0fEXqVhpvwSas=
X-Received: from zagreus.c.googlers.com
 ([fda3:e722:ac3:cc00:7f:e700:c0a8:5c37])
 (user=seanjc job=sendgmr) by 2002:a63:6c2:0:b0:53f:5c6c:3d18 with SMTP id
 185-20020a6306c2000000b0053f5c6c3d18mr205156pgg.10.1685145054665; Fri, 26 May
 2023 16:50:54 -0700 (PDT)
Reply-To: Sean Christopherson <seanjc@google.com>
Date: Fri, 26 May 2023 16:50:47 -0700
In-Reply-To: <20230526235048.2842761-1-seanjc@google.com>
Mime-Version: 1.0
References: <20230526235048.2842761-1-seanjc@google.com>
X-Mailer: git-send-email 2.41.0.rc0.172.g3f132b7071-goog
Message-ID: <20230526235048.2842761-3-seanjc@google.com>
Subject: [PATCH v2 2/3] KVM: x86: Retry APIC optimized map recalc if vCPU is
 added/enabled
From: Sean Christopherson <seanjc@google.com>
To: Sean Christopherson <seanjc@google.com>,
        Paolo Bonzini <pbonzini@redhat.com>
Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org,
        Michal Luczaj <mhal@rbox.co>
X-Spam-Status: No, score=-9.6 required=5.0 tests=BAYES_00,DKIMWL_WL_MED,
        DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_NONE,
        SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE,USER_IN_DEF_DKIM_WL
        autolearn=unavailable autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
X-getmail-retrieved-from-mailbox: =?utf-8?q?INBOX?=
X-GMAIL-THRID: =?utf-8?q?1767003495269072534?=
X-GMAIL-MSGID: =?utf-8?q?1767003495269072534?=

Retry the optimized APIC map recalculation if an APIC-enabled vCPU shows
up between allocating the map and filling in the map data.  Conditionally
reschedule before retrying even though the number of vCPUs that can be
created is bounded by KVM.  Retrying a few thousand times isn't so slow
as to be hugely problematic, but it's not blazing fast either.

Reset xapic_id_mistach on each retry as a vCPU could change its xAPIC ID
between loops, but do NOT reset max_id.  The map size also factors in
whether or not a vCPU's local APIC is hardware-enabled, i.e. userspace
and/or the guest can theoretically keep KVM retrying indefinitely.  The
only downside is that KVM will allocate more memory than is strictly
necessary if the vCPU with the highest x2APIC ID disabled its APIC while
the recalculation was in-progress.

Refresh kvm->arch.apic_map_dirty to opportunistically change it from
DIRTY => UPDATE_IN_PROGRESS to avoid an unnecessary recalc from a
different task, i.e. if another task is waiting to attempt an update
(which is likely since a retry happens if and only if an update is
required).

Signed-off-by: Sean Christopherson <seanjc@google.com>
---
 arch/x86/kvm/lapic.c | 29 +++++++++++++++++++++++++----
 1 file changed, 25 insertions(+), 4 deletions(-)

diff --git a/arch/x86/kvm/lapic.c b/arch/x86/kvm/lapic.c
index 3c300a196bdf..cadeaba25e65 100644
--- a/arch/x86/kvm/lapic.c
+++ b/arch/x86/kvm/lapic.c
@@ -381,7 +381,8 @@ void kvm_recalculate_apic_map(struct kvm *kvm)
 	struct kvm_vcpu *vcpu;
 	unsigned long i;
 	u32 max_id = 255; /* enough space for any xAPIC ID */
-	bool xapic_id_mismatch = false;
+	bool xapic_id_mismatch;
+	int r;
 
 	/* Read kvm->arch.apic_map_dirty before kvm->arch.apic_map.  */
 	if (atomic_read_acquire(&kvm->arch.apic_map_dirty) == CLEAN)
@@ -391,9 +392,14 @@ void kvm_recalculate_apic_map(struct kvm *kvm)
 		  "Dirty APIC map without an in-kernel local APIC");
 
 	mutex_lock(&kvm->arch.apic_map_lock);
+
+retry:
 	/*
-	 * Read kvm->arch.apic_map_dirty before kvm->arch.apic_map
-	 * (if clean) or the APIC registers (if dirty).
+	 * Read kvm->arch.apic_map_dirty before kvm->arch.apic_map (if clean)
+	 * or the APIC registers (if dirty).  Note, on retry the map may have
+	 * not yet been marked dirty by whatever task changed a vCPU's x2APIC
+	 * ID, i.e. the map may still show up as in-progress.  In that case
+	 * this task still needs to retry and copmlete its calculation.
 	 */
 	if (atomic_cmpxchg_acquire(&kvm->arch.apic_map_dirty,
 				   DIRTY, UPDATE_IN_PROGRESS) == CLEAN) {
@@ -402,6 +408,15 @@ void kvm_recalculate_apic_map(struct kvm *kvm)
 		return;
 	}
 
+	/*
+	 * Reset the mismatch flag between attempts so that KVM does the right
+	 * thing if a vCPU changes its xAPIC ID, but do NOT reset max_id, i.e.
+	 * keep max_id strictly increasing.  Disallowing max_id from shrinking
+	 * ensures KVM won't get stuck in an infinite loop, e.g. if the vCPU
+	 * with the highest x2APIC ID is toggling its APIC on and off.
+	 */
+	xapic_id_mismatch = false;
+
 	kvm_for_each_vcpu(i, vcpu, kvm)
 		if (kvm_apic_present(vcpu))
 			max_id = max(max_id, kvm_x2apic_id(vcpu->arch.apic));
@@ -420,9 +435,15 @@ void kvm_recalculate_apic_map(struct kvm *kvm)
 		if (!kvm_apic_present(vcpu))
 			continue;
 
-		if (kvm_recalculate_phys_map(new, vcpu, &xapic_id_mismatch)) {
+		r = kvm_recalculate_phys_map(new, vcpu, &xapic_id_mismatch);
+		if (r) {
 			kvfree(new);
 			new = NULL;
+			if (r == -E2BIG) {
+				cond_resched();
+				goto retry;
+			}
+
 			goto out;
 		}
 

From patchwork Fri May 26 23:50:48 2023
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Sean Christopherson <seanjc@google.com>
X-Patchwork-Id: 99727
Return-Path: <linux-kernel-owner@vger.kernel.org>
Delivered-To: ouuuleilei@gmail.com
Received: by 2002:a59:994d:0:b0:3d9:f83d:47d9 with SMTP id k13csp51085vqr;
        Fri, 26 May 2023 17:51:48 -0700 (PDT)
X-Google-Smtp-Source: 
 ACHHUZ7fVQOP1c9uvQK+dPyPNDVFrLuI9T7hdh8txg9PdbLV9Q7UChoOs/DaaeqO5D+EDFZhI3Dk
X-Received: by 2002:a17:902:ebd2:b0:1a6:8031:59e7 with SMTP id
 p18-20020a170902ebd200b001a6803159e7mr4739349plg.46.1685148707746;
        Fri, 26 May 2023 17:51:47 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1685148707; cv=none;
        d=google.com; s=arc-20160816;
        b=DnY2VH0LfU6p2TbRwiAJ4eOx2S3ug43FhGCuhje7gEkvQMh8sGs6pHk+lK5BIdR+y4
         H79nnYg82ERujWzrDsYnzDK9b2HEuGnwjnqGLytz1ktRlAwaRyANJoI8IS1IZProkSZn
         cwiyDWh8Evx86RIvL1t1rZAKHq4dks1fPQvPgnnkyh4LgbMqkKP3a7yEnl+AVUGGynw8
         MEuz9atKlH9xcaIP8SfAGZ8PvQ1OIoDgj3uAOC9g6+ypNj9CEgVhZGuD0kOSsUOOL+6t
         uBdOaE1Uyqaz8ZZb65lpMVwysCfQFVC9zcd+rhfXJd17JAq0VJP8vDJr+86aVOXdqYXz
         2TEQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
 s=arc-20160816;
        h=list-id:precedence:cc:to:from:subject:message-id:references
         :mime-version:in-reply-to:date:reply-to:dkim-signature;
        bh=Bk1UDmvPC4i4QcCcByGound/sEkJg+oDBKjGWlXb8JU=;
        b=Pi16joxn3B/R2EUwnXRPzHAcedgLAl+mK0hqQcnMdpTYsRE/2LU1KzXFKqRLPHeibq
         5xaWiXgWMFpFdu3FrXApOc7HwSeV6uCPOgZu2tMgWwntC4tADvJV0NG0VFtKLjzmvgXn
         Wt+J0SgEHWo0ejTSaVrA93mp+PpaS5ePJUHA2bPE5GsA6Wl5y3+Z/WRHwuK4fPVFpow/
         qarhHUzfOQYSnUi1qxUKyS3H521dQNC530rZaF/s2aoV9+mla+5rGS2dNjwwUrZHlNVb
         SqDPkzpTzXpLZVBUbZMTwfqHnmpIUjsPfXk2q91XuJdggZa6CCQP4eL+hBGup0oo9EsY
         P9Jg==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@google.com header.s=20221208 header.b="b/S5rioS";
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
 designates 2620:137:e000::1:20 as permitted sender)
 smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
        by mx.google.com with ESMTP id
 m6-20020a170902db8600b001aad8686ebasi4822035pld.251.2023.05.26.17.51.36;
        Fri, 26 May 2023 17:51:47 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org
 designates 2620:137:e000::1:20 as permitted sender)
 client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@google.com header.s=20221208 header.b="b/S5rioS";
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
 designates 2620:137:e000::1:20 as permitted sender)
 smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S237792AbjEZXvC (ORCPT <rfc822;zhanglyra.2023@gmail.com>
        + 99 others); Fri, 26 May 2023 19:51:02 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:35488 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S237428AbjEZXu7 (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Fri, 26 May 2023 19:50:59 -0400
Received: from mail-pf1-x449.google.com (mail-pf1-x449.google.com
 [IPv6:2607:f8b0:4864:20::449])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id B97881A2
        for <linux-kernel@vger.kernel.org>;
 Fri, 26 May 2023 16:50:56 -0700 (PDT)
Received: by mail-pf1-x449.google.com with SMTP id
 d2e1a72fcca58-64d1c53cad8so1632233b3a.3
        for <linux-kernel@vger.kernel.org>;
 Fri, 26 May 2023 16:50:56 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=google.com; s=20221208; t=1685145056; x=1687737056;
        h=cc:to:from:subject:message-id:references:mime-version:in-reply-to
         :date:reply-to:from:to:cc:subject:date:message-id:reply-to;
        bh=Bk1UDmvPC4i4QcCcByGound/sEkJg+oDBKjGWlXb8JU=;
        b=b/S5rioSyiILJQs6UKnM3duZoCNlAbzAiw9wfNE+A0VSgXSpbWDc9bAXYZ0cLdL+DZ
         2uEnOSwSL/9N6VTbCO+GDRzecVuGUcIp1MW7e/WVy3U+6EXro8ItKlYOl2uhHuvWrsOg
         p6JSZ3CtSyfneC1g5UW5/tU7cDnIK/CmNCczY+MlhjqwAH6wBmtxSHcNTRF6h6B+41uc
         vMBYdeJ0HzcoKczzVjIvuHERnJDS2dopnEyzqp2e/YZ8edaTDKqz8JbytR4XMFerZFBE
         FJlWWkSzYrPKODDIxJfZfd0LKpiUyKP6bhpDYzO3DCZ0YLH9zhVCqo48cSABG2v9SAmc
         ChFw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20221208; t=1685145056; x=1687737056;
        h=cc:to:from:subject:message-id:references:mime-version:in-reply-to
         :date:reply-to:x-gm-message-state:from:to:cc:subject:date:message-id
         :reply-to;
        bh=Bk1UDmvPC4i4QcCcByGound/sEkJg+oDBKjGWlXb8JU=;
        b=V6LAO0JQc0fRbQPaBNwCgJokCElvPqoendw7dgtxTXPJqOwGN7zJeoEskd7pS4drUd
         0wBMEOn8HZfO/WydJz94o7Mhkj0FoWcptKZ3m+cr7CZERsdfBQiqSJFaSq9KT1SYzor1
         HeKjogjv1hZG2iXqbIfUzeTCeKr7h8WGB1CpAxGyxR+eff6Ts+Cw6O9MRp8fcjUGDani
         5IJCJ/6yHnhxBP/r5etvD9uzelaRKu6qPYDO7lKdfRRFSyoCdYRq54YyYnmlnKniAWJK
         kaJ54v8nNPiV03sC3W/rlU00Hjs8wq45kItlnTH8arGqEGyeEvI5WvJJMCj5n1qFQyDF
         7j/A==
X-Gm-Message-State: AC+VfDxyCftgLhJwuMntY2yArxkZ+jAITlgCMj+WnviQftA9VG3BeGRy
        7C8ERuZa2oq6lo+RSRU77+x3m+Y1h44=
X-Received: from zagreus.c.googlers.com
 ([fda3:e722:ac3:cc00:7f:e700:c0a8:5c37])
 (user=seanjc job=sendgmr) by 2002:a05:6a00:1797:b0:64f:c0b1:6967 with SMTP id
 s23-20020a056a00179700b0064fc0b16967mr4749pfg.1.1685145056321; Fri, 26 May
 2023 16:50:56 -0700 (PDT)
Reply-To: Sean Christopherson <seanjc@google.com>
Date: Fri, 26 May 2023 16:50:48 -0700
In-Reply-To: <20230526235048.2842761-1-seanjc@google.com>
Mime-Version: 1.0
References: <20230526235048.2842761-1-seanjc@google.com>
X-Mailer: git-send-email 2.41.0.rc0.172.g3f132b7071-goog
Message-ID: <20230526235048.2842761-4-seanjc@google.com>
Subject: [PATCH v2 3/3] KVM: selftests: Add test for race in
 kvm_recalculate_apic_map()
From: Sean Christopherson <seanjc@google.com>
To: Sean Christopherson <seanjc@google.com>,
        Paolo Bonzini <pbonzini@redhat.com>
Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org,
        Michal Luczaj <mhal@rbox.co>
X-Spam-Status: No, score=-9.6 required=5.0 tests=BAYES_00,DKIMWL_WL_MED,
        DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_NONE,
        SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE,USER_IN_DEF_DKIM_WL
        autolearn=unavailable autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
X-getmail-retrieved-from-mailbox: =?utf-8?q?INBOX?=
X-GMAIL-THRID: =?utf-8?q?1767006491043862639?=
X-GMAIL-MSGID: =?utf-8?q?1767006491043862639?=

From: Michal Luczaj <mhal@rbox.co>

Keep switching between LAPIC_MODE_X2APIC and LAPIC_MODE_DISABLED during
APIC map construction to hunt for TOCTOU bugs in KVM.  KVM's optimized map
recalc makes multiple passes over the list of vCPUs, and the calculations
ignore vCPU's whose APIC is hardware-disabled, i.e. there's a window where
toggling LAPIC_MODE_DISABLED is quite interesting.

Signed-off-by: Michal Luczaj <mhal@rbox.co>
Co-developed-by: Sean Christopherson <seanjc@google.com>
Signed-off-by: Sean Christopherson <seanjc@google.com>
---
 tools/testing/selftests/kvm/Makefile          |  1 +
 .../kvm/x86_64/recalc_apic_map_race.c         | 76 +++++++++++++++++++
 2 files changed, 77 insertions(+)
 create mode 100644 tools/testing/selftests/kvm/x86_64/recalc_apic_map_race.c

diff --git a/tools/testing/selftests/kvm/Makefile b/tools/testing/selftests/kvm/Makefile
index 7a5ff646e7e7..c9b8f16fb23f 100644
--- a/tools/testing/selftests/kvm/Makefile
+++ b/tools/testing/selftests/kvm/Makefile
@@ -116,6 +116,7 @@ TEST_GEN_PROGS_x86_64 += x86_64/sev_migrate_tests
 TEST_GEN_PROGS_x86_64 += x86_64/amx_test
 TEST_GEN_PROGS_x86_64 += x86_64/max_vcpuid_cap_test
 TEST_GEN_PROGS_x86_64 += x86_64/triple_fault_event_test
+TEST_GEN_PROGS_x86_64 += x86_64/recalc_apic_map_race
 TEST_GEN_PROGS_x86_64 += access_tracking_perf_test
 TEST_GEN_PROGS_x86_64 += demand_paging_test
 TEST_GEN_PROGS_x86_64 += dirty_log_test
diff --git a/tools/testing/selftests/kvm/x86_64/recalc_apic_map_race.c b/tools/testing/selftests/kvm/x86_64/recalc_apic_map_race.c
new file mode 100644
index 000000000000..09516548c11a
--- /dev/null
+++ b/tools/testing/selftests/kvm/x86_64/recalc_apic_map_race.c
@@ -0,0 +1,76 @@
+// SPDX-License-Identifier: GPL-2.0-only
+/*
+ * recalc_apic_map_race
+ *
+ * Test for a race condition in kvm_recalculate_apic_map().
+ */
+
+#include <sys/ioctl.h>
+#include <pthread.h>
+#include <time.h>
+
+#include "processor.h"
+#include "test_util.h"
+#include "kvm_util.h"
+#include "apic.h"
+
+#define TIMEOUT		5	/* seconds */
+
+#define LAPIC_DISABLED	0
+#define LAPIC_X2APIC	(MSR_IA32_APICBASE_ENABLE | X2APIC_ENABLE)
+#define MAX_XAPIC_ID	0xff
+
+static void *race(void *arg)
+{
+	struct kvm_lapic_state lapic = {};
+	struct kvm_vcpu *vcpu = arg;
+
+	while (1) {
+		/* Trigger kvm_recalculate_apic_map(). */
+		vcpu_ioctl(vcpu, KVM_SET_LAPIC, &lapic);
+		pthread_testcancel();
+	}
+
+	return NULL;
+}
+
+int main(void)
+{
+	struct kvm_vcpu *vcpus[KVM_MAX_VCPUS];
+	struct kvm_vcpu *vcpuN;
+	struct kvm_vm *vm;
+	pthread_t thread;
+	time_t t;
+	int i;
+
+	kvm_static_assert(KVM_MAX_VCPUS > MAX_XAPIC_ID);
+
+	/*
+	 * Creating the max number of vCPUs supported by selftests so that KVM
+	 * has decent amount of work to do when recalculating the map, i.e. to
+	 * make the problematic window large enough to hit.
+	 */
+	vm = vm_create_with_vcpus(KVM_MAX_VCPUS, NULL, vcpus);
+
+	/*
+	 * Enable x2APIC on all vCPUs so that KVM doesn't bail from the recalc
+	 * due to vCPUs having aliased xAPIC IDs (truncated to 8 bits).
+	 */
+	for (i = 0; i < KVM_MAX_VCPUS; i++)
+		vcpu_set_msr(vcpus[i], MSR_IA32_APICBASE, LAPIC_X2APIC);
+
+	ASSERT_EQ(pthread_create(&thread, NULL, race, vcpus[0]), 0);
+
+	vcpuN = vcpus[KVM_MAX_VCPUS - 1];
+	for (t = time(NULL) + TIMEOUT; time(NULL) < t;) {
+		vcpu_set_msr(vcpuN, MSR_IA32_APICBASE, LAPIC_X2APIC);
+		vcpu_set_msr(vcpuN, MSR_IA32_APICBASE, LAPIC_DISABLED);
+	}
+
+	ASSERT_EQ(pthread_cancel(thread), 0);
+	ASSERT_EQ(pthread_join(thread, NULL), 0);
+
+	kvm_vm_release(vm);
+
+	return 0;
+}