From patchwork Fri Jun 2 23:32:48 2023
X-Patchwork-Submitter: Sean Christopherson
X-Patchwork-Id: 102720
Reply-To: Sean Christopherson
Date: Fri, 2 Jun 2023 16:32:48 -0700
In-Reply-To: <20230602233250.1014316-1-seanjc@google.com>
References: <20230602233250.1014316-1-seanjc@google.com>
Message-ID: <20230602233250.1014316-2-seanjc@google.com>
Subject: [PATCH v3 1/3] KVM: x86: Bail from kvm_recalculate_phys_map() if x2APIC ID is out-of-bounds
From: Sean Christopherson
To: Sean Christopherson, Paolo Bonzini
Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Michal Luczaj
X-Mailing-List: linux-kernel@vger.kernel.org

Bail from kvm_recalculate_phys_map() and disable the optimized map if the target vCPU's x2APIC ID is out-of-bounds, i.e. if the vCPU was added and/or enabled its local APIC after the map was allocated. This fixes an out-of-bounds access bug in the !x2apic_format path where KVM would write beyond the end of phys_map.

Check the x2APIC ID regardless of whether or not x2APIC is enabled, as KVM hardcodes the x2APIC ID to be the vCPU ID, i.e. it can't change, and the map allocation in kvm_recalculate_apic_map() doesn't check for x2APIC being enabled, i.e. the check won't get false positives.

Note, this also affects the x2apic_format path, which previously just ignored the "x2apic_id > new->max_apic_id" case. That too is arguably a bug fix, as ignoring the vCPU meant that KVM would not send interrupts to the vCPU until the next map recalculation. In practice, that "bug" is likely benign as a newly present vCPU/APIC would immediately trigger a recalc. But, there's no functional downside to disabling the map, and a future patch will gracefully handle the -E2BIG case by retrying instead of simply disabling the optimized map.

Opportunistically add a sanity check on the xAPIC ID size, along with a comment explaining why the xAPIC ID is guaranteed to be "good".

Reported-by: Michal Luczaj
Signed-off-by: Sean Christopherson --- arch/x86/kvm/lapic.c | 20 ++++++++++++++++++-- 1 file changed, 18 insertions(+), 2 deletions(-) diff --git a/arch/x86/kvm/lapic.c b/arch/x86/kvm/lapic.c index e542cf285b51..3c300a196bdf 100644 --- a/arch/x86/kvm/lapic.c +++ b/arch/x86/kvm/lapic.c @@ -228,6 +228,23 @@ static int kvm_recalculate_phys_map(struct kvm_apic_map *new, u32 xapic_id = kvm_xapic_id(apic); u32 physical_id; + /* + * For simplicity, KVM always allocates enough space for all possible + * xAPIC IDs. Yell, but don't kill the VM, as KVM can continue on + * without the optimized map. + */ + if (WARN_ON_ONCE(xapic_id > new->max_apic_id)) + return -EINVAL; + + /* + * Bail if a vCPU was added and/or enabled its APIC between allocating + * the map and doing the actual calculations for the map. Note, KVM + * hardcodes the x2APIC ID to vcpu_id, i.e. there's no TOCTOU bug if + * the compiler decides to reload x2apic_id after this check. + */ + if (x2apic_id > new->max_apic_id) + return -E2BIG; + /* * Deliberately truncate the vCPU ID when detecting a mismatched APIC * ID to avoid false positives if the vCPU ID, i.e. x2APIC ID, is a 
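Review bot: in this hunk -EINVAL and -E2BIG come from adjacent checks, but the caller treats every non-zero return the same way (drop the optimized map) until 2/3 adds the retry, so a reader of this patch alone cannot tell why two codes exist; a short comment at `return -E2BIG;` saying it is kept distinct so the caller can retry would put the intent from the changelog next to the code. Related: the second hunk removes the `x2apic_id <= new->max_apic_id` clause from the x2apic_format branch, so the `new->phys_map[x2apic_id] = apic;` write there is now guarded only by this early return; the comment above the -E2BIG check should say it replaces that per-branch bound, so that nobody later reintroduces one or drops this one.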
@@ -253,8 +270,7 @@ static int kvm_recalculate_phys_map(struct kvm_apic_map *new, */ if (vcpu->kvm->arch.x2apic_format) { /* See also kvm_apic_match_physical_addr(). */ - if ((apic_x2apic_mode(apic) || x2apic_id > 0xff) && - x2apic_id <= new->max_apic_id) + if (apic_x2apic_mode(apic) || x2apic_id > 0xff) new->phys_map[x2apic_id] = apic; if (!apic_x2apic_mode(apic) && !new->phys_map[xapic_id])

From patchwork Fri Jun 2 23:32:49 2023
X-Patchwork-Submitter: Sean Christopherson
X-Patchwork-Id: 102722
Reply-To: Sean Christopherson
Date: Fri, 2 Jun 2023 16:32:49 -0700
In-Reply-To: <20230602233250.1014316-1-seanjc@google.com>
References: <20230602233250.1014316-1-seanjc@google.com>
Message-ID: <20230602233250.1014316-3-seanjc@google.com>
Subject: [PATCH v3 2/3] KVM: x86: Retry APIC optimized map recalc if vCPU is added/enabled
From: Sean Christopherson
To: Sean Christopherson, Paolo Bonzini
Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Michal Luczaj
X-Mailing-List: linux-kernel@vger.kernel.org

Retry the optimized APIC map recalculation if an APIC-enabled vCPU shows up between allocating the map and filling in the map data. Conditionally reschedule before retrying even though the number of vCPUs that can be created is bounded by KVM. Retrying a few thousand times isn't so slow as to be hugely problematic, but it's not blazing fast either.

Reset xapic_id_mismatch on each retry as a vCPU could change its xAPIC ID between loops, but do NOT reset max_id. The map size also factors in whether or not a vCPU's local APIC is hardware-enabled, i.e. userspace and/or the guest can theoretically keep KVM retrying indefinitely. The only downside is that KVM will allocate more memory than is strictly necessary if the vCPU with the highest x2APIC ID disabled its APIC while the recalculation was in-progress.

Refresh kvm->arch.apic_map_dirty to opportunistically change it from DIRTY => UPDATE_IN_PROGRESS to avoid an unnecessary recalc from a different task, i.e. if another task is waiting to attempt an update (which is likely since a retry happens if and only if an update is required).

Signed-off-by: Sean Christopherson
---
 arch/x86/kvm/lapic.c | 29 +++++++++++++++++++++++++----
 1 file changed, 25 insertions(+), 4 deletions(-)
diff --git a/arch/x86/kvm/lapic.c b/arch/x86/kvm/lapic.c index 3c300a196bdf..cadeaba25e65 100644 --- a/arch/x86/kvm/lapic.c +++ b/arch/x86/kvm/lapic.c @@ -381,7 +381,8 @@ void kvm_recalculate_apic_map(struct kvm *kvm) struct kvm_vcpu *vcpu; unsigned long i; u32 max_id = 255; /* enough space for any xAPIC ID */ - bool xapic_id_mismatch = false; + bool xapic_id_mismatch; + int r; /* Read kvm->arch.apic_map_dirty before kvm->arch.apic_map. */ if (atomic_read_acquire(&kvm->arch.apic_map_dirty) == CLEAN) @@ -391,9 +392,14 @@ void kvm_recalculate_apic_map(struct kvm *kvm) "Dirty APIC map without an in-kernel local APIC"); mutex_lock(&kvm->arch.apic_map_lock); + +retry: /* - * Read kvm->arch.apic_map_dirty before kvm->arch.apic_map - * (if clean) or the APIC registers (if dirty). + * Read kvm->arch.apic_map_dirty before kvm->arch.apic_map (if clean) + * or the APIC registers (if dirty). Note, on retry the map may have + * not yet been marked dirty by whatever task changed a vCPU's x2APIC + * ID, i.e. the map may still show up as in-progress. In that case + * this task still needs to retry and copmlete its calculation. */ if (atomic_cmpxchg_acquire(&kvm->arch.apic_map_dirty, DIRTY, UPDATE_IN_PROGRESS) == CLEAN) { @@ -402,6 +408,15 @@ void kvm_recalculate_apic_map(struct kvm *kvm) return; } + /* + * Reset the mismatch flag between attempts so that KVM does the right + * thing if a vCPU changes its xAPIC ID, but do NOT reset max_id, i.e. + * keep max_id strictly increasing. Disallowing max_id from shrinking + * ensures KVM won't get stuck in an infinite loop, e.g. if the vCPU + * with the highest x2APIC ID is toggling its APIC on and off. + */ + xapic_id_mismatch = false; + kvm_for_each_vcpu(i, vcpu, kvm) if (kvm_apic_present(vcpu)) max_id = max(max_id, kvm_x2apic_id(vcpu->arch.apic)); 
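Review bot: typo in the new comment in the second hunk: "copmlete" should be "complete". While touching it, the comment explains the case where the map is still UPDATE_IN_PROGRESS on retry, but not the DIRTY case the changelog calls out (another task marked the map dirty in the meantime, and this task's cmpxchg claims the update so that task can skip its own recalc); one more sentence there would save the next reader a trip to the commit message.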
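Review bot: the new comment in the third hunk claims that never letting max_id shrink rules out an infinite loop when the vCPU with the highest x2APIC ID toggles its APIC, but that only holds if the vCPU is present during at least one sizing pass. The sizing loop right below the comment reads kvm_x2apic_id() only for vCPUs where kvm_apic_present() is true, so a vCPU that is disabled at every sizing pass and enabled at every fill pass never raises max_id and keeps producing -E2BIG; the commit message itself concedes that userspace or the guest "can theoretically keep KVM retrying indefinitely". Either soften the comment to match, or raise max_id to the offending ID on -E2BIG (the fill pass has it in hand) so that every retry is guaranteed to make progress. Nit: "strictly increasing" should read "non-decreasing", since max_id is usually unchanged between retries.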
@@ -420,9 +435,15 @@ void kvm_recalculate_apic_map(struct kvm *kvm) if (!kvm_apic_present(vcpu)) continue; - if (kvm_recalculate_phys_map(new, vcpu, &xapic_id_mismatch)) { + r = kvm_recalculate_phys_map(new, vcpu, &xapic_id_mismatch); + if (r) { kvfree(new); new = NULL; + if (r == -E2BIG) { + cond_resched(); + goto retry; + } + goto out; }

From patchwork Fri Jun 2 23:32:50 2023
X-Patchwork-Submitter: Sean Christopherson
X-Patchwork-Id: 102721
Reply-To: Sean Christopherson
Date: Fri, 2 Jun 2023 16:32:50 -0700
In-Reply-To: <20230602233250.1014316-1-seanjc@google.com>
References: <20230602233250.1014316-1-seanjc@google.com>
Message-ID: <20230602233250.1014316-4-seanjc@google.com>
Subject: [PATCH v3 3/3] KVM: selftests: Add test for race in kvm_recalculate_apic_map()
From: Sean Christopherson
To: Sean Christopherson, Paolo Bonzini
Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Michal Luczaj
X-Mailing-List: linux-kernel@vger.kernel.org

From: Michal Luczaj

Keep switching between LAPIC_MODE_X2APIC and LAPIC_MODE_DISABLED during APIC map construction to hunt for TOCTOU bugs in KVM. KVM's optimized map recalc makes multiple passes over the list of vCPUs, and the calculations ignore vCPUs whose APIC is hardware-disabled, i.e. there's a window where toggling LAPIC_MODE_DISABLED is quite interesting.

Signed-off-by: Michal Luczaj
Co-developed-by: Sean Christopherson
Signed-off-by: Sean Christopherson
---
 tools/testing/selftests/kvm/Makefile          |  1 +
 .../kvm/x86_64/recalc_apic_map_test.c         | 74 +++++++++++++++++++
 2 files changed, 75 insertions(+)
 create mode 100644 tools/testing/selftests/kvm/x86_64/recalc_apic_map_test.c

diff --git a/tools/testing/selftests/kvm/Makefile b/tools/testing/selftests/kvm/Makefile
index 7a5ff646e7e7..4761b768b773 100644
--- a/tools/testing/selftests/kvm/Makefile
+++ b/tools/testing/selftests/kvm/Makefile
@@ -116,6 +116,7 @@ TEST_GEN_PROGS_x86_64 += x86_64/sev_migrate_tests TEST_GEN_PROGS_x86_64 += x86_64/amx_test TEST_GEN_PROGS_x86_64 += x86_64/max_vcpuid_cap_test TEST_GEN_PROGS_x86_64 += x86_64/triple_fault_event_test +TEST_GEN_PROGS_x86_64 += x86_64/recalc_apic_map_test TEST_GEN_PROGS_x86_64 += access_tracking_perf_test TEST_GEN_PROGS_x86_64 += demand_paging_test TEST_GEN_PROGS_x86_64 += dirty_log_test diff --git a/tools/testing/selftests/kvm/x86_64/recalc_apic_map_test.c b/tools/testing/selftests/kvm/x86_64/recalc_apic_map_test.c new file mode 100644 index 000000000000..4c416ebe7d66 --- /dev/null +++ b/tools/testing/selftests/kvm/x86_64/recalc_apic_map_test.c 
@@ -0,0 +1,74 @@ +// SPDX-License-Identifier: GPL-2.0-only +/* + * Test edge cases and race conditions in kvm_recalculate_apic_map(). + */ + +#include +#include +#include + +#include "processor.h" +#include "test_util.h" +#include "kvm_util.h" +#include "apic.h" + +#define TIMEOUT 5 /* seconds */ + +#define LAPIC_DISABLED 0 +#define LAPIC_X2APIC (MSR_IA32_APICBASE_ENABLE | X2APIC_ENABLE) +#define MAX_XAPIC_ID 0xff + +static void *race(void *arg) +{ + struct kvm_lapic_state lapic = {}; + struct kvm_vcpu *vcpu = arg; + + while (1) { + /* Trigger kvm_recalculate_apic_map(). */ + vcpu_ioctl(vcpu, KVM_SET_LAPIC, &lapic); + pthread_testcancel(); + } + + return NULL; +} + +int main(void) +{ + struct kvm_vcpu *vcpus[KVM_MAX_VCPUS]; + struct kvm_vcpu *vcpuN; + struct kvm_vm *vm; + pthread_t thread; + time_t t; + int i; + + kvm_static_assert(KVM_MAX_VCPUS > MAX_XAPIC_ID); + + /* + * Create the max number of vCPUs supported by selftests so that KVM + * has decent amount of work to do when recalculating the map, i.e. to + * make the problematic window large enough to hit. + */ + vm = vm_create_with_vcpus(KVM_MAX_VCPUS, NULL, vcpus); + + /* + * Enable x2APIC on all vCPUs so that KVM doesn't bail from the recalc + * due to vCPUs having aliased xAPIC IDs (truncated to 8 bits). + */ + for (i = 0; i < KVM_MAX_VCPUS; i++) + vcpu_set_msr(vcpus[i], MSR_IA32_APICBASE, LAPIC_X2APIC); + + ASSERT_EQ(pthread_create(&thread, NULL, race, vcpus[0]), 0); + + vcpuN = vcpus[KVM_MAX_VCPUS - 1]; + for (t = time(NULL) + TIMEOUT; time(NULL) < t;) { + vcpu_set_msr(vcpuN, MSR_IA32_APICBASE, LAPIC_X2APIC); + vcpu_set_msr(vcpuN, MSR_IA32_APICBASE, LAPIC_DISABLED); + } + + ASSERT_EQ(pthread_cancel(thread), 0); + ASSERT_EQ(pthread_join(thread, NULL), 0); + + kvm_vm_free(vm); + + return 0; +}
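Review bot: nothing in this file observes the failure it is hunting for. The only assertions are on pthread_create(), pthread_cancel() and pthread_join(), so the out-of-bounds phys_map write fixed in 1/3 surfaces only as a KASAN splat or a host crash, and on an unfixed kernel without KASAN the test passes silently. The file comment should state that a run is meaningful only on a KASAN host (or paired with a dmesg check for the WARN_ON_ONCE added in 1/3), so that a green result is not taken as evidence. A smaller point: a one-line comment on why vcpus[0] drives the KVM_SET_LAPIC loop (any vCPU forces a full recalc) and why vcpus[KVM_MAX_VCPUS - 1] is the one toggled (it holds the highest x2APIC ID, which is what sizes the map) would make the choice of vCPUs obvious to the next reader.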
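The race that 2/3 describes (a vCPU enabling its APIC between the sizing pass and the fill pass, retried on -E2BIG with a max_id that never shrinks) and the toggling that the selftest in 3/3 exercises can be modelled in user space. The block below is an added example written for this page, not KVM code and not part of the series: struct vcpu, struct apic_map, the window callback that fires at the two points where a real vCPU could change state, the MAX_ATTEMPTS cap, and the bump_on_e2big variant (raising max_id to the ID that overflowed, a hypothetical tweak that is not in the patches) are all assumptions. It shows a hot-plugged vCPU resolving in two passes, a vCPU that is disabled at every sizing pass and enabled at every fill pass exhausting the retry budget, and the same adversarial timing converging once max_id is bumped on -E2BIG.

```c
/*
 * User-space model of the size-then-fill race in kvm_recalculate_apic_map().
 * Added example for this page, not KVM code: the structs, the window callback,
 * MAX_ATTEMPTS and the bump_on_e2big variant are all assumptions.
 */
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>

#define NR_VCPUS	4
#define HIGH_ID		300	/* beyond the 256 slots of a xAPIC-sized map */
#define MAX_ATTEMPTS	8	/* cap so the adversarial scenario terminates */

struct vcpu { uint32_t x2apic_id; bool apic_present; };	/* ID == vCPU ID; APIC hw-enabled */
struct apic_map { uint32_t max_apic_id; struct vcpu *phys_map[]; };	/* max_apic_id + 1 slots */

/* Fires twice per pass: before sizing, and before filling (the race window). */
typedef void (*window_fn)(struct vcpu *vcpus, int attempt, bool before_sizing);

/* The check from 1/3: an ID beyond the map is -E2BIG, never a write. */
static int phys_map_insert(struct apic_map *map, struct vcpu *v)
{
	if (v->x2apic_id > map->max_apic_id)
		return -E2BIG;
	map->phys_map[v->x2apic_id] = v;
	return 0;
}

/*
 * The retry loop from 2/3: max_id lives outside the loop so it never shrinks.
 * bump_on_e2big is a hypothetical tweak: raise max_id to the ID that overflowed
 * so every retry makes progress. Returns NULL once MAX_ATTEMPTS is exceeded.
 */
static struct apic_map *recalc_apic_map(struct vcpu *vcpus, int n, window_fn window,
					bool bump_on_e2big, int *attempts)
{
	uint32_t max_id = 255;	/* enough space for any xAPIC ID */
	struct apic_map *map;
	int i;

	*attempts = 0;
retry:
	if (++*attempts > MAX_ATTEMPTS)
		return NULL;
	window(vcpus, *attempts, true);
	for (i = 0; i < n; i++)		/* sizing pass: only present APICs count */
		if (vcpus[i].apic_present && vcpus[i].x2apic_id > max_id)
			max_id = vcpus[i].x2apic_id;
	map = calloc(1, sizeof(*map) + ((size_t)max_id + 1) * sizeof(map->phys_map[0]));
	if (!map)
		return NULL;
	map->max_apic_id = max_id;
	window(vcpus, *attempts, false);
	for (i = 0; i < n; i++) {		/* fill pass */
		if (!vcpus[i].apic_present)
			continue;
		if (phys_map_insert(map, &vcpus[i]) == -E2BIG) {
			if (bump_on_e2big)
				max_id = vcpus[i].x2apic_id;
			free(map);
			goto retry;
		}
	}
	return map;
}

/* Benign hot-add: the high vCPU enables its APIC once, inside the first window. */
void hotplug_once(struct vcpu *vcpus, int attempt, bool before_sizing)
{
	if (attempt == 1 && !before_sizing)
		vcpus[NR_VCPUS - 1].apic_present = true;
}

/* Adversarial timing: off at every sizing pass, on at every fill pass. */
void toggle_every_pass(struct vcpu *vcpus, int attempt, bool before_sizing)
{
	vcpus[NR_VCPUS - 1].apic_present = !before_sizing;
}

/* Constructed topology: IDs 0..2 enabled, the last vCPU has HIGH_ID and starts off. */
/* Returns the pass count if the final map holds that vCPU, else -1. */
int run_scenario(window_fn window, bool bump_on_e2big)
{
	struct vcpu vcpus[NR_VCPUS];
	struct apic_map *map;
	int attempts, ok;

	for (int i = 0; i < NR_VCPUS; i++)
		vcpus[i] = (struct vcpu){ .x2apic_id = i, .apic_present = true };
	vcpus[NR_VCPUS - 1] = (struct vcpu){ .x2apic_id = HIGH_ID };
	map = recalc_apic_map(vcpus, NR_VCPUS, window, bump_on_e2big, &attempts);
	if (!map)
		return -1;	/* retry budget exhausted */
	ok = map->max_apic_id >= HIGH_ID && map->phys_map[HIGH_ID] == &vcpus[NR_VCPUS - 1];
	free(map);
	return ok ? attempts : -1;
}
```

run_scenario(hotplug_once, false) and run_scenario(toggle_every_pass, true) both finish in two passes; run_scenario(toggle_every_pass, false) returns -1 because max_id is never raised and the loop hits the cap that the kernel does not have.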