Received: by 2002:a05:6602:2086:0:0:0:0 with SMTP id a6csp3861663ioa; Tue, 26 Apr 2022 11:11:32 -0700 (PDT) X-Google-Smtp-Source: ABdhPJwEhfRx6jn2+5Sq5gfjnuQR605USQi6OW3+GX4M3YwWvBzTSXS1D3YMjayw7UciVJ8gV8jC X-Received: by 2002:a17:90a:8581:b0:1b2:7541:af6c with SMTP id m1-20020a17090a858100b001b27541af6cmr28336279pjn.48.1650996692546; Tue, 26 Apr 2022 11:11:32 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1650996692; cv=none; d=google.com; s=arc-20160816; b=WSOudQ85B5QuMLNSIKaZy/ty+5jHdkCCMOSq3kgq9um4ZqhOtgLVTt0ve5gukwblu8 XOxn7jggHkEM0X2Itv2s5vxj9B0kdXygCFJgBjs6l6gyQjOyjECmGBKVWnaFAEntgzKc bfP9NrAPor8xRGLaKiL5NoWpzvzWSt4ZbPenl8BMKbMgqMZdma7cnfTZTFVvoZW9Mx+y qynrnjajA05J9jbS80YaQzMxuBMuBnyFaChHs2wUUCCBksBYtRfXoU6012USa9rGEhsp /cy/sSBztMoQH+rJGNq4OZXGLpCOIsW/iWNsZjdeFuKpZHHiggHfltC4aeK4Vk7uvDb/ /m0g== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=SHcfjvmxIdogmwWBhJ0hBRTtSwGpKpYzshws/0t2SwA=; b=KAJ/jykPOvGGzu7nKZ21fNaUFs6aavGwFm4bXJWL2jC/8TSEA833WaQlqxdibG+UJc 3J4BMdcw+BO7Skga8rCZxWW08qELHaz8fq+u+Q6znX9x0KnXuPtcV77cttRJ/lK8cMqD 09CezJcTPTL4cgT/GCfqxnCUsrYR931LMIBCchtnQECRcnK+nQLaKEV5aoyH9rD0xz6s XhY+ArOXjCGsmokzAFblSBBziuSUT9izYaf/xiKkXYVCM3HO2N0yLW2oKHoIGgkGfhe8 o80hYeWNvzLBSJqn+mZcrzjQVpfjPVKA5VgoKGoCJD3UHxFjcYA79892Qa+0k8KnQHRH jbFw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=Ma6kY+13; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id i8-20020a6551c8000000b00399599c54ffsi21456275pgq.252.2022.04.26.11.11.10; Tue, 26 Apr 2022 11:11:32 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=Ma6kY+13; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1347487AbiDZJUN (ORCPT + 99 others); Tue, 26 Apr 2022 05:20:13 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:56192 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1345563AbiDZI4h (ORCPT ); Tue, 26 Apr 2022 04:56:37 -0400 Received: from ams.source.kernel.org (ams.source.kernel.org [145.40.68.75]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 0A690DC5B3; Tue, 26 Apr 2022 01:41:18 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id E99A9B81CF0; Tue, 26 Apr 2022 08:41:16 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 3D06BC385A0; Tue, 26 Apr 2022 08:41:15 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1650962475; bh=OwzyLrENB5v4pbJRut7OEvQ+XADNOVu0945Fd9ZTlLY=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=Ma6kY+13HKQVTr/VuKdyCBv+OX2Qsp1d6AiKnymu0czIxzXsDflUGak+qMZYGZkwT vSC2cFopbC1d+XkO3nwExwOP1oVEbdxV2p4su0iXtO1kKg4bslbk4EG1Cpi0T4rR1r j7JHBqbSGXgZuG5PoAjNUkCKakmxNGJGQP3vMBAI= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Gaoning Pan , Yongkang Jia , Maxim Levitsky , Sean Christopherson , Paolo Bonzini Subject: [PATCH 5.15 108/124] KVM: x86: Pend KVM_REQ_APICV_UPDATE during vCPU creation to fix a race Date: Tue, 26 Apr 2022 10:21:49 +0200 Message-Id: <20220426081750.365497316@linuxfoundation.org> X-Mailer: git-send-email 2.36.0 In-Reply-To: <20220426081747.286685339@linuxfoundation.org> References: <20220426081747.286685339@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-Spam-Status: No, score=-7.7 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_HI, SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Sean Christopherson commit 423ecfea77dda83823c71b0fad1c2ddb2af1e5fc upstream. Make a KVM_REQ_APICV_UPDATE request when creating a vCPU with an in-kernel local APIC and APICv enabled at the module level. Consuming kvm_apicv_activated() and stuffing vcpu->arch.apicv_active directly can race with __kvm_set_or_clear_apicv_inhibit(), as vCPU creation happens before the vCPU is fully onlined, i.e. it won't get the request made to "all" vCPUs. If APICv is globally inhibited between setting apicv_active and onlining the vCPU, the vCPU will end up running with APICv enabled and trigger KVM's sanity check. Mark APICv as active during vCPU creation if APICv is enabled at the module level, both to be optimistic about it's final state, e.g. to avoid additional VMWRITEs on VMX, and because there are likely bugs lurking since KVM checks apicv_active in multiple vCPU creation paths. While keeping the current behavior of consuming kvm_apicv_activated() is arguably safer from a regression perspective, force apicv_active so that vCPU creation runs with deterministic state and so that if there are bugs, they are found sooner than later, i.e. not when some crazy race condition is hit. WARNING: CPU: 0 PID: 484 at arch/x86/kvm/x86.c:9877 vcpu_enter_guest+0x2ae3/0x3ee0 arch/x86/kvm/x86.c:9877 Modules linked in: CPU: 0 PID: 484 Comm: syz-executor361 Not tainted 5.16.13 #2 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1~cloud0 04/01/2014 RIP: 0010:vcpu_enter_guest+0x2ae3/0x3ee0 arch/x86/kvm/x86.c:9877 Call Trace: vcpu_run arch/x86/kvm/x86.c:10039 [inline] kvm_arch_vcpu_ioctl_run+0x337/0x15e0 arch/x86/kvm/x86.c:10234 kvm_vcpu_ioctl+0x4d2/0xc80 arch/x86/kvm/../../../virt/kvm/kvm_main.c:3727 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:874 [inline] __se_sys_ioctl fs/ioctl.c:860 [inline] __x64_sys_ioctl+0x16d/0x1d0 fs/ioctl.c:860 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x38/0x90 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae The bug was hit by a syzkaller spamming VM creation with 2 vCPUs and a call to KVM_SET_GUEST_DEBUG. r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000), 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_CAP_SPLIT_IRQCHIP(r1, 0x4068aea3, &(0x7f0000000000)) (async) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) (async) r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x400000000000002) ioctl$KVM_SET_GUEST_DEBUG(r3, 0x4048ae9b, &(0x7f00000000c0)={0x5dda9c14aa95f5c5}) ioctl$KVM_RUN(r2, 0xae80, 0x0) Reported-by: Gaoning Pan Reported-by: Yongkang Jia Fixes: 8df14af42f00 ("kvm: x86: Add support for dynamic APICv activation") Cc: stable@vger.kernel.org Cc: Maxim Levitsky Signed-off-by: Sean Christopherson Reviewed-by: Maxim Levitsky Message-Id: <20220420013732.3308816-4-seanjc@google.com> Signed-off-by: Paolo Bonzini Signed-off-by: Greg Kroah-Hartman --- arch/x86/kvm/x86.c | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) --- a/arch/x86/kvm/x86.c +++ b/arch/x86/kvm/x86.c @@ -10813,8 +10813,21 @@ int kvm_arch_vcpu_create(struct kvm_vcpu r = kvm_create_lapic(vcpu, lapic_timer_advance_ns); if (r < 0) goto fail_mmu_destroy; - if (kvm_apicv_activated(vcpu->kvm)) + + /* + * Defer evaluating inhibits until the vCPU is first run, as + * this vCPU will not get notified of any changes until this + * vCPU is visible to other vCPUs (marked online and added to + * the set of vCPUs). Opportunistically mark APICv active as + * VMX in particularly is highly unlikely to have inhibits. + * Ignore the current per-VM APICv state so that vCPU creation + * is guaranteed to run with a deterministic value, the request + * will ensure the vCPU gets the correct state before VM-Entry. + */ + if (enable_apicv) { vcpu->arch.apicv_active = true; + kvm_make_request(KVM_REQ_APICV_UPDATE, vcpu); + } } else static_branch_inc(&kvm_has_noapic_vcpu);