| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 24 Jun 2021 11:16:00 +0300
From: Maxim Levitsky <mlevitsk@...hat.com>
To: Paolo Bonzini <pbonzini@...hat.com>, kvm@...r.kernel.org
Cc: Thomas Gleixner <tglx@...utronix.de>,
Sean Christopherson <seanjc@...gle.com>,
Wanpeng Li <wanpengli@...cent.com>,
Vitaly Kuznetsov <vkuznets@...hat.com>,
Joerg Roedel <joro@...tes.org>, Borislav Petkov <bp@...en8.de>,
"H. Peter Anvin" <hpa@...or.com>, Ingo Molnar <mingo@...hat.com>,
"open list:X86 ARCHITECTURE (32-BIT AND 64-BIT)"
<linux-kernel@...r.kernel.org>,
"maintainer:X86 ARCHITECTURE (32-BIT AND 64-BIT)" <x86@...nel.org>,
Jim Mattson <jmattson@...gle.com>
Subject: Re: [PATCH 07/10] KVM: SVM: use vmcb01 in
svm_refresh_apicv_exec_ctrl
On Wed, 2021-06-23 at 23:54 +0200, Paolo Bonzini wrote:
> On 23/06/21 13:29, Maxim Levitsky wrote:
> > AVIC is not supported for nesting but in some corner
> > cases it is possible to have it still be enabled,
> > after we entered nesting, and use vmcb02.
> >
> > Fix this by always using vmcb01 in svm_refresh_apicv_exec_ctrl
>
> Please be more verbose about the corner case (and then the second
> paragraph should not be necessary anymore).
I will do it.
The issue can happen only after patch 8 is applied, because then AVIC disable on
the current vCPU is always deferred.
I think that currently the problem in this patch can't happen because
kvm_request_apicv_update(..., APICV_INHIBIT_REASON_NESTED) is called on each vCPU
from svm_vcpu_after_set_cpuid, and since it disables it on current vCPU, the
AVIC is fully disabled on all vCPUs when we get to the first guest entry, even if nested
(after a migration the first guest entry can be already nested)
After patch 8, the AVIC disable is done at guest entry where we already are in
L2, thus we should toggle it in vmcb01, while vmcb02 shouldn't have AVIC enabled
in the first place.
Best regards,
Maxim Levitsky
>
> Paolo
>
> > Signed-off-by: Maxim Levitsky <mlevitsk@...hat.com>
> > ---
> > arch/x86/kvm/svm/avic.c | 2 +-
> > 1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/arch/x86/kvm/svm/avic.c b/arch/x86/kvm/svm/avic.c
> > index 1d01da64c333..a8ad78a2faa1 100644
> > --- a/arch/x86/kvm/svm/avic.c
> > +++ b/arch/x86/kvm/svm/avic.c
> > @@ -646,7 +646,7 @@ static int svm_set_pi_irte_mode(struct kvm_vcpu *vcpu, bool activate)
> > void svm_refresh_apicv_exec_ctrl(struct kvm_vcpu *vcpu)
> > {
> > struct vcpu_svm *svm = to_svm(vcpu);
> > - struct vmcb *vmcb = svm->vmcb;
> > + struct vmcb *vmcb = svm->vmcb01.ptr;
> > bool activated = kvm_vcpu_apicv_active(vcpu);
> >
> > if (!enable_apicv)
> >
Powered by blists - more mailing lists