Message-Id: <20250827152754.12481-1-lifei.shirley@bytedance.com>
Date: Wed, 27 Aug 2025 23:27:54 +0800
From: Fei Li <lifei.shirley@...edance.com>
To: seanjc@...gle.com,
	pbonzini@...hat.com,
	tglx@...utronix.de,
	mingo@...hat.com,
	bp@...en8.de,
	dave.hansen@...ux.intel.com,
	liran.alon@...cle.com,
	hpa@...or.com,
	wanpeng.li@...mail.com
Cc: kvm@...r.kernel.org,
	x86@...nel.org,
	linux-kernel@...r.kernel.org,
	Fei Li <lifei.shirley@...edance.com>,
	stable@...r.kernel.org
Subject: [PATCH] KVM: x86: Latch INITs only in specific CPU states in KVM_SET_VCPU_EVENTS

Commit ff90afa75573 ("KVM: x86: Evaluate latched_init in
KVM_SET_VCPU_EVENTS when vCPU not in SMM") changed the KVM_SET_VCPU_EVENTS
handler to set a pending LAPIC INIT event regardless of whether the vCPU
is in SMM mode or not.

However, latching INIT without checking the CPU state has a race
condition which causes the INIT event to be lost. This is fatal during
the VM startup process because it will cause some APs to never switch to
non-root mode. As commit f4ef19108608 ("KVM: X86: Fix loss of
pending INIT due to race") said:
      BSP                          AP
                     kvm_vcpu_ioctl_x86_get_vcpu_events
                       events->smi.latched_init = 0

                     kvm_vcpu_block
                       kvm_vcpu_check_block
                         schedule

send INIT to AP
                     kvm_vcpu_ioctl_x86_set_vcpu_events
                     (e.g. `info registers -a` when VM starts/reboots)
                       if (events->smi.latched_init == 0)
                         clear INIT in pending_events

                     kvm_apic_accept_events
                       test_bit(KVM_APIC_INIT, &pe) == false
                         vcpu->arch.mp_state maintains UNINITIALIZED

send SIPI to AP
                     kvm_apic_accept_events
                       test_bit(KVM_APIC_SIPI, &pe) == false
                         vcpu->arch.mp_state will never change to RUNNABLE
                         (defy: UNINITIALIZED => INIT_RECEIVED => RUNNABLE)
                           AP will never switch to non-root operation

When this race occurs, the VM hangs. E.g., the BSP loops in SeaBIOS's
SMPLock and the AP will never be reset, and qemu hmp "info registers -a"
shows:
CPU#0
EAX=00000002 EBX=00000002 ECX=00000000 EDX=00020000
ESI=00000000 EDI=00000000 EBP=00000008 ESP=00006c6c
EIP=000ef570 EFL=00000002 [-------] CPL=0 II=0 A20=1 SMM=0 HLT=0
......
CPU#1
EAX=00000000 EBX=00000000 ECX=00000000 EDX=00080660
ESI=00000000 EDI=00000000 EBP=00000000 ESP=00000000
EIP=0000fff0 EFL=00000002 [-------] CPL=0 II=0 A20=1 SMM=0 HLT=0
ES =0000 00000000 0000ffff 00009300
CS =f000 ffff0000 0000ffff 00009b00
......

Fix this by handling latched INITs only in specific CPU states (SMM,
VMX non-root mode, SVM with GIF=0) in KVM_SET_VCPU_EVENTS.

Cc: stable@...r.kernel.org
Fixes: ff90afa75573 ("KVM: x86: Evaluate latched_init in KVM_SET_VCPU_EVENTS when vCPU not in SMM")
Signed-off-by: Fei Li <lifei.shirley@...edance.com>
---
 arch/x86/kvm/x86.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
index a1c49bc681c46..7001b2af00ed1 100644
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -5556,7 +5556,7 @@ static int kvm_vcpu_ioctl_x86_set_vcpu_events(struct kvm_vcpu *vcpu,
 			return -EINVAL;
 #endif
 
-		if (lapic_in_kernel(vcpu)) {
+		if (!kvm_apic_init_sipi_allowed(vcpu) && lapic_in_kernel(vcpu)) {
 			if (events->smi.latched_init)
 				set_bit(KVM_APIC_INIT, &vcpu->arch.apic->pending_events);
 			else
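Review bot: the new `!kvm_apic_init_sipi_allowed(vcpu)` gate narrows the window but does not close it. In the states where the branch still runs (SMM, or INIT otherwise blocked), a `latched_init == 0` snapshot taken by KVM_GET_VCPU_EVENTS before an INIT arrived is still written back, and the `else` path (clearing KVM_APIC_INIT in pending_events, the step shown in the race diagram) still discards that INIT. Either the commit message should say the race is narrowed to the blocked states rather than fixed, or the `else` branch needs a separate justification for those states. Minor: put `lapic_in_kernel(vcpu)` first in the `&&`, since it is the precondition for touching `vcpu->arch.apic` and reads as the guard the block is about.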
-- 
2.39.2 (Apple Git-143)
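Added example, not code from the patch or from KVM: a user-space model of
the INIT-latching race described in the commit message. The struct and
function names (vcpu_model, replay_race, set_events_gated, ...) are
assumptions made for illustration; they mirror the logic of
kvm_apic_accept_events() and KVM_{GET,SET}_VCPU_EVENTS, with the VMX/SVM
INIT-blocking cases folded into a single in_smm flag. It replays the BSP/AP
interleaving from the diagram against both SET variants, and also checks the
case the gate must keep working: a vCPU restored while in SMM with an INIT
latched.

```c
/*
 * Added example (not the patch's or KVM's code): user-space model of the
 * INIT-latching race. vcpu_model, replay_race and the other names are
 * assumptions for illustration; in_smm stands in for every state in which
 * kvm_apic_init_sipi_allowed() would return false (SMM, GIF=0, guest mode).
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define KVM_APIC_INIT 0   /* bit numbers in the modelled pending_events */
#define KVM_APIC_SIPI 1

enum mp_state { MP_UNINITIALIZED, MP_INIT_RECEIVED, MP_RUNNABLE };

struct vcpu_model {
	uint64_t pending_events;  /* latched INIT/SIPI bits */
	enum mp_state mp_state;
	bool in_smm;              /* INIT stays latched while this is set */
};

struct vcpu_events { bool latched_init; bool smm; };

static bool init_sipi_allowed(const struct vcpu_model *v) { return !v->in_smm; }

/* KVM_GET_VCPU_EVENTS: snapshot latched_init from pending_events. */
static struct vcpu_events get_events(const struct vcpu_model *v)
{
	struct vcpu_events e = { (v->pending_events >> KVM_APIC_INIT) & 1, v->in_smm };
	return e;
}

/* KVM_SET_VCPU_EVENTS as of ff90afa75573: latched_init is applied unconditionally. */
static void set_events_unconditional(struct vcpu_model *v, struct vcpu_events e)
{
	if (e.latched_init)
		v->pending_events |= 1ull << KVM_APIC_INIT;
	else
		v->pending_events &= ~(1ull << KVM_APIC_INIT);
}

/* KVM_SET_VCPU_EVENTS with the patch: latched_init is written only while INIT is blocked. */
static void set_events_gated(struct vcpu_model *v, struct vcpu_events e)
{
	if (!init_sipi_allowed(v))
		set_events_unconditional(v, e);
}

/* IPI delivery from the BSP: INIT and SIPI are recorded in pending_events. */
static void deliver_init(struct vcpu_model *v) { v->pending_events |= 1ull << KVM_APIC_INIT; }
static void deliver_sipi(struct vcpu_model *v) { v->pending_events |= 1ull << KVM_APIC_SIPI; }

/* Modelled kvm_apic_accept_events(): INIT moves the AP to INIT_RECEIVED, a SIPI
 * then makes it RUNNABLE; a SIPI with no preceding INIT is consumed and dropped. */
static void accept_events(struct vcpu_model *v)
{
	if (!init_sipi_allowed(v))
		return;
	if (v->pending_events & (1ull << KVM_APIC_INIT)) {
		v->pending_events &= ~(1ull << KVM_APIC_INIT);
		v->mp_state = MP_INIT_RECEIVED;
	}
	if (v->pending_events & (1ull << KVM_APIC_SIPI)) {
		v->pending_events &= ~(1ull << KVM_APIC_SIPI);
		if (v->mp_state == MP_INIT_RECEIVED)
			v->mp_state = MP_RUNNABLE;
	}
}

/* Replays the BSP/AP interleaving from the commit message against one SET
 * variant and returns the AP's final mp_state. */
static enum mp_state replay_race(void (*set_events)(struct vcpu_model *, struct vcpu_events))
{
	struct vcpu_model ap = { 0, MP_UNINITIALIZED, false };
	struct vcpu_events snap = get_events(&ap);  /* latched_init == 0, no INIT yet */

	deliver_init(&ap);      /* BSP sends INIT */
	set_events(&ap, snap);  /* stale snapshot written back ("info registers -a") */
	accept_events(&ap);
	deliver_sipi(&ap);      /* BSP sends SIPI */
	accept_events(&ap);
	return ap.mp_state;
}

/* A vCPU saved in SMM with an INIT latched is restored, leaves SMM via RSM,
 * and must still see the INIT: the gated SET has to keep honouring latched_init here. */
static bool smm_restore_keeps_latched_init(void)
{
	struct vcpu_model ap = { 0, MP_UNINITIALIZED, true };
	struct vcpu_events e = { true, true };

	set_events_gated(&ap, e);
	ap.in_smm = false;  /* RSM */
	accept_events(&ap);
	return ap.mp_state == MP_INIT_RECEIVED;
}

int main(void)
{
	static const char *names[] = { "UNINITIALIZED", "INIT_RECEIVED", "RUNNABLE" };

	printf("unconditional SET: AP ends %s\n", names[replay_race(set_events_unconditional)]);
	printf("gated SET:         AP ends %s\n", names[replay_race(set_events_gated)]);
	printf("SMM restore keeps latched INIT: %s\n", smm_restore_keeps_latched_init() ? "yes" : "no");
	return 0;
}
```

With the unconditional SET the AP ends UNINITIALIZED (the SIPI is consumed
with no INIT before it), with the gated SET it ends RUNNABLE, and the SMM
restore path still delivers the latched INIT after RSM. The model also makes
the remaining window visible: set in_smm while the stale snapshot is written
back and the gated variant clears the latched INIT just as the old code did.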

