| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <aK8r11trXDjBnRON@google.com>
Date: Wed, 27 Aug 2025 09:01:27 -0700
From: Sean Christopherson <seanjc@...gle.com>
To: Fei Li <lifei.shirley@...edance.com>
Cc: pbonzini@...hat.com, tglx@...utronix.de, mingo@...hat.com, bp@...en8.de,
dave.hansen@...ux.intel.com, liran.alon@...cle.com, hpa@...or.com,
wanpeng.li@...mail.com, kvm@...r.kernel.org, x86@...nel.org,
linux-kernel@...r.kernel.org, stable@...r.kernel.org
Subject: Re: [PATCH] KVM: x86: Latch INITs only in specific CPU states in KVM_SET_VCPU_EVENTS
On Wed, Aug 27, 2025, Fei Li wrote:
> Commit ff90afa75573 ("KVM: x86: Evaluate latched_init in
> KVM_SET_VCPU_EVENTS when vCPU not in SMM") changes KVM_SET_VCPU_EVENTS
> handler to set pending LAPIC INIT event regardless of if vCPU is in
> SMM mode or not.
>
> However, latch INIT without checking CPU state exists race condition,
> which causes the loss of INIT event. This is fatal during the VM
> startup process because it will cause some AP to never switch to
> non-root mode. Just as commit f4ef19108608 ("KVM: X86: Fix loss of
> pending INIT due to race") said:
> BSP AP
> kvm_vcpu_ioctl_x86_get_vcpu_events
> events->smi.latched_init = 0
>
> kvm_vcpu_block
> kvm_vcpu_check_block
> schedule
>
> send INIT to AP
> kvm_vcpu_ioctl_x86_set_vcpu_events
> (e.g. `info registers -a` when VM starts/reboots)
> if (events->smi.latched_init == 0)
> clear INIT in pending_events
This is a QEMU bug, no? IIUC, it's invoking kvm_vcpu_ioctl_x86_set_vcpu_events()
with stale data. I'm also a bit confused as to how QEMU is even gaining control
of the vCPU to emit KVM_SET_VCPU_EVENTS if the vCPU is in kvm_vcpu_block().
> kvm_apic_accept_events
> test_bit(KVM_APIC_INIT, &pe) == false
> vcpu->arch.mp_state maintains UNINITIALIZED
>
> send SIPI to AP
> kvm_apic_accept_events
> test_bit(KVM_APIC_SIPI, &pe) == false
> vcpu->arch.mp_state will never change to RUNNABLE
> (defy: UNINITIALIZED => INIT_RECEIVED => RUNNABLE)
> AP will never switch to non-root operation
>
> In such race result, VM hangs. E.g., BSP loops in SeaBIOS's SMPLock and
> AP will never be reset, and qemu hmp "info registers -a" shows:
> CPU#0
> EAX=00000002 EBX=00000002 ECX=00000000 EDX=00020000
> ESI=00000000 EDI=00000000 EBP=00000008 ESP=00006c6c
> EIP=000ef570 EFL=00000002 [-------] CPL=0 II=0 A20=1 SMM=0 HLT=0
> ......
> CPU#1
> EAX=00000000 EBX=00000000 ECX=00000000 EDX=00080660
> ESI=00000000 EDI=00000000 EBP=00000000 ESP=00000000
> EIP=0000fff0 EFL=00000002 [-------] CPL=0 II=0 A20=1 SMM=0 HLT=0
> ES =0000 00000000 0000ffff 00009300
> CS =f000 ffff0000 0000ffff 00009b00
> ......
>
> Fix this by handling latched INITs only in specific CPU states (SMM,
> VMX non-root mode, SVM with GIF=0) in KVM_SET_VCPU_EVENTS.
>
> Cc: stable@...r.kernel.org
> Fixes: ff90afa75573 ("KVM: x86: Evaluate latched_init in KVM_SET_VCPU_EVENTS when vCPU not in SMM")
> Signed-off-by: Fei Li <lifei.shirley@...edance.com>
> ---
> arch/x86/kvm/x86.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
> index a1c49bc681c46..7001b2af00ed1 100644
> --- a/arch/x86/kvm/x86.c
> +++ b/arch/x86/kvm/x86.c
> @@ -5556,7 +5556,7 @@ static int kvm_vcpu_ioctl_x86_set_vcpu_events(struct kvm_vcpu *vcpu,
> return -EINVAL;
> #endif
>
> - if (lapic_in_kernel(vcpu)) {
> + if (!kvm_apic_init_sipi_allowed(vcpu) && lapic_in_kernel(vcpu)) {
> if (events->smi.latched_init)
> set_bit(KVM_APIC_INIT, &vcpu->arch.apic->pending_events);
> else
> --
> 2.39.2 (Apple Git-143)
>
Powered by blists - more mailing lists