From: Sean Christopherson <seanjc@google.com>
To: Maxim Levitsky <mlevitsk@redhat.com>
Cc: kvm@vger.kernel.org, Jim Mattson <jmattson@google.com>,
"H. Peter Anvin" <hpa@zytor.com>,
linux-kernel@vger.kernel.org,
Vitaly Kuznetsov <vkuznets@redhat.com>,
Paolo Bonzini <pbonzini@redhat.com>,
Joerg Roedel <joro@8bytes.org>,
Thomas Gleixner <tglx@linutronix.de>,
Dave Hansen <dave.hansen@linux.intel.com>,
Wanpeng Li <wanpengli@tencent.com>,
Borislav Petkov <bp@alien8.de>,
x86@kernel.org
Subject: Re: [PATCH 4/4] KVM: x86: lapic: don't allow to set non default apic id when not using x2apic api
Date: Tue, 1 Mar 2022 16:56:07 +0000 [thread overview]
Message-ID: <Yh5QJ4dJm63fC42n@google.com> (raw)
In-Reply-To: <20220301135526.136554-5-mlevitsk@redhat.com>
Please, please post standalone patches/fixes as standalone patches/fixes. And in
general, keep series to one topic. There is very real value in following the
established and documented process, e.g. avoids creating artificial dependencies
where a changes works only because of an "unrelated" patch earlier in the series.
And for us reviewers, it helps tremendously as it means I can scan just the cover
letter for a series to prioritize review accordingly. Bundling things together
means I have to scan through every patch to triage the series..
On Tue, Mar 01, 2022, Maxim Levitsky wrote:
> Fix a loop hole in setting the apic state that didn't check if
Heh, "loophole", took me a second to figure out there was no literal loop. :-)
> apic id == vcpu_id when x2apic is enabled but userspace is using
> a older variant of the ioctl which didn't had 32 bit apic ids.
>
> Signed-off-by: Maxim Levitsky <mlevitsk@redhat.com>
> ---
> arch/x86/kvm/lapic.c | 17 ++++++++---------
> 1 file changed, 8 insertions(+), 9 deletions(-)
>
> diff --git a/arch/x86/kvm/lapic.c b/arch/x86/kvm/lapic.c
> index 80a2020c4db40..8d35f56c64020 100644
> --- a/arch/x86/kvm/lapic.c
> +++ b/arch/x86/kvm/lapic.c
> @@ -2618,15 +2618,14 @@ static int kvm_apic_state_fixup(struct kvm_vcpu *vcpu,
> u32 *ldr = (u32 *)(s->regs + APIC_LDR);
> u64 icr;
>
> - if (vcpu->kvm->arch.x2apic_format) {
> - if (*id != vcpu->vcpu_id)
> - return -EINVAL;
> - } else {
> - if (set)
> - *id >>= 24;
> - else
> - *id <<= 24;
> - }
> + if (!vcpu->kvm->arch.x2apic_format && set)
> + *id >>= 24;
> +
> + if (*id != vcpu->vcpu_id)
> + return -EINVAL;
This breaks backwards compability, userspace will start failing where it previously
succeeded. It doesn't even require a malicious userspace, e.g. if userspace creates
a vCPU with a vcpu_id > 255 vCPUs, the shift will truncate and cause failure. It'll
obviously do weird things, but this code is 5.5 years old, I don't think it's worth
trying to close a loophole that doesn't harm KVM.
If we provide a way for userspace to opt into disallowiong APICID != vcpu_id, we
can address this further upstream, e.g. reject vcpu_id > 255 without x2apic_format.
> +
> + if (!vcpu->kvm->arch.x2apic_format && !set)
> + *id <<= 24;
>
> /*
> * In x2APIC mode, the LDR is fixed and based on the id. And
> --
> 2.26.3
>
next prev parent reply other threads:[~2022-03-01 16:56 UTC|newest]
Thread overview: 26+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-03-01 13:55 [PATCH 0/4] SVM fixes + apic fix Maxim Levitsky
2022-03-01 13:55 ` [PATCH 1/4] KVM: x86: mark synthetic SMM vmexit as SVM_EXIT_SW Maxim Levitsky
2022-03-01 16:31 ` Sean Christopherson
2022-03-01 17:13 ` Maxim Levitsky
2022-03-09 15:46 ` Paolo Bonzini
2022-03-01 13:55 ` [PATCH 2/4] KVM: x86: SVM: disable preemption in avic_refresh_apicv_exec_ctrl Maxim Levitsky
2022-03-01 17:15 ` Sean Christopherson
2022-03-01 17:20 ` Maxim Levitsky
2022-03-01 17:23 ` Paolo Bonzini
2022-03-01 13:55 ` [PATCH 3/4] KVM: x86: SVM: use vmcb01 in avic_init_vmcb Maxim Levitsky
2022-03-01 16:21 ` Sean Christopherson
2022-03-01 17:25 ` Maxim Levitsky
2022-03-01 17:35 ` Sean Christopherson
2022-03-09 15:48 ` Paolo Bonzini
2022-03-15 12:27 ` Maxim Levitsky
2022-03-01 13:55 ` [PATCH 4/4] KVM: x86: lapic: don't allow to set non default apic id when not using x2apic api Maxim Levitsky
2022-03-01 16:56 ` Sean Christopherson [this message]
2022-03-01 17:09 ` Maxim Levitsky
2022-03-01 17:46 ` Sean Christopherson
2022-03-01 17:56 ` Maxim Levitsky
2022-03-02 11:50 ` Maxim Levitsky
2022-03-03 16:51 ` Sean Christopherson
2022-03-03 18:15 ` Maxim Levitsky
2022-03-03 19:38 ` Sean Christopherson
2022-03-03 19:49 ` Sean Christopherson
2022-03-04 10:54 ` Maxim Levitsky
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=Yh5QJ4dJm63fC42n@google.com \
--to=seanjc@google.com \
--cc=bp@alien8.de \
--cc=dave.hansen@linux.intel.com \
--cc=hpa@zytor.com \
--cc=jmattson@google.com \
--cc=joro@8bytes.org \
--cc=kvm@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mlevitsk@redhat.com \
--cc=pbonzini@redhat.com \
--cc=tglx@linutronix.de \
--cc=vkuznets@redhat.com \
--cc=wanpengli@tencent.com \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.