[patch 0/2] fix lapic_timer_advance_ns guest triggerable unlimited delays

[patch 0/2] fix lapic_timer_advance_ns guest triggerable unlimited delays

[Marcelo Tosatti]

The host timer which emulates the guest LAPIC TSC deadline
timer has its expiration diminished by lapic_timer_advance_ns
nanoseconds. Therefore if, at wait_lapic_expire, a difference
larger than lapic_timer_advance_ns is encountered, delay at most
lapic_timer_advance_ns.

This fixes a problem where the guest can cause the host
to delay for large amounts of time.

Thanks to Alan Jenkins for reporting.

[patch 1/2] KVM: x86: move nsec_to_cycles from x86.c to x86.h

[Marcelo Tosatti]

[-- Attachment #1: move-nsecs-to-cycles --]
[-- Type: text/plain, Size: 1229 bytes --]

Move the inline function nsec_to_cycles from x86.c to x86.h, as 
the next patch uses it from lapic.c.

Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>

Index: kvm/arch/x86/kvm/x86.c
===================================================================
--- kvm.orig/arch/x86/kvm/x86.c
+++ kvm/arch/x86/kvm/x86.c
@@ -1205,12 +1205,6 @@ static atomic_t kvm_guest_has_master_clo
 static DEFINE_PER_CPU(unsigned long, cpu_tsc_khz);
 static unsigned long max_tsc_khz;
 
-static inline u64 nsec_to_cycles(struct kvm_vcpu *vcpu, u64 nsec)
-{
-	return pvclock_scale_delta(nsec, vcpu->arch.virtual_tsc_mult,
-				   vcpu->arch.virtual_tsc_shift);
-}
-
 static u32 adjust_tsc_khz(u32 khz, s32 ppm)
 {
 	u64 v = (u64)khz * (1000000 + ppm);
Index: kvm/arch/x86/kvm/x86.h
===================================================================
--- kvm.orig/arch/x86/kvm/x86.h
+++ kvm/arch/x86/kvm/x86.h
@@ -174,4 +174,10 @@ extern unsigned int min_timer_period_us;
 extern unsigned int lapic_timer_advance_ns;
 
 extern struct static_key kvm_no_apic_vcpu;
+
+static inline u64 nsec_to_cycles(struct kvm_vcpu *vcpu, u64 nsec)
+{
+	return pvclock_scale_delta(nsec, vcpu->arch.virtual_tsc_mult,
+				   vcpu->arch.virtual_tsc_shift);
+}
 #endif

[patch 2/2] KVM: LAPIC: cap __delay at lapic_timer_advance_ns

[Marcelo Tosatti]

[-- Attachment #1: lapic-cap-wait --]
[-- Type: text/plain, Size: 1009 bytes --]

The host timer which emulates the guest LAPIC TSC deadline
timer has its expiration diminished by lapic_timer_advance_ns
nanoseconds. Therefore if, at wait_lapic_expire, a difference
larger than lapic_timer_advance_ns is encountered, delay at most
lapic_timer_advance_ns.

This fixes a problem where the guest can cause the host
to delay for large amounts of time.

Reported-by: Alan Jenkins <alan.christopher.jenkins@gmail.com>
Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>

Index: kvm/arch/x86/kvm/lapic.c
===================================================================
--- kvm.orig/arch/x86/kvm/lapic.c
+++ kvm/arch/x86/kvm/lapic.c
@@ -1164,7 +1164,8 @@ void wait_lapic_expire(struct kvm_vcpu *
 
 	/* __delay is delay_tsc whenever the hardware has TSC, thus always.  */
 	if (guest_tsc < tsc_deadline)
-		__delay(tsc_deadline - guest_tsc);
+		__delay(max(tsc_deadline - guest_tsc,
+			nsec_to_cycles(vcpu, lapic_timer_advance_ns)));
 }
 
 static void start_apic_timer(struct kvm_lapic *apic)

[patch 2/2 V2] KVM: LAPIC: cap __delay at lapic_timer_advance_ns

[Marcelo Tosatti]

The host timer which emulates the guest LAPIC TSC deadline
timer has its expiration diminished by lapic_timer_advance_ns
nanoseconds. Therefore if, at wait_lapic_expire, a difference
larger than lapic_timer_advance_ns is encountered, delay at most
lapic_timer_advance_ns.

This fixes a problem where the guest can cause the host
to delay for large amounts of time.

Reported-by: Alan Jenkins <alan.christopher.jenkins@gmail.com>
Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>

---

v2: s/max/min/ !

Index: kvm/arch/x86/kvm/lapic.c
===================================================================
--- kvm.orig/arch/x86/kvm/lapic.c
+++ kvm/arch/x86/kvm/lapic.c
@@ -1164,7 +1164,8 @@ void wait_lapic_expire(struct kvm_vcpu *
 
 	/* __delay is delay_tsc whenever the hardware has TSC, thus always.  */
 	if (guest_tsc < tsc_deadline)
-		__delay(tsc_deadline - guest_tsc);
+		__delay(min(tsc_deadline - guest_tsc,
+			nsec_to_cycles(vcpu, lapic_timer_advance_ns)));
 }
 
 static void start_apic_timer(struct kvm_lapic *apic)

Re: [patch 0/2] fix lapic_timer_advance_ns guest triggerable unlimited delays

[Paolo Bonzini]

On 21/06/2016 03:28, Marcelo Tosatti wrote:
> The host timer which emulates the guest LAPIC TSC deadline
> timer has its expiration diminished by lapic_timer_advance_ns
> nanoseconds. Therefore if, at wait_lapic_expire, a difference
> larger than lapic_timer_advance_ns is encountered, delay at most
> lapic_timer_advance_ns.
> 
> This fixes a problem where the guest can cause the host
> to delay for large amounts of time.
> 
> Thanks to Alan Jenkins for reporting.

Applying to kvm/master, thanks.

Paolo

Re: [patch 2/2 V2] KVM: LAPIC: cap __delay at lapic_timer_advance_ns

[Alan Jenkins]

On 21/06/2016, Marcelo Tosatti <mtosatti@redhat.com> wrote:
> The host timer which emulates the guest LAPIC TSC deadline
> timer has its expiration diminished by lapic_timer_advance_ns
> nanoseconds. Therefore if, at wait_lapic_expire, a difference
> larger than lapic_timer_advance_ns is encountered, delay at most
> lapic_timer_advance_ns.
>
> This fixes a problem where the guest can cause the host
> to delay for large amounts of time.
>
> Reported-by: Alan Jenkins <alan.christopher.jenkins@gmail.com>
> Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>
>
> ---
>
> v2: s/max/min/ !
>
> Index: kvm/arch/x86/kvm/lapic.c
> ===================================================================
> --- kvm.orig/arch/x86/kvm/lapic.c
> +++ kvm/arch/x86/kvm/lapic.c
> @@ -1164,7 +1164,8 @@ void wait_lapic_expire(struct kvm_vcpu *
>
>  	/* __delay is delay_tsc whenever the hardware has TSC, thus always.  */
>  	if (guest_tsc < tsc_deadline)
> -		__delay(tsc_deadline - guest_tsc);
> +		__delay(min(tsc_deadline - guest_tsc,
> +			nsec_to_cycles(vcpu, lapic_timer_advance_ns)));
>  }
>
>  static void start_apic_timer(struct kvm_lapic *apic)
>

Can we make sure this is sent to -stable?

Since I tested this approach (I think complete with the same max/min
correction :) before I started trying to boil the ocean, it looks good
to me.

I expect nsec_to_cycles() always rounds down. Any rounding up would be
undesirable :) - but this way, even if host sets tsc_khz=1, all that
can happen is the guest is woken 1 tick before the deadline is met. It
wouldn't be a whole millisecond early in real time either, just as
much as lapic_timer_advance_ns.

And talking of scaling, it will cut off the other potential lockup as
well where we currently fail to scale the guest delay down into host
TSC ticks.

I also suggested guests could observe early wakeup when sysadmins tune
lapic_timer_advance_ns (i.e. it was reduced after the timer was set).
But Paolo pointed out the nice way to fix that would be to make
lapic_timer_advance_ns read-only (explicit requirement to `rmmod kvm`
before you can try a different value).

Thanks for this
Alan