From: Jan Kiszka
Subject: KVM: x86: Racy mp_state manipulations
Date: Sun, 03 Mar 2013 17:48:29 +0100
Message-ID: <51337EDD.40303@web.de>
To: Gleb Natapov, Marcelo Tosatti
Cc: kvm

Hi all,

KVM's mp_state on x86 is usually manipulated over the context of the
VCPU. Therefore, no locking is required. There are unfortunately two
exceptions, and one of them is definitely broken: INIT and SIPI delivery.

The lapic may set mp_state over the context of the sending VCPU. For
SIPI, it first checks if the mp_state is INIT_RECEIVED before updating
it to SIPI_RECEIVED. We can only race here with user space setting the
state in parallel, I suppose. Probably harmless in practice.

What is critical is the update on INIT. That signal is asynchronous to
the target VCPU state. And we can lose it:

vcpu 1                                  vcpu 2
------                                  ------
hlt;
vmexit
                                        __apic_accept_irq(APIC_DM_INIT)
                                          mp_state = KVM_MP_STATE_INIT_RECEIVED
mp_state = KVM_MP_STATE_HALTED

And there it goes, our INIT state. I've triggered this under heavy INIT
load and my nVMX patch for processing it while in VMXON.

I'm currently considering options to fix this:
- through a lock at mp_state manipulations, check under the lock that
  we don't perform invalid state transitions (e.g. INIT->HLT)
- signal the INIT via some KVM_REQ_INIT to the target VCPU, fully
  localizing mp_state updates; the same could be done with SIPI, just
  to play safe

I'm leaning toward the latter ATM. Any thoughts or other ideas?

Jan
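As an added illustration (not part of Jan's mail or of KVM's code), the following C model replays the interleaving above and contrasts the two proposed fixes: a locked setter with a transition check, and a request bit that only the target VCPU consumes. `struct vcpu`, `set_mp_state`, `process_requests` and `REQ_INIT` are hypothetical names; the replay is sequential, so the mutex only marks where the critical section would sit.

```c
#include <pthread.h>
#include <stdbool.h>
enum mp_state { MP_RUNNABLE, MP_HALTED, MP_INIT_RECEIVED, MP_SIPI_RECEIVED };
enum fix { FIX_NONE, FIX_LOCKED_CHECK, FIX_REQUEST };
#define REQ_INIT 1u /* hypothetical request bit standing in for KVM_REQ_INIT */
struct vcpu {
    pthread_mutex_t lock;   /* option 1: serializes mp_state updates */
    enum mp_state mp_state;
    unsigned requests;      /* option 2: bits only the owning VCPU consumes */
};

/* Option 1: from INIT_RECEIVED only SIPI (or another INIT) may follow. */
static bool transition_ok(enum mp_state from, enum mp_state to)
{
    if (from == MP_INIT_RECEIVED)
        return to == MP_INIT_RECEIVED || to == MP_SIPI_RECEIVED;
    return true;
}

/* Applies the new state under the lock; returns false if it was refused. */
bool set_mp_state(struct vcpu *v, enum mp_state to, bool check)
{
    pthread_mutex_lock(&v->lock);
    bool ok = !check || transition_ok(v->mp_state, to);
    if (ok)
        v->mp_state = to;
    pthread_mutex_unlock(&v->lock);
    return ok;
}

/* Option 2: only the owning VCPU drains its requests and writes mp_state. */
void process_requests(struct vcpu *v)
{
    if (v->requests & REQ_INIT)
        v->mp_state = MP_INIT_RECEIVED;
    v->requests &= ~REQ_INIT;
}

/* The mail's interleaving: INIT lands between vcpu 1's hlt vmexit and HALTED. */
enum mp_state replay_init_race(enum fix fix)
{
    struct vcpu v1 = { PTHREAD_MUTEX_INITIALIZER, MP_RUNNABLE, 0 };
    bool check = fix == FIX_LOCKED_CHECK;
    if (fix == FIX_REQUEST)
        v1.requests |= REQ_INIT;                    /* vcpu 2: sets the bit only */
    else
        set_mp_state(&v1, MP_INIT_RECEIVED, check); /* vcpu 2: __apic_accept_irq */
    set_mp_state(&v1, MP_HALTED, check);            /* vcpu 1: hlt exit handling */
    process_requests(&v1);                          /* vcpu 1: before sleeping */
    return v1.mp_state;                             /* FIX_NONE loses the INIT */
}
```

With `FIX_NONE` the replay ends in `MP_HALTED` and the INIT is gone; either fix leaves the VCPU in `MP_INIT_RECEIVED`.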