From: Sean Christopherson <seanjc@google.com>
To: Michal Luczaj <mhal@rbox.co>
Cc: pbonzini@redhat.com, kvm@vger.kernel.org, shuah@kernel.org
Subject: Re: [PATCH 0/2] sync_regs() TOCTOU issues
Date: Tue, 15 Aug 2023 08:40:31 -0700 [thread overview]
Message-ID: <ZNucb6NQ6ozi1vqz@google.com> (raw)
In-Reply-To: <2c823911-4712-4d06-bfb5-e6ee3f7023a7@rbox.co>
On Tue, Aug 15, 2023, Michal Luczaj wrote:
> On 8/15/23 02:48, Sean Christopherson wrote:
> > ...
> > Argh, apparently I didn't run these on AMD. The exception injection test hangs
> > because the vCPU hits triple fault shutdown, and because the VMCB is technically
> > undefined on shutdown, KVM synthesizes INIT. That starts the vCPU at the reset
> > vector and it happily fetches zeroes util being killed.
>
> Thank you for getting this. I should have mentioned, due to lack of access to
> AMD hardware, I've only tested on Intel.
>
> > @@ -115,6 +116,7 @@ static void *race_events_exc(void *arg)
> > for (;;) {
> > WRITE_ONCE(run->kvm_dirty_regs, KVM_SYNC_X86_EVENTS);
> > WRITE_ONCE(events->flags, 0);
> > + WRITE_ONCE(events->exception.nr, GP_VECTOR);
> > WRITE_ONCE(events->exception.pending, 1);
> > WRITE_ONCE(events->exception.nr, 255);
>
> Here you're setting events->exception.nr twice. Is it deliberate?
Heh, yes and no. It's partly leftover from a brief attempt to gracefully eat the
fault in the guest.
However, unless there's magic I'm missing, race_events_exc() needs to set a "good"
vector in every iteration, otherwise only the first iteration will be able to hit
the "check good, consume bad" scenario.
For race_events_inj_pen(), it should be sufficient to set the vector just once,
outside of the loop. I do think it should be explicitly set, as subtly relying
on '0' being a valid exception is a bit mean (though it does work).
next prev parent reply other threads:[~2023-08-15 15:41 UTC|newest]
Thread overview: 24+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-07-28 0:12 [PATCH 0/2] sync_regs() TOCTOU issues Michal Luczaj
2023-07-28 0:12 ` [PATCH 1/2] KVM: x86: Fix KVM_CAP_SYNC_REGS's " Michal Luczaj
2023-07-31 23:49 ` Sean Christopherson
2023-08-01 12:37 ` Michal Luczaj
2023-08-02 19:18 ` Sean Christopherson
2023-08-03 0:13 ` Michal Luczaj
2023-08-03 17:48 ` Paolo Bonzini
2023-08-03 21:15 ` Michal Luczaj
2023-08-04 9:53 ` Paolo Bonzini
2023-08-04 17:50 ` Michal Luczaj
2023-08-14 22:29 ` Michal Luczaj
2023-07-28 0:12 ` [PATCH 2/2] KVM: selftests: Extend x86's sync_regs_test to check for races Michal Luczaj
2023-08-02 21:07 ` Sean Christopherson
2023-08-03 0:44 ` Michal Luczaj
2023-08-03 16:41 ` Sean Christopherson
2023-08-03 21:14 ` Michal Luczaj
2023-08-08 23:11 ` Sean Christopherson
2023-08-02 21:11 ` [PATCH 0/2] sync_regs() TOCTOU issues Sean Christopherson
2023-08-15 0:48 ` Sean Christopherson
2023-08-15 7:37 ` Michal Luczaj
2023-08-15 15:40 ` Sean Christopherson [this message]
2023-08-15 17:49 ` Michal Luczaj
2023-08-15 18:15 ` Sean Christopherson
2023-08-15 18:38 ` Michal Luczaj
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ZNucb6NQ6ozi1vqz@google.com \
--to=seanjc@google.com \
--cc=kvm@vger.kernel.org \
--cc=mhal@rbox.co \
--cc=pbonzini@redhat.com \
--cc=shuah@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).