From: Sean Christopherson <seanjc@google.com>
To: Paolo Bonzini <pbonzini@redhat.com>,
Marc Zyngier <maz@kernel.org>, Anup Patel <anup@brainfault.org>,
Paul Walmsley <paul.walmsley@sifive.com>,
Palmer Dabbelt <palmer@dabbelt.com>,
Albert Ou <aou@eecs.berkeley.edu>,
Christian Borntraeger <borntraeger@linux.ibm.com>,
Janosch Frank <frankja@linux.ibm.com>,
Claudio Imbrenda <imbrenda@linux.ibm.com>,
Nathan Chancellor <nathan@kernel.org>,
Nick Desaulniers <ndesaulniers@google.com>
Cc: James Morse <james.morse@arm.com>,
Alexandru Elisei <alexandru.elisei@arm.com>,
Suzuki K Poulose <suzuki.poulose@arm.com>,
Oliver Upton <oliver.upton@linux.dev>,
Atish Patra <atishp@atishpatra.org>,
David Hildenbrand <david@redhat.com>, Tom Rix <trix@redhat.com>,
kvm@vger.kernel.org, linux-arm-kernel@lists.infradead.org,
kvmarm@lists.cs.columbia.edu, kvm-riscv@lists.infradead.org,
linux-riscv@lists.infradead.org, llvm@lists.linux.dev,
linux-kernel@vger.kernel.org,
Colton Lewis <coltonlewis@google.com>,
Peter Gonda <pgonda@google.com>,
Andrew Jones <andrew.jones@linux.dev>,
Sean Christopherson <seanjc@google.com>
Subject: [PATCH v4 5/6] KVM: selftests: Make arm64's MMIO ucall multi-VM friendly
Date: Wed, 24 Aug 2022 03:21:14 +0000 [thread overview]
Message-ID: <20220824032115.3563686-6-seanjc@google.com> (raw)
In-Reply-To: <20220824032115.3563686-1-seanjc@google.com>
Fix a mostly-theoretical bug where ARM's ucall MMIO setup could result in
different VMs stomping on each other by cloberring the global pointer.
Fix the most obvious issue by saving the MMIO gpa into the VM.
A more subtle bug is that creating VMs in parallel (on multiple tasks)
could result in a VM using the wrong address. Synchronizing a global to
a guest effectively snapshots the value on a per-VM basis, i.e. the
"global" is already prepped to work with multiple VMs, but setting the
global in the host and copying it to the guest needs to happen atomically.
To fix that bug, add atomic_sync_global_pointer_to_guest() to sync
"global" pointers that hold per-VM values, i.e. technically need to be
handled in a thread-safe manner.
Signed-off-by: Sean Christopherson <seanjc@google.com>
---
.../selftests/kvm/include/kvm_util_base.h | 16 +++++++++++++++
.../testing/selftests/kvm/lib/aarch64/ucall.c | 20 ++++++++++++++-----
2 files changed, 31 insertions(+), 5 deletions(-)
diff --git a/tools/testing/selftests/kvm/include/kvm_util_base.h b/tools/testing/selftests/kvm/include/kvm_util_base.h
index 24fde97f6121..9ec7fbe941aa 100644
--- a/tools/testing/selftests/kvm/include/kvm_util_base.h
+++ b/tools/testing/selftests/kvm/include/kvm_util_base.h
@@ -16,6 +16,7 @@
#include <linux/kvm.h>
#include "linux/rbtree.h"
+#include <asm/atomic.h>
#include <sys/ioctl.h>
@@ -81,6 +82,7 @@ struct kvm_vm {
struct sparsebit *vpages_mapped;
bool has_irqchip;
bool pgd_created;
+ vm_paddr_t ucall_mmio_addr;
vm_paddr_t pgd;
vm_vaddr_t gdt;
vm_vaddr_t tss;
@@ -714,6 +716,20 @@ kvm_userspace_memory_region_find(struct kvm_vm *vm, uint64_t start,
memcpy(&(g), _p, sizeof(g)); \
})
+/*
+ * Sync a global pointer to the guest that has a per-VM value, in which case
+ * writes to the host copy of the "global" must be serialized (in case a test
+ * is being truly crazy and spawning multiple VMs concurrently).
+ */
+#define atomic_sync_global_pointer_to_guest(vm, g, val) ({ \
+ typeof(g) *_p = addr_gva2hva(vm, (vm_vaddr_t)&(g)); \
+ \
+ while (cmpxchg(&g, NULL, val)) \
+ ; \
+ memcpy(_p, &(g), sizeof(g)); \
+ WRITE_ONCE(g, NULL); \
+})
+
void assert_on_unhandled_exception(struct kvm_vcpu *vcpu);
void vcpu_arch_dump(FILE *stream, struct kvm_vcpu *vcpu,
diff --git a/tools/testing/selftests/kvm/lib/aarch64/ucall.c b/tools/testing/selftests/kvm/lib/aarch64/ucall.c
index f02ae27c3e43..acb47c813477 100644
--- a/tools/testing/selftests/kvm/lib/aarch64/ucall.c
+++ b/tools/testing/selftests/kvm/lib/aarch64/ucall.c
@@ -6,20 +6,30 @@
*/
#include "kvm_util.h"
+/*
+ * This "global" holds different per-VM values, it must not be accessed from
+ * host code except to sync the guest value, and that must be done atomically.
+ */
static vm_vaddr_t *ucall_exit_mmio_addr;
+static void ucall_set_mmio_addr(struct kvm_vm *vm, vm_paddr_t mmio_gpa)
+{
+ vm->ucall_mmio_addr = mmio_gpa;
+
+ atomic_sync_global_pointer_to_guest(vm, ucall_exit_mmio_addr,
+ (vm_vaddr_t *)mmio_gpa);
+}
+
void ucall_arch_init(struct kvm_vm *vm, vm_paddr_t mmio_gpa)
{
virt_pg_map(vm, mmio_gpa, mmio_gpa);
- ucall_exit_mmio_addr = (vm_vaddr_t *)mmio_gpa;
- sync_global_to_guest(vm, ucall_exit_mmio_addr);
+ ucall_set_mmio_addr(vm, mmio_gpa);
}
void ucall_arch_uninit(struct kvm_vm *vm)
{
- ucall_exit_mmio_addr = 0;
- sync_global_to_guest(vm, ucall_exit_mmio_addr);
+ ucall_set_mmio_addr(vm, (vm_paddr_t)NULL);
}
void ucall_arch_do_ucall(vm_vaddr_t uc)
@@ -32,7 +42,7 @@ void *ucall_arch_get_ucall(struct kvm_vcpu *vcpu)
struct kvm_run *run = vcpu->run;
if (run->exit_reason == KVM_EXIT_MMIO &&
- run->mmio.phys_addr == (uint64_t)ucall_exit_mmio_addr) {
+ run->mmio.phys_addr == vcpu->vm->ucall_mmio_addr) {
vm_vaddr_t gva;
TEST_ASSERT(run->mmio.is_write && run->mmio.len == 8,
--
2.37.1.595.g718a3a8f04-goog
next prev parent reply other threads:[~2022-08-24 3:21 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-08-24 3:21 [PATCH v4 0/6] KVM: selftests: Implement ucall "pool" (for SEV) Sean Christopherson
2022-08-24 3:21 ` [PATCH v4 1/6] KVM: selftests: Consolidate common code for populating ucall struct Sean Christopherson
2022-08-24 3:21 ` [PATCH v4 2/6] KVM: selftests: Consolidate boilerplate code in get_ucall() Sean Christopherson
2022-08-24 3:21 ` [PATCH v4 3/6] KVM: selftests: Automatically do init_ucall() for non-barebones VMs Sean Christopherson
2022-08-24 3:21 ` [PATCH v4 4/6] tools: Add atomic_test_and_set_bit() Sean Christopherson
2022-08-24 3:21 ` Sean Christopherson [this message]
2022-08-24 15:00 ` [PATCH v4 5/6] KVM: selftests: Make arm64's MMIO ucall multi-VM friendly Oliver Upton
2022-08-24 15:32 ` Sean Christopherson
2022-08-24 3:21 ` [PATCH v4 6/6] KVM: selftests: Add ucall pool based implementation Sean Christopherson
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220824032115.3563686-6-seanjc@google.com \
--to=seanjc@google.com \
--cc=alexandru.elisei@arm.com \
--cc=andrew.jones@linux.dev \
--cc=anup@brainfault.org \
--cc=aou@eecs.berkeley.edu \
--cc=atishp@atishpatra.org \
--cc=borntraeger@linux.ibm.com \
--cc=coltonlewis@google.com \
--cc=david@redhat.com \
--cc=frankja@linux.ibm.com \
--cc=imbrenda@linux.ibm.com \
--cc=james.morse@arm.com \
--cc=kvm-riscv@lists.infradead.org \
--cc=kvm@vger.kernel.org \
--cc=kvmarm@lists.cs.columbia.edu \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-riscv@lists.infradead.org \
--cc=llvm@lists.linux.dev \
--cc=maz@kernel.org \
--cc=nathan@kernel.org \
--cc=ndesaulniers@google.com \
--cc=oliver.upton@linux.dev \
--cc=palmer@dabbelt.com \
--cc=paul.walmsley@sifive.com \
--cc=pbonzini@redhat.com \
--cc=pgonda@google.com \
--cc=suzuki.poulose@arm.com \
--cc=trix@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox