* [PATCH v2 1/4] x86: KVM: SVM: always update the x2avic msr interception
From: Maxim Levitsky @ 2023-09-28 17:33 UTC (permalink / raw)
To: kvm
Cc: iommu, H. Peter Anvin, Sean Christopherson, Maxim Levitsky,
Paolo Bonzini, Thomas Gleixner, Borislav Petkov, Joerg Roedel,
x86, Suravee Suthikulpanit, linux-kernel, Dave Hansen,
Will Deacon, Ingo Molnar, Robin Murphy, stable
The following problem exists since x2avic was enabled in KVM:

svm_set_x2apic_msr_interception is called to enable the interception of
the x2apic msrs.

In particular, it is called at the moment the guest resets its apic.

Assuming that the guest's apic was in x2apic mode, the reset will bring
it back to the xapic mode.

The svm_set_x2apic_msr_interception however has an erroneous check for
'!apic_x2apic_mode()' which prevents it from doing anything in this case.

As a result of this, all x2apic msrs are left unintercepted, and that
exposes the bare metal x2apic (if enabled) to the guest.
Oops.

Remove the erroneous '!apic_x2apic_mode()' check to fix that.

This fixes CVE-2023-5090.
Fixes: 4d1d7942e36a ("KVM: SVM: Introduce logic to (de)activate x2AVIC mode")
Cc: stable@vger.kernel.org
Signed-off-by: Maxim Levitsky <mlevitsk@redhat.com>
---
arch/x86/kvm/svm/svm.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/arch/x86/kvm/svm/svm.c b/arch/x86/kvm/svm/svm.c
index 9507df93f410a63..acdd0b89e4715a3 100644
--- a/arch/x86/kvm/svm/svm.c
+++ b/arch/x86/kvm/svm/svm.c
@@ -913,8 +913,7 @@ void svm_set_x2apic_msr_interception(struct vcpu_svm *svm, bool intercept)
if (intercept == svm->x2avic_msrs_intercepted)
return;
- if (!x2avic_enabled ||
- !apic_x2apic_mode(svm->vcpu.arch.apic))
+ if (!x2avic_enabled)
return;
for (i = 0; i < MAX_DIRECT_ACCESS_MSRS; i++) {
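Review bot: with the apic_x2apic_mode() test gone, this function no longer consults the guest's APIC mode at all, so a caller passing intercept=false while the guest is in xAPIC mode would now disable interception of the x2APIC MSRs; the callers therefore have to be the ones guaranteeing x2APIC mode before requesting passthrough, and that precondition deserves a comment above the function (or a sentence in the commit message), since the only remaining guards are the `if (intercept == svm->x2avic_msrs_intercepted)` early return and the `if (!x2avic_enabled)` check.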
--
2.26.3
* Re: [PATCH v2 1/4] x86: KVM: SVM: always update the x2avic msr interception
From: Sean Christopherson @ 2023-09-29 0:24 UTC (permalink / raw)
To: Maxim Levitsky
Cc: kvm, iommu, H. Peter Anvin, Paolo Bonzini, Thomas Gleixner,
Borislav Petkov, Joerg Roedel, x86, Suravee Suthikulpanit,
linux-kernel, Dave Hansen, Will Deacon, Ingo Molnar, Robin Murphy,
stable
On Thu, Sep 28, 2023, Maxim Levitsky wrote:
> The following problem exists since x2avic was enabled in KVM:
>
> svm_set_x2apic_msr_interception is called to enable the interception of
Nit, svm_set_x2apic_msr_interception().
Definitely not worth another version though.
> the x2apic msrs.
>
> In particular it is called at the moment the guest resets its apic.
>
> Assuming that the guest's apic was in x2apic mode, the reset will bring
> it back to the xapic mode.
>
> The svm_set_x2apic_msr_interception however has an erroneous check for
> '!apic_x2apic_mode()' which prevents it from doing anything in this case.
>
> As a result of this, all x2apic msrs are left unintercepted, and that
> exposes the bare metal x2apic (if enabled) to the guest.
> Oops.
>
> Remove the erroneous '!apic_x2apic_mode()' check to fix that.
>
> This fixes CVE-2023-5090.
>
> Fixes: 4d1d7942e36a ("KVM: SVM: Introduce logic to (de)activate x2AVIC mode")
> Cc: stable@vger.kernel.org
> Signed-off-by: Maxim Levitsky <mlevitsk@redhat.com>
> ---
Reviewed-by: Sean Christopherson <seanjc@google.com>
* Re: [PATCH v2 1/4] x86: KVM: SVM: always update the x2avic msr interception
From: Suthikulpanit, Suravee @ 2023-10-03 3:17 UTC (permalink / raw)
To: Sean Christopherson, Maxim Levitsky
Cc: kvm, iommu, H. Peter Anvin, Paolo Bonzini, Thomas Gleixner,
Borislav Petkov, Joerg Roedel, x86, linux-kernel, Dave Hansen,
Will Deacon, Ingo Molnar, Robin Murphy, stable
Maxim,
Thanks for finding and fixing this.
On 9/29/2023 7:24 AM, Sean Christopherson wrote:
> On Thu, Sep 28, 2023, Maxim Levitsky wrote:
>> The following problem exists since x2avic was enabled in KVM:
>>
>> svm_set_x2apic_msr_interception is called to enable the interception of
>
> Nit, svm_set_x2apic_msr_interception().
>
> Definitely not worth another version though.
>
>> the x2apic msrs.
>>
>> In particular it is called at the moment the guest resets its apic.
>>
>> Assuming that the guest's apic was in x2apic mode, the reset will bring
>> it back to the xapic mode.
>>
>> The svm_set_x2apic_msr_interception however has an erroneous check for
>> '!apic_x2apic_mode()' which prevents it from doing anything in this case.
>>
>> As a result of this, all x2apic msrs are left unintercepted, and that
>> exposes the bare metal x2apic (if enabled) to the guest.
>> Oops.
>>
>> Remove the erroneous '!apic_x2apic_mode()' check to fix that.
>>
>> This fixes CVE-2023-5090.
>>
>> Fixes: 4d1d7942e36a ("KVM: SVM: Introduce logic to (de)activate x2AVIC mode")
>> Cc: stable@vger.kernel.org
>> Signed-off-by: Maxim Levitsky <mlevitsk@redhat.com>
>> ---
>
> Reviewed-by: Sean Christopherson <seanjc@google.com>
Reviewed-by: Suravee Suthikulpanit <suravee.suthikulpanit@amd.com>
Tested-by: Suravee Suthikulpanit <suravee.suthikulpanit@amd.com>
* [PATCH v2 2/4] x86: KVM: SVM: add support for Invalid IPI Vector interception
From: Maxim Levitsky @ 2023-09-28 17:33 UTC (permalink / raw)
To: kvm
Cc: iommu, H. Peter Anvin, Sean Christopherson, Maxim Levitsky,
Paolo Bonzini, Thomas Gleixner, Borislav Petkov, Joerg Roedel,
x86, Suravee Suthikulpanit, linux-kernel, Dave Hansen,
Will Deacon, Ingo Molnar, Robin Murphy, stable
In later revisions of AMD's APM, there is a new 'incomplete IPI' exit code:

"Invalid IPI Vector - The vector for the specified IPI was set to an
illegal value (VEC < 16)"

Note that tests on a Zen2 machine show that this VM exit doesn't happen and
instead AVIC just does nothing.

Add support for this exit code by doing nothing, instead of filling
the kernel log with errors.

Also replace an unthrottled 'pr_err()' if another unknown incomplete
IPI exit happens with vcpu_unimpl()
(e.g. in case AMD adds yet another 'Invalid IPI' exit reason)
Cc: <stable@vger.kernel.org>
Signed-off-by: Maxim Levitsky <mlevitsk@redhat.com>
---
arch/x86/include/asm/svm.h | 1 +
arch/x86/kvm/svm/avic.c | 5 ++++-
2 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/arch/x86/include/asm/svm.h b/arch/x86/include/asm/svm.h
index 19bf955b67e0da0..3ac0ffc4f3e202b 100644
--- a/arch/x86/include/asm/svm.h
+++ b/arch/x86/include/asm/svm.h
@@ -268,6 +268,7 @@ enum avic_ipi_failure_cause {
AVIC_IPI_FAILURE_TARGET_NOT_RUNNING,
AVIC_IPI_FAILURE_INVALID_TARGET,
AVIC_IPI_FAILURE_INVALID_BACKING_PAGE,
+ AVIC_IPI_FAILURE_INVALID_IPI_VECTOR,
};
#define AVIC_PHYSICAL_MAX_INDEX_MASK GENMASK_ULL(8, 0)
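Review bot: the new enumerator is appended after AVIC_IPI_FAILURE_INVALID_BACKING_PAGE, which keeps the existing hardware-defined values unchanged, but neither the hunk nor the commit message names the APM revision that defines this exit code; a comment on the `+ AVIC_IPI_FAILURE_INVALID_IPI_VECTOR,` line citing the APM section (or a Link: tag in the message) would let future readers verify the encoding against the spec.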
diff --git a/arch/x86/kvm/svm/avic.c b/arch/x86/kvm/svm/avic.c
index 2092db892d7d052..4b74ea91f4e6bb6 100644
--- a/arch/x86/kvm/svm/avic.c
+++ b/arch/x86/kvm/svm/avic.c
@@ -529,8 +529,11 @@ int avic_incomplete_ipi_interception(struct kvm_vcpu *vcpu)
case AVIC_IPI_FAILURE_INVALID_BACKING_PAGE:
WARN_ONCE(1, "Invalid backing page\n");
break;
+ case AVIC_IPI_FAILURE_INVALID_IPI_VECTOR:
+ /* Invalid IPI with vector < 16 */
+ break;
default:
- pr_err("Unknown IPI interception\n");
+ vcpu_unimpl(vcpu, "Unknown avic incomplete IPI interception\n");
}
return 1;
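Review bot: the new AVIC_IPI_FAILURE_INVALID_IPI_VECTOR case silently drops the exit, and the comment `/* Invalid IPI with vector < 16 */` says what the exit is but not why ignoring it is correct; restating the commit message's observation (AVIC on Zen2 simply does nothing for such IPIs, so dropping the exit matches what the hardware does when it does not report it) would make the no-op self-explanatory to someone reading only the code.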
--
2.26.3
* Re: [PATCH v2 2/4] x86: KVM: SVM: add support for Invalid IPI Vector interception
From: Sean Christopherson @ 2023-09-29 0:42 UTC (permalink / raw)
To: Maxim Levitsky
Cc: kvm, iommu, H. Peter Anvin, Paolo Bonzini, Thomas Gleixner,
Borislav Petkov, Joerg Roedel, x86, Suravee Suthikulpanit,
linux-kernel, Dave Hansen, Will Deacon, Ingo Molnar, Robin Murphy,
stable
On Thu, Sep 28, 2023, Maxim Levitsky wrote:
> In later revisions of AMD's APM, there is a new 'incomplete IPI' exit code:
>
> "Invalid IPI Vector - The vector for the specified IPI was set to an
> illegal value (VEC < 16)"
>
> Note that tests on a Zen2 machine show that this VM exit doesn't happen and
> instead AVIC just does nothing.
>
> Add support for this exit code by doing nothing, instead of filling
> the kernel log with errors.
>
> Also replace an unthrottled 'pr_err()' if another unknown incomplete
> IPI exit happens with vcpu_unimpl()
>
> (e.g. in case AMD adds yet another 'Invalid IPI' exit reason)
>
> Cc: <stable@vger.kernel.org>
> Signed-off-by: Maxim Levitsky <mlevitsk@redhat.com>
> ---
Reviewed-by: Sean Christopherson <seanjc@google.com>
* [PATCH v2 3/4] x86: KVM: SVM: refresh AVIC inhibition in svm_leave_nested()
From: Maxim Levitsky @ 2023-09-28 17:33 UTC (permalink / raw)
To: kvm
Cc: iommu, H. Peter Anvin, Sean Christopherson, Maxim Levitsky,
Paolo Bonzini, Thomas Gleixner, Borislav Petkov, Joerg Roedel,
x86, Suravee Suthikulpanit, linux-kernel, Dave Hansen,
Will Deacon, Ingo Molnar, Robin Murphy, stable
svm_leave_nested(), similar to a nested VM exit, gets the vCPU out of nested
mode and thus should end the local inhibition of AVIC on this vCPU.

Failure to do so can lead to hangs on guest reboot.

Raise the KVM_REQ_APICV_UPDATE request to refresh the AVIC state of the
current vCPU in this case.
Fixes: f44509f849fe ("KVM: x86: SVM: allow AVIC to co-exist with a nested guest running")
Cc: stable@vger.kernel.org
Signed-off-by: Maxim Levitsky <mlevitsk@redhat.com>
---
arch/x86/kvm/svm/nested.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/arch/x86/kvm/svm/nested.c b/arch/x86/kvm/svm/nested.c
index dd496c9e5f91f28..3fea8c47679e689 100644
--- a/arch/x86/kvm/svm/nested.c
+++ b/arch/x86/kvm/svm/nested.c
@@ -1253,6 +1253,9 @@ void svm_leave_nested(struct kvm_vcpu *vcpu)
nested_svm_uninit_mmu_context(vcpu);
vmcb_mark_all_dirty(svm->vmcb);
+
+ if (kvm_apicv_activated(vcpu->kvm))
+ kvm_make_request(KVM_REQ_APICV_UPDATE, vcpu);
}
kvm_clear_request(KVM_REQ_GET_NESTED_STATE_PAGES, vcpu);
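Review bot: the added request sits inside the block closed by the `}` just before kvm_clear_request(), so it is raised only on that path and not on every call to svm_leave_nested(); the commit message should say which condition that block is (presumably the vCPU having actually been in guest mode). Also, the `if (kvm_apicv_activated(vcpu->kvm))` guard tests the VM-wide state while the message talks about per-vCPU local inhibition, so a one-line comment noting that the refresh is skipped when AVIC is inhibited VM-wide anyway would help.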
--
2.26.3
* Re: [PATCH v2 3/4] x86: KVM: SVM: refresh AVIC inhibition in svm_leave_nested()
From: Sean Christopherson @ 2023-09-29 0:42 UTC (permalink / raw)
To: Maxim Levitsky
Cc: kvm, iommu, H. Peter Anvin, Paolo Bonzini, Thomas Gleixner,
Borislav Petkov, Joerg Roedel, x86, Suravee Suthikulpanit,
linux-kernel, Dave Hansen, Will Deacon, Ingo Molnar, Robin Murphy,
stable
On Thu, Sep 28, 2023, Maxim Levitsky wrote:
> svm_leave_nested(), similar to a nested VM exit, gets the vCPU out of nested
> mode and thus should end the local inhibition of AVIC on this vCPU.
>
> Failure to do so can lead to hangs on guest reboot.
>
> Raise the KVM_REQ_APICV_UPDATE request to refresh the AVIC state of the
> current vCPU in this case.
>
> Fixes: f44509f849fe ("KVM: x86: SVM: allow AVIC to co-exist with a nested guest running")
> Cc: stable@vger.kernel.org
> Signed-off-by: Maxim Levitsky <mlevitsk@redhat.com>
> ---
Reviewed-by: Sean Christopherson <seanjc@google.com>