From: Oliver Upton <oupton@google.com> To: kvm@vger.kernel.org, kvmarm@lists.cs.columbia.edu Cc: Marc Zyngier <maz@kernel.org>, Peter Shier <pshier@google.com>, Ricardo Koller <ricarkol@google.com>, Jing Zhang <jingzhangos@google.com>, Raghavendra Rao Anata <rananta@google.com>, James Morse <james.morse@arm.com>, Alexandru Elisei <alexandru.elisei@arm.com>, Suzuki K Poulose <suzuki.poulose@arm.com>, Oliver Upton <oupton@google.com> Subject: [PATCH 2/4] KVM: arm64: Handle PSCI resets before userspace touches vCPU state Date: Wed, 18 Aug 2021 08:50:45 +0000 [thread overview] Message-ID: <20210818085047.1005285-3-oupton@google.com> (raw) In-Reply-To: <20210818085047.1005285-1-oupton@google.com> The CPU_ON PSCI call takes a payload that KVM uses to configure a destination vCPU to run. This payload is non-architectural state and not exposed through any existing UAPI. Effectively, we have a race between CPU_ON and userspace saving/restoring a guest: if the target vCPU isn't ran again before the VMM saves its state, the requested PC and context ID are lost. When restored, the target vCPU will be runnable and start executing at its old PC. We can avoid this race by making sure the reset payload is serviced before userspace can access a vCPU's state. This is, of course, a hairy ugly hack. A benefit of such a hack, though, is that we've managed to massage the reset state into the architected state, thereby making it migratable without forcing userspace to play our game with a UAPI addition. Fixes: 358b28f09f0a ("arm/arm64: KVM: Allow a VCPU to fully reset itself") Signed-off-by: Oliver Upton <oupton@google.com> --- I really hate this, but my imagination is failing me on any other way to cure the race without cluing in userspace. Any ideas? arch/arm64/kvm/arm.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/arch/arm64/kvm/arm.c b/arch/arm64/kvm/arm.c index 0de4b41c3706..6b124c29c663 100644 --- a/arch/arm64/kvm/arm.c +++ b/arch/arm64/kvm/arm.c @@ -1216,6 +1216,15 @@ long kvm_arch_vcpu_ioctl(struct file *filp, if (copy_from_user(®, argp, sizeof(reg))) break; + /* + * ugly hack. We could owe a reset due to PSCI and not yet + * serviced it. Prevent userspace from reading/writing state + * that will be clobbered by the eventual handling of the reset + * bit. + */ + if (kvm_check_request(KVM_REQ_VCPU_RESET, vcpu)) + kvm_reset_vcpu(vcpu); + if (ioctl == KVM_SET_ONE_REG) r = kvm_arm_set_reg(vcpu, ®); else -- 2.33.0.rc1.237.g0d66db33f3-goog
WARNING: multiple messages have this Message-ID (diff)
From: Oliver Upton <oupton@google.com> To: kvm@vger.kernel.org, kvmarm@lists.cs.columbia.edu Cc: Marc Zyngier <maz@kernel.org>, Peter Shier <pshier@google.com>, Raghavendra Rao Anata <rananta@google.com> Subject: [PATCH 2/4] KVM: arm64: Handle PSCI resets before userspace touches vCPU state Date: Wed, 18 Aug 2021 08:50:45 +0000 [thread overview] Message-ID: <20210818085047.1005285-3-oupton@google.com> (raw) In-Reply-To: <20210818085047.1005285-1-oupton@google.com> The CPU_ON PSCI call takes a payload that KVM uses to configure a destination vCPU to run. This payload is non-architectural state and not exposed through any existing UAPI. Effectively, we have a race between CPU_ON and userspace saving/restoring a guest: if the target vCPU isn't ran again before the VMM saves its state, the requested PC and context ID are lost. When restored, the target vCPU will be runnable and start executing at its old PC. We can avoid this race by making sure the reset payload is serviced before userspace can access a vCPU's state. This is, of course, a hairy ugly hack. A benefit of such a hack, though, is that we've managed to massage the reset state into the architected state, thereby making it migratable without forcing userspace to play our game with a UAPI addition. Fixes: 358b28f09f0a ("arm/arm64: KVM: Allow a VCPU to fully reset itself") Signed-off-by: Oliver Upton <oupton@google.com> --- I really hate this, but my imagination is failing me on any other way to cure the race without cluing in userspace. Any ideas? arch/arm64/kvm/arm.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/arch/arm64/kvm/arm.c b/arch/arm64/kvm/arm.c index 0de4b41c3706..6b124c29c663 100644 --- a/arch/arm64/kvm/arm.c +++ b/arch/arm64/kvm/arm.c @@ -1216,6 +1216,15 @@ long kvm_arch_vcpu_ioctl(struct file *filp, if (copy_from_user(®, argp, sizeof(reg))) break; + /* + * ugly hack. We could owe a reset due to PSCI and not yet + * serviced it. Prevent userspace from reading/writing state + * that will be clobbered by the eventual handling of the reset + * bit. + */ + if (kvm_check_request(KVM_REQ_VCPU_RESET, vcpu)) + kvm_reset_vcpu(vcpu); + if (ioctl == KVM_SET_ONE_REG) r = kvm_arm_set_reg(vcpu, ®); else -- 2.33.0.rc1.237.g0d66db33f3-goog _______________________________________________ kvmarm mailing list kvmarm@lists.cs.columbia.edu https://lists.cs.columbia.edu/mailman/listinfo/kvmarm
next prev parent reply other threads:[~2021-08-18 8:51 UTC|newest] Thread overview: 20+ messages / expand[flat|nested] mbox.gz Atom feed top 2021-08-18 8:50 [PATCH 0/4] KVM: arm64: Fix some races in CPU_ON PSCI call Oliver Upton 2021-08-18 8:50 ` Oliver Upton 2021-08-18 8:50 ` [PATCH 1/4] KVM: arm64: Fix read-side race on updates to vcpu reset state Oliver Upton 2021-08-18 8:50 ` Oliver Upton 2021-08-18 10:06 ` Marc Zyngier 2021-08-18 10:06 ` Marc Zyngier 2021-08-18 8:50 ` Oliver Upton [this message] 2021-08-18 8:50 ` [PATCH 2/4] KVM: arm64: Handle PSCI resets before userspace touches vCPU state Oliver Upton 2021-08-18 10:38 ` Marc Zyngier 2021-08-18 10:38 ` Marc Zyngier 2021-08-18 8:50 ` [PATCH 3/4] KVM: arm64: Enforce reserved bits for PSCI target affinities Oliver Upton 2021-08-18 8:50 ` Oliver Upton 2021-08-18 11:12 ` Marc Zyngier 2021-08-18 11:12 ` Marc Zyngier 2021-08-18 8:50 ` [PATCH 4/4] selftests: KVM: Introduce psci_cpu_on_test Oliver Upton 2021-08-18 8:50 ` Oliver Upton 2021-08-18 14:42 ` Andrew Jones 2021-08-18 14:42 ` Andrew Jones 2021-08-18 11:32 ` [PATCH 0/4] KVM: arm64: Fix some races in CPU_ON PSCI call Marc Zyngier 2021-08-18 11:32 ` Marc Zyngier
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=20210818085047.1005285-3-oupton@google.com \ --to=oupton@google.com \ --cc=alexandru.elisei@arm.com \ --cc=james.morse@arm.com \ --cc=jingzhangos@google.com \ --cc=kvm@vger.kernel.org \ --cc=kvmarm@lists.cs.columbia.edu \ --cc=maz@kernel.org \ --cc=pshier@google.com \ --cc=rananta@google.com \ --cc=ricarkol@google.com \ --cc=suzuki.poulose@arm.com \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: linkBe sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.