From: "Radim Krčmář" <rkrcmar@redhat.com>
To: Yang Zhang <yang.zhang.wz@gmail.com>
Cc: Paolo Bonzini <pbonzini@redhat.com>,
linux-kernel@vger.kernel.org, kvm@vger.kernel.org, "Lan,
Tianyu" <tianyu.lan@intel.com>,
Igor Mammedov <imammedo@redhat.com>,
Jan Kiszka <jan.kiszka@web.de>, Peter Xu <peterx@redhat.com>
Subject: Re: [PATCH v2 04/13] KVM: x86: dynamic kvm_apic_map
Date: Mon, 11 Jul 2016 15:48:38 +0200 [thread overview]
Message-ID: <20160711134837.GD21976@potion> (raw)
In-Reply-To: <3a5d86b6-9f1a-a6cf-8af4-ef6bf3936996@gmail.com>
2016-07-11 18:14+0800, Yang Zhang:
> On 2016/7/11 15:43, Paolo Bonzini wrote:
>> On 11/07/2016 08:07, Yang Zhang wrote:
>> > >
>> > > mutex_lock(&kvm->arch.apic_map_lock);
>> > >
>> > > + kvm_for_each_vcpu(i, vcpu, kvm)
>> > > + if (kvm_apic_present(vcpu))
>> > > + max_id = max(max_id, kvm_apic_id(vcpu->arch.apic));
>> > > +
>> > > + new = kzalloc(sizeof(struct kvm_apic_map) +
>> > > + sizeof(struct kvm_lapic *) * (max_id + 1),
>> > > GFP_KERNEL);
>> > > +
>> >
>> > I think this may cause the host runs out of memory if a malicious guest
>> > did follow thing:
>> > 1. vcpu a is doing apic map recalculation.
>> > 2. vcpu b write the apic id with 0xff
>> > 3. then vcpu b enable the x2apic: in kvm_lapic_set_base(), we will set
>> > apic_base to new value before reset the apic id.
>> > 4. vcpu a may see the x2apic enabled in vcpu b plus an old apic
>> > id(0xff), and max_id will become (0xff >> 24).
Indeed, thanks. The guest doesn't even have to be malicious ...
>> The bug is not really here but in patch 6---but you're right nevertheless!
Yes.
>> I guess the easiest solution is to replace kvm_apic_id with a field in
>> struct kvm_lapic, which is already shifted right by 24 in xAPIC mode.
(I guess the fewest LOC is to look at vcpu->vcpu_id, which is equal to
x2apic id. xapic id cannot be greater than 255 and all of those are
covered by the initial value of max_id.)
> Or we can just simply put the assignment of apic_base to the end.
Yes, this would work, I'd also remove recalculates from
kvm_apic_set_*apic_id() and add a compiler barrier with comment for good
measure, even though set_virtual_x2apic_mode() serves as one.
(What makes a bit wary is that it doesn't avoid the same problem if we
changed KVM to reset apic id to xapic id first when disabling apic.)
Races in recalculation and APIC ID changes also lead to invalid physical
maps, which haven't been taken care of properly ...
Having apic id stored in big endian, or "0-7,8-31" format, would be
safest. I wanted to change the apic map to do incremental updates with
with respect to the APIC that has changed, instead of being completely
recomputed, so maybe the time is now. :)
next prev parent reply other threads:[~2016-07-11 13:48 UTC|newest]
Thread overview: 31+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-07-07 17:15 [PATCH v2 00/13] KVM: x86: break the xAPIC barrier Radim Krčmář
2016-07-07 17:15 ` [PATCH v2 01/13] KVM: x86: bump KVM_SOFT_MAX_VCPUS to 240 Radim Krčmář
2016-07-07 17:15 ` [PATCH v2 02/13] KVM: x86: add kvm_apic_map_get_dest_lapic Radim Krčmář
2016-07-07 17:15 ` [PATCH v2 03/13] KVM: x86: use physical LAPIC array for logical x2APIC Radim Krčmář
2016-07-07 17:15 ` [PATCH v2 04/13] KVM: x86: dynamic kvm_apic_map Radim Krčmář
2016-07-11 6:07 ` Yang Zhang
2016-07-11 7:43 ` Paolo Bonzini
2016-07-11 10:14 ` Yang Zhang
2016-07-11 13:48 ` Radim Krčmář [this message]
2016-07-11 14:14 ` Paolo Bonzini
2016-07-11 15:52 ` Radim Krčmář
2016-07-11 16:04 ` Paolo Bonzini
2016-07-12 3:27 ` Yang Zhang
2016-07-07 17:15 ` [PATCH v2 05/13] KVM: x86: use generic function for MSI parsing Radim Krčmář
2016-07-07 17:15 ` [PATCH v2 06/13] KVM: x86: use hardware-compatible format for APIC ID register Radim Krčmář
2016-07-07 17:15 ` [PATCH v2 07/13] KVM: x86: reset APIC ID when enabling LAPIC Radim Krčmář
2016-07-07 17:15 ` [PATCH v2 08/13] KVM: VMX: optimize APIC ID read with APICv Radim Krčmář
2016-07-07 17:15 ` [PATCH v2 09/13] KVM: x86: reset lapic base in kvm_lapic_reset Radim Krčmář
2016-07-07 17:15 ` [PATCH v2 10/13] KVM: pass struct kvm to kvm_set_routing_entry Radim Krčmář
2016-07-07 17:15 ` [PATCH v2 11/13] KVM: x86: add KVM_CAP_X2APIC_API Radim Krčmář
2016-07-11 6:06 ` Yang Zhang
2016-07-11 7:44 ` Paolo Bonzini
2016-07-11 8:56 ` Yang Zhang
2016-07-11 9:17 ` Paolo Bonzini
2016-07-11 10:33 ` Yang Zhang
2016-07-11 10:40 ` Paolo Bonzini
2016-07-07 17:15 ` [PATCH v2 12/13] KVM: x86: bump MAX_VCPUS to 288 Radim Krčmář
2016-07-07 17:15 ` [PATCH v2 13/13] KVM: x86: bump KVM_MAX_VCPU_ID to 1023 Radim Krčmář
2016-07-08 10:00 ` [PATCH v2 00/13] KVM: x86: break the xAPIC barrier Paolo Bonzini
2016-07-08 16:29 ` Radim Krčmář
2016-07-08 16:30 ` Paolo Bonzini
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20160711134837.GD21976@potion \
--to=rkrcmar@redhat.com \
--cc=imammedo@redhat.com \
--cc=jan.kiszka@web.de \
--cc=kvm@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=pbonzini@redhat.com \
--cc=peterx@redhat.com \
--cc=tianyu.lan@intel.com \
--cc=yang.zhang.wz@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).