From: Nitesh Lal <nilal@redhat.com>
To: Maxim Levitsky <mlevitsk@redhat.com>
Cc: Vitaly Kuznetsov <vkuznets@redhat.com>,
Eduardo Habkost <ehabkost@redhat.com>,
kvm@vger.kernel.org, Paolo Bonzini <pbonzini@redhat.com>,
Sean Christopherson <seanjc@google.com>,
Wanpeng Li <wanpengli@tencent.com>,
Jim Mattson <jmattson@google.com>,
"Dr. David Alan Gilbert" <dgilbert@redhat.com>,
Nitesh Narayan Lal <nitesh@redhat.com>,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH v2 4/4] KVM: x86: Fix stack-out-of-bounds memory access from ioapic_write_indirect()
Date: Mon, 30 Aug 2021 15:47:10 -0400 [thread overview]
Message-ID: <CAFki+L=1UUbNVn21rh34FMk3sajb=6rUpsqSdrK82FyD+UKcTQ@mail.gmail.com> (raw)
In-Reply-To: <2df0b6d18115fb7f2701587b7937d8ddae38e36a.camel@redhat.com>
On Tue, Aug 24, 2021 at 12:08 PM Maxim Levitsky <mlevitsk@redhat.com> wrote:
>
> On Tue, 2021-08-24 at 16:42 +0200, Vitaly Kuznetsov wrote:
> > Eduardo Habkost <ehabkost@redhat.com> writes:
> >
> > > On Tue, Aug 24, 2021 at 3:13 AM Vitaly Kuznetsov <vkuznets@redhat.com> wrote:
> > > > Eduardo Habkost <ehabkost@redhat.com> writes:
> > > >
> > > > > On Mon, Aug 23, 2021 at 04:30:28PM +0200, Vitaly Kuznetsov wrote:
> > > > > > KASAN reports the following issue:
> > > > > >
> > > > > > BUG: KASAN: stack-out-of-bounds in kvm_make_vcpus_request_mask+0x174/0x440 [kvm]
> > > > > > Read of size 8 at addr ffffc9001364f638 by task qemu-kvm/4798
> > > > > >
> > > > > > CPU: 0 PID: 4798 Comm: qemu-kvm Tainted: G X --------- ---
> > > > > > Hardware name: AMD Corporation DAYTONA_X/DAYTONA_X, BIOS RYM0081C 07/13/2020
> > > > > > Call Trace:
> > > > > > dump_stack+0xa5/0xe6
> > > > > > print_address_description.constprop.0+0x18/0x130
> > > > > > ? kvm_make_vcpus_request_mask+0x174/0x440 [kvm]
> > > > > > __kasan_report.cold+0x7f/0x114
> > > > > > ? kvm_make_vcpus_request_mask+0x174/0x440 [kvm]
> > > > > > kasan_report+0x38/0x50
> > > > > > kasan_check_range+0xf5/0x1d0
> > > > > > kvm_make_vcpus_request_mask+0x174/0x440 [kvm]
> > > > > > kvm_make_scan_ioapic_request_mask+0x84/0xc0 [kvm]
> > > > > > ? kvm_arch_exit+0x110/0x110 [kvm]
> > > > > > ? sched_clock+0x5/0x10
> > > > > > ioapic_write_indirect+0x59f/0x9e0 [kvm]
> > > > > > ? static_obj+0xc0/0xc0
> > > > > > ? __lock_acquired+0x1d2/0x8c0
> > > > > > ? kvm_ioapic_eoi_inject_work+0x120/0x120 [kvm]
> > > > > >
[...]
>
>
> I also don't like that ioapic_write_indirect calls the kvm_bitmap_or_dest_vcpus twice,
> and second time with 'old_dest_id'
>
> I am not 100% sure why old_dest_id/old_dest_mode are needed as I don't see anything in the
> function changing them.
> I think only the guest can change them, so maybe the code deals with the guest changing them
> while the code is running from a different vcpu?
>
> The commit that introduced this code is 7ee30bc132c683d06a6d9e360e39e483e3990708
> Nitesh Narayan Lal, maybe you remember something about it?
>
Apologies for the delay in responding, I just got back from my PTO and
still clearing my inbox. Since you have reviewed this patch the only open
question is the above so I will try to answer that. Please let me know
in case I missed anything.
IIRC IOAPIC can be reconfigured while the previous interrupt is pending or
still processing. In this situation, ioapic_handeld_vectors may go out of
sync as it only records the recently passed configuration. Since with this
commit, we stopped generating requests for all vCPUs we need this chunk of
code to keep ioapic_handled_vectors in sync.
Having said that perhaps there could be a better way of handling this (?).
--
Thanks
Nitesh
prev parent reply other threads:[~2021-08-30 19:47 UTC|newest]
Thread overview: 23+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-08-23 14:30 [PATCH v2 0/4] KVM: Various fixes and improvements around kicking vCPUs Vitaly Kuznetsov
2021-08-23 14:30 ` [PATCH v2 1/4] KVM: Clean up benign vcpu->cpu data races when " Vitaly Kuznetsov
2021-08-23 14:30 ` [PATCH v2 2/4] KVM: Guard cpusmask NULL check with CONFIG_CPUMASK_OFFSTACK Vitaly Kuznetsov
2021-08-23 14:30 ` [PATCH v2 3/4] KVM: Optimize kvm_make_vcpus_request_mask() a bit Vitaly Kuznetsov
2021-08-23 14:30 ` [PATCH v2 4/4] KVM: x86: Fix stack-out-of-bounds memory access from ioapic_write_indirect() Vitaly Kuznetsov
2021-08-23 18:58 ` Eduardo Habkost
2021-08-24 7:13 ` Vitaly Kuznetsov
2021-08-24 14:23 ` Eduardo Habkost
2021-08-24 14:42 ` Vitaly Kuznetsov
2021-08-24 16:07 ` Maxim Levitsky
2021-08-24 17:40 ` Sean Christopherson
2021-08-25 8:26 ` Vitaly Kuznetsov
2021-08-25 8:21 ` Vitaly Kuznetsov
2021-08-25 9:11 ` Maxim Levitsky
2021-08-25 9:43 ` Vitaly Kuznetsov
2021-08-25 10:41 ` Maxim Levitsky
2021-08-25 13:19 ` Eduardo Habkost
2021-08-26 12:40 ` Vitaly Kuznetsov
2021-08-26 14:52 ` Eduardo Habkost
2021-08-26 18:01 ` Sean Christopherson
2021-08-26 18:13 ` Eduardo Habkost
2021-08-26 19:27 ` Eduardo Habkost
2021-08-30 19:47 ` Nitesh Lal [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAFki+L=1UUbNVn21rh34FMk3sajb=6rUpsqSdrK82FyD+UKcTQ@mail.gmail.com' \
--to=nilal@redhat.com \
--cc=dgilbert@redhat.com \
--cc=ehabkost@redhat.com \
--cc=jmattson@google.com \
--cc=kvm@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mlevitsk@redhat.com \
--cc=nitesh@redhat.com \
--cc=pbonzini@redhat.com \
--cc=seanjc@google.com \
--cc=vkuznets@redhat.com \
--cc=wanpengli@tencent.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).