Commit b0a1637f authored by Maxim Levitsky's avatar Maxim Levitsky Committed by Paolo Bonzini

KVM: x86: APICv: fix race in kvm_request_apicv_update on SVM

Currently on SVM, the kvm_request_apicv_update toggles the APICv
memslot without doing any synchronization.

If there is a mismatch between that memslot state and the AVIC state,
on one of the vCPUs, an APIC mmio access can be lost:

For example:

VCPU0: enable the APIC_ACCESS_PAGE_PRIVATE_MEMSLOT
VCPU1: access an APIC mmio register.

Since AVIC is still disabled on VCPU1, the access will not be intercepted
by it, and neither will it cause MMIO fault, but rather it will just be
read/written from/to the dummy page mapped into the
APIC_ACCESS_PAGE_PRIVATE_MEMSLOT.

Fix that by adding a lock guarding the AVIC state changes, and carefully
order the operations of kvm_request_apicv_update to avoid this race:

1. Take the lock
2. Send KVM_REQ_APICV_UPDATE
3. Update the apic inhibit reason
4. Release the lock

This ensures that at (2) all vCPUs are kicked out of the guest mode,
but don't yet see the new avic state.
Then only after (4) all other vCPUs can update their AVIC state and resume.
Signed-off-by: default avatarMaxim Levitsky <mlevitsk@redhat.com>
Message-Id: <20210810205251.424103-10-mlevitsk@redhat.com>
Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
parent 36222b11
...@@ -1053,6 +1053,9 @@ struct kvm_arch { ...@@ -1053,6 +1053,9 @@ struct kvm_arch {
struct kvm_apic_map __rcu *apic_map; struct kvm_apic_map __rcu *apic_map;
atomic_t apic_map_dirty; atomic_t apic_map_dirty;
/* Protects apic_access_memslot_enabled and apicv_inhibit_reasons */
struct mutex apicv_update_lock;
bool apic_access_memslot_enabled; bool apic_access_memslot_enabled;
unsigned long apicv_inhibit_reasons; unsigned long apicv_inhibit_reasons;
...@@ -1736,6 +1739,9 @@ void kvm_vcpu_update_apicv(struct kvm_vcpu *vcpu); ...@@ -1736,6 +1739,9 @@ void kvm_vcpu_update_apicv(struct kvm_vcpu *vcpu);
void kvm_request_apicv_update(struct kvm *kvm, bool activate, void kvm_request_apicv_update(struct kvm *kvm, bool activate,
unsigned long bit); unsigned long bit);
void __kvm_request_apicv_update(struct kvm *kvm, bool activate,
unsigned long bit);
int kvm_emulate_hypercall(struct kvm_vcpu *vcpu); int kvm_emulate_hypercall(struct kvm_vcpu *vcpu);
int kvm_mmu_page_fault(struct kvm_vcpu *vcpu, gpa_t cr2_or_gpa, u64 error_code, int kvm_mmu_page_fault(struct kvm_vcpu *vcpu, gpa_t cr2_or_gpa, u64 error_code,
......
...@@ -8579,6 +8579,8 @@ EXPORT_SYMBOL_GPL(kvm_apicv_activated); ...@@ -8579,6 +8579,8 @@ EXPORT_SYMBOL_GPL(kvm_apicv_activated);
static void kvm_apicv_init(struct kvm *kvm) static void kvm_apicv_init(struct kvm *kvm)
{ {
mutex_init(&kvm->arch.apicv_update_lock);
if (enable_apicv) if (enable_apicv)
clear_bit(APICV_INHIBIT_REASON_DISABLE, clear_bit(APICV_INHIBIT_REASON_DISABLE,
&kvm->arch.apicv_inhibit_reasons); &kvm->arch.apicv_inhibit_reasons);
...@@ -9240,6 +9242,8 @@ void kvm_vcpu_update_apicv(struct kvm_vcpu *vcpu) ...@@ -9240,6 +9242,8 @@ void kvm_vcpu_update_apicv(struct kvm_vcpu *vcpu)
if (!lapic_in_kernel(vcpu)) if (!lapic_in_kernel(vcpu))
return; return;
mutex_lock(&vcpu->kvm->arch.apicv_update_lock);
vcpu->arch.apicv_active = kvm_apicv_activated(vcpu->kvm); vcpu->arch.apicv_active = kvm_apicv_activated(vcpu->kvm);
kvm_apic_update_apicv(vcpu); kvm_apic_update_apicv(vcpu);
static_call(kvm_x86_refresh_apicv_exec_ctrl)(vcpu); static_call(kvm_x86_refresh_apicv_exec_ctrl)(vcpu);
...@@ -9252,39 +9256,44 @@ void kvm_vcpu_update_apicv(struct kvm_vcpu *vcpu) ...@@ -9252,39 +9256,44 @@ void kvm_vcpu_update_apicv(struct kvm_vcpu *vcpu)
*/ */
if (!vcpu->arch.apicv_active) if (!vcpu->arch.apicv_active)
kvm_make_request(KVM_REQ_EVENT, vcpu); kvm_make_request(KVM_REQ_EVENT, vcpu);
mutex_unlock(&vcpu->kvm->arch.apicv_update_lock);
} }
EXPORT_SYMBOL_GPL(kvm_vcpu_update_apicv); EXPORT_SYMBOL_GPL(kvm_vcpu_update_apicv);
void kvm_request_apicv_update(struct kvm *kvm, bool activate, ulong bit) void __kvm_request_apicv_update(struct kvm *kvm, bool activate, ulong bit)
{ {
unsigned long old, new, expected; unsigned long old, new;
if (!kvm_x86_ops.check_apicv_inhibit_reasons || if (!kvm_x86_ops.check_apicv_inhibit_reasons ||
!static_call(kvm_x86_check_apicv_inhibit_reasons)(bit)) !static_call(kvm_x86_check_apicv_inhibit_reasons)(bit))
return; return;
old = READ_ONCE(kvm->arch.apicv_inhibit_reasons); old = new = kvm->arch.apicv_inhibit_reasons;
do {
expected = new = old;
if (activate) if (activate)
__clear_bit(bit, &new); __clear_bit(bit, &new);
else else
__set_bit(bit, &new); __set_bit(bit, &new);
if (new == old)
break;
old = cmpxchg(&kvm->arch.apicv_inhibit_reasons, expected, new);
} while (old != expected);
if (!!old != !!new) { if (!!old != !!new) {
trace_kvm_apicv_update_request(activate, bit); trace_kvm_apicv_update_request(activate, bit);
kvm_make_all_cpus_request(kvm, KVM_REQ_APICV_UPDATE); kvm_make_all_cpus_request(kvm, KVM_REQ_APICV_UPDATE);
kvm->arch.apicv_inhibit_reasons = new;
if (new) { if (new) {
unsigned long gfn = gpa_to_gfn(APIC_DEFAULT_PHYS_BASE); unsigned long gfn = gpa_to_gfn(APIC_DEFAULT_PHYS_BASE);
kvm_zap_gfn_range(kvm, gfn, gfn+1); kvm_zap_gfn_range(kvm, gfn, gfn+1);
} }
} } else
kvm->arch.apicv_inhibit_reasons = new;
}
EXPORT_SYMBOL_GPL(__kvm_request_apicv_update);
void kvm_request_apicv_update(struct kvm *kvm, bool activate, ulong bit)
{
mutex_lock(&kvm->arch.apicv_update_lock);
__kvm_request_apicv_update(kvm, activate, bit);
mutex_unlock(&kvm->arch.apicv_update_lock);
} }
EXPORT_SYMBOL_GPL(kvm_request_apicv_update); EXPORT_SYMBOL_GPL(kvm_request_apicv_update);
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment