From patchwork Mon Jul 11 10:14:31 2016
X-Patchwork-Submitter: Yang Zhang
X-Patchwork-Id: 9223209
Subject: Re: [PATCH v2 04/13] KVM: x86: dynamic kvm_apic_map
To: Paolo Bonzini, Radim Krčmář, linux-kernel@vger.kernel.org, kvm@vger.kernel.org
References: <20160707171550.14675-1-rkrcmar@redhat.com> <20160707171550.14675-5-rkrcmar@redhat.com> <963b542a-1111-db83-8338-c32d44f98874@gmail.com>
Cc: "Lan, Tianyu", Igor Mammedov, Jan Kiszka, Peter Xu
From: Yang Zhang
Message-ID: <3a5d86b6-9f1a-a6cf-8af4-ef6bf3936996@gmail.com>
Date: Mon, 11 Jul 2016 18:14:31 +0800
X-Mailing-List: kvm@vger.kernel.org

On 2016/7/11 15:43, Paolo Bonzini wrote:
>
>
> On 11/07/2016 08:07, Yang Zhang wrote:
>>>
>>>  	mutex_lock(&kvm->arch.apic_map_lock);
>>>
>>> +	kvm_for_each_vcpu(i, vcpu, kvm)
>>> +		if (kvm_apic_present(vcpu))
>>> +			max_id = max(max_id, kvm_apic_id(vcpu->arch.apic));
>>> +
>>> +	new = kzalloc(sizeof(struct kvm_apic_map) +
>>> +		      sizeof(struct kvm_lapic *) * (max_id + 1),
>>>  		      GFP_KERNEL);
>>> +
>>
>> I think this may cause the host to run out of memory if a malicious guest
>> did the following:
>> 1. vcpu a is doing apic map recalculation.
>> 2. vcpu b writes the apic id with 0xff
>> 3. then vcpu b enables the x2apic: in kvm_lapic_set_base(), we will set
>> apic_base to the new value before resetting the apic id.
>> 4. vcpu a may see the x2apic enabled in vcpu b plus an old apic
>> id (0xff), and max_id will become (0xff >> 24).
>
> The bug is not really here but in patch 6---but you're right nevertheless!
>
> I guess the easiest solution is to replace kvm_apic_id with a field in
> struct kvm_lapic, which is already shifted right by 24 in xAPIC mode.

Or we can just simply put the assignment of apic_base to the end.

 	if ((old_value ^ value) & MSR_IA32_APICBASE_ENABLE) {
@@ -1753,7 +1752,6 @@ void kvm_lapic_set_base(struct kvm_vcpu *vcpu, u64 value)
 			static_key_slow_dec_deferred(&apic_hw_disabled);
 		else
 			static_key_slow_inc(&apic_hw_disabled.key);
-		recalculate_apic_map(vcpu->kvm);
 	}
 
 	if ((old_value ^ value) & X2APIC_ENABLE) {
@@ -1764,6 +1762,8 @@ void kvm_lapic_set_base(struct kvm_vcpu *vcpu, u64 value)
 			kvm_x86_ops->set_virtual_x2apic_mode(vcpu, false);
 	}
 
+	vcpu->arch.apic_base = value;
+	recalculate_apic_map(vcpu->kvm);
 	apic->base_address = apic->vcpu->arch.apic_base &
 			     MSR_IA32_APICBASE_BASE;

btw, I noticed that there is no apic map recalculation after turning off
the x2apic mode. Is it correct?

diff --git a/arch/x86/kvm/lapic.c b/arch/x86/kvm/lapic.c
index fdc05ae..9c69059 100644
--- a/arch/x86/kvm/lapic.c
+++ b/arch/x86/kvm/lapic.c
@@ -1745,7 +1745,6 @@ void kvm_lapic_set_base(struct kvm_vcpu *vcpu, u64 value)
 		return;
 	}
 
-	vcpu->arch.apic_base = value;
 
 	/* update jump label if enable bit changes */
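Review bot: in the quoted hunk from the original patch, the allocation size `sizeof(struct kvm_lapic *) * (max_id + 1)` is derived only from `kvm_apic_id()` of each present vCPU, i.e. from guest-writable register state, with no bound of the host's own; that is exactly why the stale-id window described in the reply turns into an oversized `kzalloc`. Whichever ordering fix is taken (the shifted field Paolo suggests or the moved assignment below), the sizing step should also reject or clamp a `max_id` beyond what the map is meant to hold, so that a single inconsistent snapshot can never drive the allocation size.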
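Review bot: in the `@@ -1745` hunk, deleting `vcpu->arch.apic_base = value;` and re-adding it at the end of the function changes what every statement in between observes in `vcpu->arch.apic_base`; the hunks show only fragments of lines 1745-1764 (the jump-label update and the `kvm_x86_ops->set_virtual_x2apic_mode()` calls), so the change needs a statement that nothing in that range reads `vcpu->arch.apic_base` rather than the local `value`, otherwise it now sees the stale base.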
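Review bot: in the `@@ -1764` hunk, `recalculate_apic_map(vcpu->kvm)` moves from inside the `MSR_IA32_APICBASE_ENABLE` block to the unconditional tail, so it now runs on every `kvm_lapic_set_base()` call, including writes that change only the base address; the quoted hunk shows recalculation taking `apic_map_lock` and walking every vCPU, so either justify that cost in the description or keep the call under `if ((old_value ^ value) & (MSR_IA32_APICBASE_ENABLE | X2APIC_ENABLE))`. Note that the unconditional placement does answer the "btw" question in the reply: the x2apic-disable path now gets a recalculation too.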
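A user-space model of the ordering hazard described in the reply above, added here as an illustration; it is not code from the thread or from KVM. The names `model_lapic`, `model_apic_id`, `slots_needed`, `slots_seen_base_first`, `slots_seen_base_last` and `slots_bounded` are hypothetical stand-ins, the initial register state is constructed, and `MAX_SANE_SLOTS` is an assumed host-side cap (real x2APIC ids are 32-bit, so a production bound would be chosen differently); only the x2APIC enable bit position, the xAPIC id shift of 24 and the `max_id + 1` sizing follow the thread.

```c
#include <stdint.h>
#include <stdio.h>

/* Bit/shift positions follow the IA32_APIC_BASE MSR and xAPIC ID register
 * layouts; everything else is a deliberately small model (assumed). */
#define X2APIC_ENABLE   (1u << 10)
#define XAPIC_ID_SHIFT  24
#define MAX_SANE_SLOTS  256u   /* assumed host-side cap for this model only */

struct model_lapic {
    uint32_t apic_base;  /* stands in for vcpu->arch.apic_base */
    uint32_t id_reg;     /* stands in for the APIC ID register */
};

/* Stand-in for kvm_apic_id(): raw register in x2APIC mode, bits 31:24 in
 * xAPIC mode (the "shifted right by 24" Paolo refers to). */
static uint32_t model_apic_id(const struct model_lapic *a)
{
    if (a->apic_base & X2APIC_ENABLE)
        return a->id_reg;
    return a->id_reg >> XAPIC_ID_SHIFT;
}

/* Stand-in for the sizing step of the map rebuild: slots = max_id + 1. */
static uint64_t slots_needed(const struct model_lapic *a)
{
    return (uint64_t)model_apic_id(a) + 1;
}

/* Original ordering: the new base is published before the id register is
 * reset, so a rebuild running in the window sees x2APIC mode together with
 * the stale xAPIC id.  Returns the slot count such a reader computes. */
static uint64_t slots_seen_base_first(struct model_lapic *a, uint32_t vcpu_id)
{
    a->apic_base |= X2APIC_ENABLE;       /* step 3: base published first */
    uint64_t seen = slots_needed(a);     /* step 4: concurrent rebuild here */
    a->id_reg = vcpu_id;                 /* id reset arrives too late */
    return seen;
}

/* Reply's ordering: reset the id first and publish the base last; a reader
 * in the window sees the old id under the old mode, never a mixed state. */
static uint64_t slots_seen_base_last(struct model_lapic *a, uint32_t vcpu_id)
{
    a->id_reg = vcpu_id;
    uint64_t seen = slots_needed(a);     /* concurrent rebuild here */
    a->apic_base |= X2APIC_ENABLE;
    return seen;
}

/* Independent of ordering: size the map only from a host-bounded value.
 * Returns 0 and stores the slot count, or -1 when the id is out of range. */
static int slots_bounded(const struct model_lapic *a, uint64_t *out)
{
    uint64_t n = slots_needed(a);
    if (n > MAX_SANE_SLOTS)
        return -1;
    *out = n;
    return 0;
}

/* Scenarios on constructed state: guest wrote xAPIC id 0xff (bits 31:24). */
static uint64_t demo_base_first(void)
{
    struct model_lapic a = { 0, 0xffu << XAPIC_ID_SHIFT };
    return slots_seen_base_first(&a, 1);   /* 0xff000000 + 1 slots */
}

static uint64_t demo_base_last(void)
{
    struct model_lapic a = { 0, 0xffu << XAPIC_ID_SHIFT };
    return slots_seen_base_last(&a, 1);    /* 1 slot */
}

static int demo_bounded_rejects_stale(void)
{
    struct model_lapic a = { X2APIC_ENABLE, 0xffu << XAPIC_ID_SHIFT };
    uint64_t n = 0;
    return slots_bounded(&a, &n);          /* -1: refused, no huge alloc */
}

static uint64_t demo_bounded_consistent(void)
{
    struct model_lapic a = { X2APIC_ENABLE, 1 };   /* x2APIC on, id 1 */
    uint64_t n = 0;
    return slots_bounded(&a, &n) == 0 ? n : 0;     /* 2 slots */
}

int main(void)
{
    uint64_t n1 = demo_base_first(), n2 = demo_base_last();
    printf("base-first window: %llu slots = %llu pointer bytes\n",
           (unsigned long long)n1, (unsigned long long)(n1 * sizeof(void *)));
    printf("base-last window:  %llu slots\n", (unsigned long long)n2);
    printf("bounded sizing on the stale snapshot: %s\n",
           demo_bounded_rejects_stale() < 0 ? "rejected" : "accepted");
    return 0;
}
```

Built with any C99 compiler, the base-first ordering reports 4278190081 slots (about 32 GiB of pointer storage at 8 bytes each) for the mixed snapshot, while the base-last ordering reports a single slot, and the bounded sizing refuses the stale snapshot outright. The two fixes are complementary: the ordering removes the inconsistent window, and the bound keeps the allocation size under the host's control even if another such window is found later.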