From nobody Fri Oct 14 10:03:51 2022 X-Original-To: dev-commits-src-all@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4Mphmm21Rjz4g4vj; Fri, 14 Oct 2022 10:03:52 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4Mphmm1FL2z3mTq; Fri, 14 Oct 2022 10:03:52 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1665741832; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=zOjcFE6VOfSmZVRx19YJg6Ju3s7hoiBgy8tHZiwW6DI=; b=I6x/HCTELNiwh4ApIvHJWtGEnhrlu98+MKMe4WbLSa/4p6r6IsPC99CeBVjoilgHF8Vx4p pcYtRzl97zj0y32K+dcyZ1Zd3E3mTCR/vMK5jMwkevEOruy4iOGPaloe51aiW/SysQXIVL ddlqMJlEjDUZ0CnEDFeBXZAjH9Sragf0M1rVLwpOo0qy1ya8lJJSN5dcWlOHZaaCuX/D+b /Twc6TInzWDRZFYdIDJjhFtnCyAQuFItCUbnVIpX09lgrwho9ePhRtpLvVFttZS5KjzouQ azQt7/Vah28e6lGdorjXQn/DBkhlhFAuZqb13QMoNfic98OksAoWch36kWqSbQ== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4Mphmm06ptzl0w; Fri, 14 Oct 2022 10:03:52 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.16.1/8.16.1) with ESMTP id 29EA3pEa091076; Fri, 14 Oct 2022 10:03:51 GMT (envelope-from git@gitrepo.freebsd.org) Received: (from git@localhost) by gitrepo.freebsd.org (8.16.1/8.16.1/Submit) id 29EA3pHG091075; Fri, 14 Oct 2022 10:03:51 GMT (envelope-from git) Date: Fri, 14 Oct 2022 10:03:51 GMT Message-Id: <202210141003.29EA3pHG091075@gitrepo.freebsd.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org From: Emmanuel Vadot Subject: git: 2a2a64c4b93f - main - vmm: validate icr value List-Id: Commit messages for all branches of the src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-dev-commits-src-all@freebsd.org X-BeenThere: dev-commits-src-all@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: manu X-Git-Repository: src X-Git-Refname: refs/heads/main X-Git-Reftype: branch X-Git-Commit: 2a2a64c4b93f1a135f62f54db54f4ec2f89f9127 Auto-Submitted: auto-generated ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1665741832; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=zOjcFE6VOfSmZVRx19YJg6Ju3s7hoiBgy8tHZiwW6DI=; b=UEeyVlmtDRZa7ElLsh9im5A8w04SsNBH2EJQIB1vhmvVI/gOL4TzqM+abmGxzuutMM4mIK CK98x+Rcgi2WOigEX8lKuWpEiTEbcnmAFWRc0OxeYvMdetFOkjwRhBx0D66NVPVmvjJD9U dUwpCQ3aQFFJizuBPSOXm+K284A+OuWO8JGhghqcOTzQrmly8oqjY3+cGECMw8EfzUnh6p fSgtnBo1KjFiK5wtbh8cfSuCNdsK+kn/c6rtd4UwpljvhmI8gzqTh8KeiXHB8Og8+WU1Ix ytzAs8TjKu6MjKnFrc1GFh22lO8qKUBy+UatPGJ2smxahFaJAOVHb66olzK2NA== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1665741832; a=rsa-sha256; cv=none; b=r8dfE7EGlBW8gq3ap24rQLKNZ1obJBpxHwsaNXjgaOHzJctwwHc3xFPE9pSDnjuz8/ls7V LqnP1iFDVcDCphlNccArjNR4hkw/FuPwmsNesx8pLg2u5+6D2c6e6gYZ38T3WTUjhLCKID 6J2XshJjyOGODgdU15EzVos5k7EzP+hsWN3E8ZipznWZ3osKmDOxjcEVMc7mTBBirIkru5 VMjEmDy/Ib2omEPWeYCB4bFLABFbqKzdFQ5JWwK1nPQsK+EWAB7Wzv+bWY0D0BPp94C/Un rUo+P5fFwroMBVyEMqnFFhQksz6bhuF4Jp+xLgSkqnDV/uzojx98AbUq/l/LRQ== ARC-Authentication-Results: i=1; mx1.freebsd.org; none X-ThisMailContainsUnwantedMimeParts: N The branch main has been updated by manu: URL: https://cgit.FreeBSD.org/src/commit/?id=2a2a64c4b93f1a135f62f54db54f4ec2f89f9127 commit 2a2a64c4b93f1a135f62f54db54f4ec2f89f9127 Author: Corvin Köhne AuthorDate: 2022-10-12 09:19:32 +0000 Commit: Emmanuel Vadot CommitDate: 2022-10-14 10:03:05 +0000 vmm: validate icr value Not all combinations of icr values are allowed. Neither Intel nor AMD document what happens when an invalid value is written to the icr. Ignore the IPI. So, the guest will note that the IPI wasn't delivered. Reviewed by: jhb Differential Revision: https://reviews.freebsd.org/D36946 Sponsored by: Beckhoff Automation GmbH & Co. KG --- sys/amd64/vmm/io/vlapic.c | 91 +++++++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 88 insertions(+), 3 deletions(-) diff --git a/sys/amd64/vmm/io/vlapic.c b/sys/amd64/vmm/io/vlapic.c index c5db5af0ca95..8b547d9a9453 100644 --- a/sys/amd64/vmm/io/vlapic.c +++ b/sys/amd64/vmm/io/vlapic.c @@ -953,6 +953,86 @@ vlapic_get_cr8(struct vlapic *vlapic) return (tpr >> 4); } +static bool +vlapic_is_icr_valid(uint64_t icrval) +{ + uint32_t mode = icrval & APIC_DELMODE_MASK; + uint32_t level = icrval & APIC_LEVEL_MASK; + uint32_t trigger = icrval & APIC_TRIGMOD_MASK; + uint32_t shorthand = icrval & APIC_DEST_MASK; + + switch (mode) { + case APIC_DELMODE_FIXED: + if (trigger == APIC_TRIGMOD_EDGE) + return (true); + /* + * AMD allows a level assert IPI and Intel converts a level + * assert IPI into an edge IPI. + */ + if (trigger == APIC_TRIGMOD_LEVEL && level == APIC_LEVEL_ASSERT) + return (true); + break; + case APIC_DELMODE_LOWPRIO: + case APIC_DELMODE_SMI: + case APIC_DELMODE_NMI: + case APIC_DELMODE_INIT: + if (trigger == APIC_TRIGMOD_EDGE && + (shorthand == APIC_DEST_DESTFLD || + shorthand == APIC_DEST_ALLESELF)) + return (true); + /* + * AMD allows a level assert IPI and Intel converts a level + * assert IPI into an edge IPI. + */ + if (trigger == APIC_TRIGMOD_LEVEL && + level == APIC_LEVEL_ASSERT && + (shorthand == APIC_DEST_DESTFLD || + shorthand == APIC_DEST_ALLESELF)) + return (true); + /* + * An level triggered deassert INIT is defined in the Intel + * Multiprocessor Specification and the Intel Software Developer + * Manual. Due to the MPS it's required to send a level assert + * INIT to a cpu and then a level deassert INIT. Some operating + * systems e.g. FreeBSD or Linux use that algorithm. According + * to the SDM a level deassert INIT is only supported by Pentium + * and P6 processors. It's always send to all cpus regardless of + * the destination or shorthand field. It resets the arbitration + * id register. This register is not software accessible and + * only required for the APIC bus arbitration. So, the level + * deassert INIT doesn't need any emulation and we should ignore + * it. The SDM also defines that newer processors don't support + * the level deassert INIT and it's not valid any more. As it's + * defined for older systems, it can't be invalid per se. + * Otherwise, backward compatibility would be broken. However, + * when returning false here, it'll be ignored which is the + * desired behaviour. + */ + if (mode == APIC_DELMODE_INIT && + trigger == APIC_TRIGMOD_LEVEL && + level == APIC_LEVEL_DEASSERT) + return (false); + break; + case APIC_DELMODE_STARTUP: + if (shorthand == APIC_DEST_DESTFLD || + shorthand == APIC_DEST_ALLESELF) + return (true); + break; + case APIC_DELMODE_RR: + /* Only available on AMD! */ + if (trigger == APIC_TRIGMOD_EDGE && + shorthand == APIC_DEST_DESTFLD) + return (true); + break; + case APIC_DELMODE_RESV: + return (false); + default: + __assert_unreachable(); + } + + return (false); +} + int vlapic_icrlo_write_handler(struct vlapic *vlapic, bool *retu) { @@ -998,6 +1078,14 @@ vlapic_icrlo_write_handler(struct vlapic *vlapic, bool *retu) __assert_unreachable(); } + /* + * Ignore invalid combinations of the icr. + */ + if (!vlapic_is_icr_valid(icrval)) { + VLAPIC_CTR1(vlapic, "Ignoring invalid ICR %016lx", icrval); + return (0); + } + /* * ipimask is a set of vCPUs needing userland handling of the current * IPI. @@ -1031,9 +1119,6 @@ vlapic_icrlo_write_handler(struct vlapic *vlapic, bool *retu) break; case APIC_DELMODE_INIT: - if ((icrval & APIC_LEVEL_MASK) == APIC_LEVEL_DEASSERT) - break; - CPU_FOREACH_ISSET(i, &dmask) { /* * Userland which doesn't support the IPI exit requires