From nobody Thu Dec 22 09:22:45 2022 X-Original-To: dev-commits-src-branches@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4Nd4bV1JpWz1Gn2M; Thu, 22 Dec 2022 09:22:46 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4Nd4bV0khBz43Pm; Thu, 22 Dec 2022 09:22:46 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1671700966; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=Ab2noXtDoXYBGncOe5qGj8vYVeUbiMFHWD+WgpbFKe4=; b=GciB4LB5tAHv8GSM1TESzU8vjy0ONBSS2dHeQC6wBzFiUG+0xtahwbSY1ryJeZxG4ybfOn uAjh0w/2AHoAqq5v62AgfJfcHrKcttZSBtkiCd1zo4stkcSxI5uTvxCEcXLbVr/O7n7ij/ judPG37QXzOnTQj9+y2FUaIosl+S0/M0HhqnB9FpSMblcCSM7ZPLQZB4SrZKYkhqZt+1cK pBXhMleWu2QF/h/+q4si8pM7F8k30+8KCld+MkHQV/8ZDwB+WfeJ2TOBQnnlzHPnWEdeNp OdJlQbKh2es746BHZiCEzdPA6+ob9joeadxpnPRqOeLJo2TiADdvz/QirJ8iOA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1671700966; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=Ab2noXtDoXYBGncOe5qGj8vYVeUbiMFHWD+WgpbFKe4=; b=grviZY2XZBIDuYWLAhWjrB5u9I+yqUPokNFJAOdHwxf5BUHOul9O44ghq/KgK71A4VjNS7 oYO/Ojcbn5awNctg/gh5szkbSbPUxij9G9WVU3SE311Bjl+HwBqA8rRQfdYiS3Xhc3rdJH SzZeXGQWkRbWuTJZ6EyadKa4OirfJn48Z6/j8uSstf2tVIoDUd28u2uI+5IW0h4eE9/dVS UxiO/vurLUCqu3wr2IlzhqGAGH7yi5EZAJryVe08/KC0FonRpRiVIzs8Oc/69pubWOv2bn xNWmj08xr0OIVY8bPUk0B553c8yKN+hOo+KwrCq1B7iu/BBTXfb4bsyGkbV4oQ== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1671700966; a=rsa-sha256; cv=none; b=xTzl17mTm5h9i5bGjet32z1smr3/wHhgUoL3ruAGcMT5T45vQUy9Cv7wftmzDz8ATRAEav +ab9dH7zJQFejtt+wkX0uqCRu5Kpnpq992/x8meHWg3QuaLy/Z8EPzhxSzdOw79AidCpXr kVe9VI4g7ZOA0+0lWNCKLfwluAvb2FEV2NXRKXQLOPj9/d4/74BMAyRUTmbmwe+uvHXC/e zPxJ5lWZJp0KAOY/F/imZmaSPnOE0tiOjozpOKkBLxca0BKRBjKzx08Ty6YsWwQ+jHG0QW FjuA+ZlJf34c1BmFQp9aXN02pfytP/mmMnOMEswZzbAr95ZUIGqDBJ9cswz5pQ== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4Nd4bT6tD4zpy6; Thu, 22 Dec 2022 09:22:45 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.16.1/8.16.1) with ESMTP id 2BM9MjMC038692; Thu, 22 Dec 2022 09:22:45 GMT (envelope-from git@gitrepo.freebsd.org) Received: (from git@localhost) by gitrepo.freebsd.org (8.16.1/8.16.1/Submit) id 2BM9MjdY038691; Thu, 22 Dec 2022 09:22:45 GMT (envelope-from git) Date: Thu, 22 Dec 2022 09:22:45 GMT Message-Id: <202212220922.2BM9MjdY038691@gitrepo.freebsd.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org From: =?utf-8?Q?Corvin=20K=C3=B6hne?= Subject: git: 168726513cdf - stable/13 - vmm: validate icr value List-Id: Commits to the stable branches of the FreeBSD src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-dev-commits-src-branches@freebsd.org X-BeenThere: dev-commits-src-branches@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: corvink X-Git-Repository: src X-Git-Refname: refs/heads/stable/13 X-Git-Reftype: branch X-Git-Commit: 168726513cdf93a18d2dae3862dcffbd8d7a6ccc Auto-Submitted: auto-generated X-ThisMailContainsUnwantedMimeParts: N The branch stable/13 has been updated by corvink: URL: https://cgit.FreeBSD.org/src/commit/?id=168726513cdf93a18d2dae3862dcffbd8d7a6ccc commit 168726513cdf93a18d2dae3862dcffbd8d7a6ccc Author: Corvin Köhne AuthorDate: 2022-10-12 09:19:32 +0000 Commit: Corvin Köhne CommitDate: 2022-12-22 09:12:22 +0000 vmm: validate icr value Not all combinations of icr values are allowed. Neither Intel nor AMD document what happens when an invalid value is written to the icr. Ignore the IPI. So, the guest will note that the IPI wasn't delivered. Reviewed by: jhb Differential Revision: https://reviews.freebsd.org/D36946 Sponsored by: Beckhoff Automation GmbH & Co. KG (cherry picked from commit 2a2a64c4b93f1a135f62f54db54f4ec2f89f9127) --- sys/amd64/vmm/io/vlapic.c | 91 +++++++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 88 insertions(+), 3 deletions(-) diff --git a/sys/amd64/vmm/io/vlapic.c b/sys/amd64/vmm/io/vlapic.c index d660b0a3f195..e1a57c4abcfc 100644 --- a/sys/amd64/vmm/io/vlapic.c +++ b/sys/amd64/vmm/io/vlapic.c @@ -953,6 +953,86 @@ vlapic_get_cr8(struct vlapic *vlapic) return (tpr >> 4); } +static bool +vlapic_is_icr_valid(uint64_t icrval) +{ + uint32_t mode = icrval & APIC_DELMODE_MASK; + uint32_t level = icrval & APIC_LEVEL_MASK; + uint32_t trigger = icrval & APIC_TRIGMOD_MASK; + uint32_t shorthand = icrval & APIC_DEST_MASK; + + switch (mode) { + case APIC_DELMODE_FIXED: + if (trigger == APIC_TRIGMOD_EDGE) + return (true); + /* + * AMD allows a level assert IPI and Intel converts a level + * assert IPI into an edge IPI. + */ + if (trigger == APIC_TRIGMOD_LEVEL && level == APIC_LEVEL_ASSERT) + return (true); + break; + case APIC_DELMODE_LOWPRIO: + case APIC_DELMODE_SMI: + case APIC_DELMODE_NMI: + case APIC_DELMODE_INIT: + if (trigger == APIC_TRIGMOD_EDGE && + (shorthand == APIC_DEST_DESTFLD || + shorthand == APIC_DEST_ALLESELF)) + return (true); + /* + * AMD allows a level assert IPI and Intel converts a level + * assert IPI into an edge IPI. + */ + if (trigger == APIC_TRIGMOD_LEVEL && + level == APIC_LEVEL_ASSERT && + (shorthand == APIC_DEST_DESTFLD || + shorthand == APIC_DEST_ALLESELF)) + return (true); + /* + * An level triggered deassert INIT is defined in the Intel + * Multiprocessor Specification and the Intel Software Developer + * Manual. Due to the MPS it's required to send a level assert + * INIT to a cpu and then a level deassert INIT. Some operating + * systems e.g. FreeBSD or Linux use that algorithm. According + * to the SDM a level deassert INIT is only supported by Pentium + * and P6 processors. It's always send to all cpus regardless of + * the destination or shorthand field. It resets the arbitration + * id register. This register is not software accessible and + * only required for the APIC bus arbitration. So, the level + * deassert INIT doesn't need any emulation and we should ignore + * it. The SDM also defines that newer processors don't support + * the level deassert INIT and it's not valid any more. As it's + * defined for older systems, it can't be invalid per se. + * Otherwise, backward compatibility would be broken. However, + * when returning false here, it'll be ignored which is the + * desired behaviour. + */ + if (mode == APIC_DELMODE_INIT && + trigger == APIC_TRIGMOD_LEVEL && + level == APIC_LEVEL_DEASSERT) + return (false); + break; + case APIC_DELMODE_STARTUP: + if (shorthand == APIC_DEST_DESTFLD || + shorthand == APIC_DEST_ALLESELF) + return (true); + break; + case APIC_DELMODE_RR: + /* Only available on AMD! */ + if (trigger == APIC_TRIGMOD_EDGE && + shorthand == APIC_DEST_DESTFLD) + return (true); + break; + case APIC_DELMODE_RESV: + return (false); + default: + __assert_unreachable(); + } + + return (false); +} + int vlapic_icrlo_write_handler(struct vlapic *vlapic, bool *retu) { @@ -998,6 +1078,14 @@ vlapic_icrlo_write_handler(struct vlapic *vlapic, bool *retu) __assert_unreachable(); } + /* + * Ignore invalid combinations of the icr. + */ + if (!vlapic_is_icr_valid(icrval)) { + VLAPIC_CTR1(vlapic, "Ignoring invalid ICR %016lx", icrval); + return (0); + } + /* * ipimask is a set of vCPUs needing userland handling of the current * IPI. @@ -1031,9 +1119,6 @@ vlapic_icrlo_write_handler(struct vlapic *vlapic, bool *retu) break; case APIC_DELMODE_INIT: - if ((icrval & APIC_LEVEL_MASK) == APIC_LEVEL_DEASSERT) - break; - CPU_FOREACH_ISSET(i, &dmask) { /* * Userland which doesn't support the IPI exit requires