On 14/08/19 05:37, Bandan Das wrote:
>
> recalculate_apic_map does not sanitize ldr and it's possible that
> multiple bits are set. In that case, a previous valid entry
> can potentially be overwritten by an invalid one.
>
> This condition is hit when booting a 32 bit, >8 CPU, RHEL6 guest and then
> triggering a crash to boot a kdump kernel. This is the sequence of
> events:
> 1. Linux boots in bigsmp mode and enables PhysFlat, however, it still
> writes to the LDR which probably will never be used.
> 2. However, when booting into kdump, the stale LDR values remain as
> they are not cleared by the guest and there isn't an apic reset.
> 3. kdump boots with 1 cpu, and uses Logical Destination Mode but the
> logical map has been overwritten and points to an inactive vcpu.
>
> Signed-off-by: Radim Krcmar <rkrcmar@xxxxxxxxxx>
> Signed-off-by: Bandan Das <bsd@xxxxxxxxxx>
> ---
> arch/x86/kvm/lapic.c | 5 +++++
> 1 file changed, 5 insertions(+)
>
> diff --git a/arch/x86/kvm/lapic.c b/arch/x86/kvm/lapic.c
> index 685d17c11461..e904ff06a83d 100644
> --- a/arch/x86/kvm/lapic.c
> +++ b/arch/x86/kvm/lapic.c
> @@ -216,6 +216,9 @@ static void recalculate_apic_map(struct kvm *kvm)
> if (!apic_x2apic_mode(apic) && !new->phys_map[xapic_id])
> new->phys_map[xapic_id] = apic;
>
> + if (!kvm_apic_sw_enabled(apic))
> + continue;
> +
> ldr = kvm_lapic_get_reg(apic, APIC_LDR);
>
> if (apic_x2apic_mode(apic)) {
> @@ -258,6 +261,8 @@ static inline void apic_set_spiv(struct kvm_lapic *apic, u32 val)
> static_key_slow_dec_deferred(&apic_sw_disabled);
> else
> static_key_slow_inc(&apic_sw_disabled.key);
> +
> + recalculate_apic_map(apic->vcpu->kvm);
> }
> }
>

Queued, thanks.

Paolo
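Review bot: In the recalculate_apic_map hunk, the fix gates on `kvm_apic_sw_enabled(apic)` rather than sanitizing a multi-bit LDR as the commit message describes, so the message and the code tell slightly different stories; a one-line comment above the new `continue` stating that a software-disabled APIC keeps a stale LDR that must not be entered into the logical map would make the intent clear to the next reader. The placement is also worth a comment: the `continue` sits after `new->phys_map[xapic_id] = apic;`, so a software-disabled APIC still gets its physical-map entry and only its logical-map entry is skipped, which looks deliberate but is easy to misread as an ordering mistake.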
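Review bot: In the apic_set_spiv hunk, `recalculate_apic_map(apic->vcpu->kvm);` is added inside the branch that only runs when the software-enable bit actually changes (the visible `static_key_slow_dec_deferred` / `static_key_slow_inc` else-chain), which is the right place so that the logical map is rebuilt on both the disable and the re-enable transition; a short comment saying why the map must be recomputed here (the first hunk now skips software-disabled APICs, so enabling one must add it back) would document the coupling between the two hunks, since nothing at this call site otherwise hints at it.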