From: "Laszlo Ersek"
To: edk2-devel-groups-io
Cc: Ard Biesheuvel, Igor Mammedov, Jordan Justen, Philippe Mathieu-Daudé
Subject: [edk2-devel] [PATCH 1/2] OvmfPkg/CpuHotplugSmm: fix CPU hotplug race just before SMI broadcast
Date: Thu, 27 Aug 2020 00:21:28 +0200
Message-Id: <20200826222129.25798-2-lersek@redhat.com>
In-Reply-To: <20200826222129.25798-1-lersek@redhat.com>
References: <20200826222129.25798-1-lersek@redhat.com>

The "virsh setvcpus" (plural) command may hot-plug several VCPUs in quick succession -- it means a series of "device_add" QEMU monitor commands, back-to-back.

If a "device_add" occurs *just before* ACPI raises the broadcast SMI, then:

- OVMF processes the hot-added CPU well.

- However, QEMU's post-SMI ACPI loop -- which clears the pending events for the hot-added CPUs that were collected before raising the SMI -- is unaware of the stray CPU. Thus, the pending event is not cleared for it.

As a result of the stuck event, at the next hot-plug, OVMF tries to re-add (relocate for the 2nd time) the already-known CPU.
At that time, the AP is already in the normal edk2 SMM busy-wait however, so it doesn't respond to the exchange that the BSP intends to do in SmbaseRelocate(). Thus the VM gets stuck in SMM.

(Because of the above symptom, this is not considered a security patch; it doesn't seem exploitable by a malicious guest OS.)

In CpuHotplugMmi(), skip the supposedly hot-added CPU if it's already known. The post-SMI ACPI loop will clear the pending event for it this time.

Cc: Ard Biesheuvel
Cc: Igor Mammedov
Cc: Jordan Justen
Cc: Philippe Mathieu-Daudé
Fixes: bc498ac4ca7590479cfd91ad1bb8a36286b0dc21
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=2929
Signed-off-by: Laszlo Ersek
Reviewed-by: Ard Biesheuvel
---
 OvmfPkg/CpuHotplugSmm/CpuHotplug.c | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

diff --git a/OvmfPkg/CpuHotplugSmm/CpuHotplug.c b/OvmfPkg/CpuHotplugSmm/CpuHotplug.c
index 20e6bec04f41..cfe698ed2b5e 100644
--- a/OvmfPkg/CpuHotplugSmm/CpuHotplug.c
+++ b/OvmfPkg/CpuHotplugSmm/CpuHotplug.c
@@ -193,9 +193,28 @@ CpuHotplugMmi ( NewSlot =3D 0; while (PluggedIdx < PluggedCount) { APIC_ID NewApicId; + UINT32 CheckSlot; UINTN NewProcessorNumberByProtocol; =20 NewApicId =3D mPluggedApicIds[PluggedIdx]; + + // + // Check if the supposedly hot-added CPU is already known to us. + // + for (CheckSlot =3D 0; + CheckSlot < mCpuHotPlugData->ArrayLength; + CheckSlot++) { + if (mCpuHotPlugData->ApicId[CheckSlot] =3D=3D NewApicId) { + break; + } + } + if (CheckSlot < mCpuHotPlugData->ArrayLength) { + DEBUG ((DEBUG_VERBOSE, "%a: APIC ID " FMT_APIC_ID " was hot-plugged " + "before; ignoring it\n", __FUNCTION__, NewApicId)); + PluggedIdx++; + continue; + } + // // Find the first empty slot in CPU_HOT_PLUG_DATA. // --=20 2.19.1.3.g30247aa5d201
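Review bot: the new skip path in CpuHotplugMmi() records the duplicate only at DEBUG_VERBOSE; since the commit message ties a repeated APIC ID to a QEMU-side event that was never cleared, DEBUG_INFO would keep that one trace of the race visible in default builds without adding noise. The check is also a sound defensive measure on its own: any hot-plug entry naming an already-relocated APIC ID, whatever produced it, now takes the `PluggedIdx++; continue;` path instead of re-entering SmbaseRelocate() against an AP that no longer answers, which is the hang the commit message describes. The scan over mCpuHotPlugData->ArrayLength runs once per plugged CPU, so the loop is O(PluggedCount * ArrayLength) per SMI; fine at these sizes, but a one-line comment saying it is intentional would stop a later refactor from hoisting it.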
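The stuck-event sequence from the commit message, as an added model in C that is not OVMF or QEMU code: a pending-event mask stands in for QEMU's per-CPU hot-plug events and a small APIC ID array for mCpuHotPlugData->ApicId; the names RunScenario, QemuHotplugSmi, FirmwareSmiHandler and FW_HANG are assumptions. The model runs one "setvcpus" batch in which CPU 2's device_add lands just before the SMI, then a third hot-plug, once with and once without the skip the patch adds.

```c
#include <stdbool.h>
/* Constructed model of the race in the commit message, not QEMU or OVMF
 * code. Bit i of a mask is the hot-plug event for the CPU with APIC ID i. */
#define MAX_CPUS 8
enum { FW_OK, FW_HANG };

typedef struct {
  unsigned Pending;            /* QEMU: hot-plug events not yet cleared */
  unsigned Known[MAX_CPUS];    /* firmware: APIC IDs already relocated */
  unsigned KnownCount;
} Model;

static bool IsKnown (const Model *M, unsigned ApicId) {
  for (unsigned Slot = 0; Slot < M->KnownCount; Slot++) {
    if (M->Known[Slot] == ApicId) return true;
  }
  return false;
}

/* OVMF side: on the SMI, relocate every CPU the live register block reports.
 * Relocating a known CPU is the hang from the commit message (the AP no
 * longer answers SmbaseRelocate()); with the fix the entry is skipped. */
static int FirmwareSmiHandler (Model *M, bool WithFix) {
  for (unsigned ApicId = 0; ApicId < MAX_CPUS; ApicId++) {
    if (!(M->Pending & (1u << ApicId))) continue;
    if (IsKnown (M, ApicId)) {
      if (WithFix) continue;   /* "was hot-plugged before; ignoring it" */
      return FW_HANG;
    }
    M->Known[M->KnownCount++] = ApicId;
  }
  return FW_OK;
}

/* QEMU side: collect events, raise the SMI, clear only what was collected.
 * StrayApicId (0 = none) is a device_add landing just before the SMI. */
static int QemuHotplugSmi (Model *M, unsigned StrayApicId, bool WithFix) {
  unsigned Collected = M->Pending;
  if (StrayApicId != 0) M->Pending |= 1u << StrayApicId;
  int Status = FirmwareSmiHandler (M, WithFix);
  M->Pending &= ~Collected;    /* the stray CPU's event stays pending */
  return Status;
}

/* "virsh setvcpus": CPU 1 plugged, CPU 2 sneaks in before the SMI, then CPU 3. */
int RunScenario (bool WithFix) {
  Model M = { 0, { 0 }, 0 };
  M.Pending |= 1u << 1;
  if (QemuHotplugSmi (&M, 2, WithFix) != FW_OK) return FW_HANG;
  M.Pending |= 1u << 3;        /* CPU 2's stuck event is reported again */
  return QemuHotplugSmi (&M, 0, WithFix);
}
```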
From: "Laszlo Ersek"
To: edk2-devel-groups-io
Cc: Ard Biesheuvel, Igor Mammedov, Jordan Justen, Philippe Mathieu-Daudé
Subject: [edk2-devel] [PATCH 2/2] OvmfPkg/CpuHotplugSmm: fix CPU hotplug race just after SMI broadcast
Date: Thu, 27 Aug 2020 00:21:29 +0200
Message-Id: <20200826222129.25798-3-lersek@redhat.com>
In-Reply-To: <20200826222129.25798-1-lersek@redhat.com>
References: <20200826222129.25798-1-lersek@redhat.com>

The "virsh setvcpus" (plural) command may hot-plug several VCPUs in quick succession -- it means a series of "device_add" QEMU monitor commands, back-to-back.

If a "device_add" occurs *just after* ACPI raises the broadcast SMI, then:

- the CPU_FOREACH() loop in QEMU's ich9_apm_ctrl_changed() cannot make the SMI pending for the new CPU -- at that time, the new CPU doesn't even exist yet,

- OVMF will find the new CPU however (in the CPU hotplug register block), in QemuCpuhpCollectApicIds().
As a result, when the firmware sends an INIT-SIPI-SIPI to the new CPU in SmbaseRelocate(), expecting it to boot into SMM (due to the pending SMI), the new CPU instead boots straight into the post-RSM (normal mode) "pen", skipping its initial SMI handler.

The CPU halts nicely in the pen, but its SMBASE is never relocated, and the SMRAM message exchange with the BSP falls apart -- the BSP gets stuck in the following loop:

  //
  // Wait until the hot-added CPU is just about to execute RSM.
  //
  while (Context->AboutToLeaveSmm == 0) {
    CpuPause ();
  }

because the new CPU's initial SMI handler never sets the flag to nonzero.

Fix this by sending a directed SMI to the new CPU just before sending it the INIT-SIPI-SIPI.

The various scenarios are documented in the code -- the cases affected by the patch are documented under point (2).

Note that this is not considered a security patch, as for a malicious guest OS, the issue is not exploitable -- the symptom is a hang on the BSP, in the above-noted loop in SmbaseRelocate(). Instead, the patch fixes behavior for a benign guest OS.

Cc: Ard Biesheuvel
Cc: Igor Mammedov
Cc: Jordan Justen
Cc: Philippe Mathieu-Daudé
Fixes: 51a6fb41181529e4b50ea13377425bda6bb69ba6
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=2929
Signed-off-by: Laszlo Ersek
Reviewed-by: Ard Biesheuvel
---
 OvmfPkg/CpuHotplugSmm/Smbase.c | 35 ++++++++++++++++----
 1 file changed, 29 insertions(+), 6 deletions(-)

diff --git a/OvmfPkg/CpuHotplugSmm/Smbase.c b/OvmfPkg/CpuHotplugSmm/Smbase.c
index 170571221d84..d8f45c431324 100644
--- a/OvmfPkg/CpuHotplugSmm/Smbase.c
+++ b/OvmfPkg/CpuHotplugSmm/Smbase.c
@@ -220,14 +220,37 @@ SmbaseRelocate ( // // Boot the hot-added CPU. // - // If the OS is benign, and so the hot-added CPU is still in RESET state, - // then the broadcast SMI is still pending for it; it will now launch - // directly into SMM. + // There are 2*2 cases to consider: // - // If the OS is malicious, the hot-added CPU has been booted already, an= d so - // it is already spinning on the APIC ID gate. In that case, the - // INIT-SIPI-SIPI below will be ignored. + // (1) The CPU was hot-added before the SMI was broadcast. // + // (1.1) The OS is benign. + // + // The hot-added CPU is in RESET state, with the broadcast SMI pen= ding + // for it. The directed SMI below will be ignored (it's idempotent= ), + // and the INIT-SIPI-SIPI will launch the CPU directly into SMM. + // + // (1.2) The OS is malicious. + // + // The hot-added CPU has been booted, by the OS. Thus, the hot-add= ed + // CPU is spinning on the APIC ID gate. In that case, both the SMI= and + // the INIT-SIPI-SIPI below will be ignored. + // + // (2) The CPU was hot-added after the SMI was broadcast. + // + // (2.1) The OS is benign. + // + // The hot-added CPU is in RESET state, with no SMI pending for it= . The + // directed SMI will latch the SMI for the CPU. Then the INIT-SIPI= -SIPI + // will launch the CPU into SMM. + // + // (2.2) The OS is malicious. + // + // The hot-added CPU is executing OS code. The directed SMI will p= ull + // the hot-added CPU into SMM, where it will start spinning on the= APIC + // ID gate. The INIT-SIPI-SIPI will be ignored. + // + SendSmiIpi (ApicId); SendInitSipiSipi (ApicId, PenAddress); =20 // --=20 2.19.1.3.g30247aa5d201
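Review bot: in case (1.2) the new comment says both the directed SMI and the INIT-SIPI-SIPI "will be ignored" by a CPU that is already in SMM; please spell out whether the SMI is discarded or latched and delivered at RSM, and why either outcome is harmless here, since an SMI arriving while the target is in SMM is normally held pending rather than dropped and would make the CPU re-enter SMM through its already-relocated SMBASE. A pointer to the relevant SDM section next to `SendSmiIpi (ApicId);` would let the next reader check the (1.1) "idempotent" claim and the (2.1) "latch" claim against the same source. The fix also relies on the directed SMI being latched before the INIT arrives, so the order of `SendSmiIpi` and `SendInitSipiSipi` is load-bearing and deserves a short "do not reorder" note.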
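The 2*2 case analysis from the new comment, as an added C model that is not OVMF code: the CPU states, the SMI-latching rule and the INIT-SIPI-SIPI rule encode only the behaviour the comment and the commit message describe; the names RelocateReachesSmm, HotAddedCpu and the WithFix parameter are assumptions. It shows case (2.1) landing in the normal-mode pen without the directed SMI, and all four cases reaching SMM with it.

```c
#include <stdbool.h>
/* Constructed model of the four cases in the SmbaseRelocate() comment, not
 * OVMF code. Only the observable behaviour described in the patch is modelled. */
typedef enum { CPU_RESET, CPU_RUNNING_OS, CPU_IN_SMM } CpuState;

typedef struct {
  CpuState State;
  bool     SmiPending;   /* an SMI latched while the CPU sits in RESET */
} HotAddedCpu;

/* An SMI aimed at the CPU (broadcast or directed, SendSmiIpi in the patch):
 * latched for a CPU in RESET (a second one merges with the first), pulls a
 * CPU running OS code into SMM, no effect on a CPU already in SMM. */
static void SendSmiIpi (HotAddedCpu *Cpu) {
  if (Cpu->State == CPU_RUNNING_OS) {
    Cpu->State = CPU_IN_SMM;       /* starts spinning on the APIC ID gate */
  } else if (Cpu->State == CPU_RESET) {
    Cpu->SmiPending = true;        /* idempotent if already pending */
  }
}

/* INIT-SIPI-SIPI: only a CPU in RESET reacts. With an SMI pending it
 * launches into SMM (its initial SMI handler runs); without one it lands
 * in the normal-mode pen and the relocation exchange never starts. */
static void SendInitSipiSipi (HotAddedCpu *Cpu) {
  if (Cpu->State != CPU_RESET) return;
  Cpu->State = Cpu->SmiPending ? CPU_IN_SMM : CPU_RUNNING_OS;
  Cpu->SmiPending = false;
}

/* Returns true when the hot-added CPU ends up in SMM, i.e. the BSP's wait on
 * AboutToLeaveSmm can complete. Parameters follow the comment's numbering:
 * (1)/(2) = AddedBeforeBroadcast, (x.1)/(x.2) = OsBenign. WithFix adds the
 * directed SMI the patch inserts before the INIT-SIPI-SIPI. */
bool RelocateReachesSmm (bool AddedBeforeBroadcast, bool OsBenign, bool WithFix) {
  HotAddedCpu Cpu = { CPU_RESET, false };
  if (!OsBenign) Cpu.State = CPU_RUNNING_OS;    /* the OS booted it itself */
  if (AddedBeforeBroadcast) SendSmiIpi (&Cpu);  /* broadcast SMI reaches it */
  if (WithFix) SendSmiIpi (&Cpu);
  SendInitSipiSipi (&Cpu);
  return Cpu.State == CPU_IN_SMM;
}
```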