From nobody Mon Feb  9 05:59:05 2026
Return-Path: <linux-kernel-owner@vger.kernel.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from vger.kernel.org (vger.kernel.org [23.128.96.18])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 19272C7EE2C
	for <linux-kernel@archiver.kernel.org>; Fri, 26 May 2023 23:51:07 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S238076AbjEZXvD (ORCPT <rfc822;linux-kernel@archiver.kernel.org>);
        Fri, 26 May 2023 19:51:03 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:35488 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S237428AbjEZXu7 (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Fri, 26 May 2023 19:50:59 -0400
Received: from mail-pf1-x449.google.com (mail-pf1-x449.google.com
 [IPv6:2607:f8b0:4864:20::449])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id B97881A2
        for <linux-kernel@vger.kernel.org>;
 Fri, 26 May 2023 16:50:56 -0700 (PDT)
Received: by mail-pf1-x449.google.com with SMTP id
 d2e1a72fcca58-64d1c53cad8so1632233b3a.3
        for <linux-kernel@vger.kernel.org>;
 Fri, 26 May 2023 16:50:56 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=google.com; s=20221208; t=1685145056; x=1687737056;
        h=cc:to:from:subject:message-id:references:mime-version:in-reply-to
         :date:reply-to:from:to:cc:subject:date:message-id:reply-to;
        bh=Bk1UDmvPC4i4QcCcByGound/sEkJg+oDBKjGWlXb8JU=;
        b=b/S5rioSyiILJQs6UKnM3duZoCNlAbzAiw9wfNE+A0VSgXSpbWDc9bAXYZ0cLdL+DZ
         2uEnOSwSL/9N6VTbCO+GDRzecVuGUcIp1MW7e/WVy3U+6EXro8ItKlYOl2uhHuvWrsOg
         p6JSZ3CtSyfneC1g5UW5/tU7cDnIK/CmNCczY+MlhjqwAH6wBmtxSHcNTRF6h6B+41uc
         vMBYdeJ0HzcoKczzVjIvuHERnJDS2dopnEyzqp2e/YZ8edaTDKqz8JbytR4XMFerZFBE
         FJlWWkSzYrPKODDIxJfZfd0LKpiUyKP6bhpDYzO3DCZ0YLH9zhVCqo48cSABG2v9SAmc
         ChFw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20221208; t=1685145056; x=1687737056;
        h=cc:to:from:subject:message-id:references:mime-version:in-reply-to
         :date:reply-to:x-gm-message-state:from:to:cc:subject:date:message-id
         :reply-to;
        bh=Bk1UDmvPC4i4QcCcByGound/sEkJg+oDBKjGWlXb8JU=;
        b=V6LAO0JQc0fRbQPaBNwCgJokCElvPqoendw7dgtxTXPJqOwGN7zJeoEskd7pS4drUd
         0wBMEOn8HZfO/WydJz94o7Mhkj0FoWcptKZ3m+cr7CZERsdfBQiqSJFaSq9KT1SYzor1
         HeKjogjv1hZG2iXqbIfUzeTCeKr7h8WGB1CpAxGyxR+eff6Ts+Cw6O9MRp8fcjUGDani
         5IJCJ/6yHnhxBP/r5etvD9uzelaRKu6qPYDO7lKdfRRFSyoCdYRq54YyYnmlnKniAWJK
         kaJ54v8nNPiV03sC3W/rlU00Hjs8wq45kItlnTH8arGqEGyeEvI5WvJJMCj5n1qFQyDF
         7j/A==
X-Gm-Message-State: AC+VfDxyCftgLhJwuMntY2yArxkZ+jAITlgCMj+WnviQftA9VG3BeGRy
        7C8ERuZa2oq6lo+RSRU77+x3m+Y1h44=
X-Google-Smtp-Source: 
 ACHHUZ7ArsgmHv0yWzcONkKvqEmpBg7NHyT7G/Hn9x2wjF9AX2PY4+i2iveyzvhp6VelanZocecUjEBT6oY=
X-Received: from zagreus.c.googlers.com
 ([fda3:e722:ac3:cc00:7f:e700:c0a8:5c37])
 (user=seanjc job=sendgmr) by 2002:a05:6a00:1797:b0:64f:c0b1:6967 with SMTP id
 s23-20020a056a00179700b0064fc0b16967mr4749pfg.1.1685145056321; Fri, 26 May
 2023 16:50:56 -0700 (PDT)
Reply-To: Sean Christopherson <seanjc@google.com>
Date: Fri, 26 May 2023 16:50:48 -0700
In-Reply-To: <20230526235048.2842761-1-seanjc@google.com>
Mime-Version: 1.0
References: <20230526235048.2842761-1-seanjc@google.com>
X-Mailer: git-send-email 2.41.0.rc0.172.g3f132b7071-goog
Message-ID: <20230526235048.2842761-4-seanjc@google.com>
Subject: [PATCH v2 3/3] KVM: selftests: Add test for race in
 kvm_recalculate_apic_map()
From: Sean Christopherson <seanjc@google.com>
To: Sean Christopherson <seanjc@google.com>,
        Paolo Bonzini <pbonzini@redhat.com>
Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org,
        Michal Luczaj <mhal@rbox.co>
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

From: Michal Luczaj <mhal@rbox.co>

Keep switching between LAPIC_MODE_X2APIC and LAPIC_MODE_DISABLED during
APIC map construction to hunt for TOCTOU bugs in KVM.  KVM's optimized map
recalc makes multiple passes over the list of vCPUs, and the calculations
ignore vCPU's whose APIC is hardware-disabled, i.e. there's a window where
toggling LAPIC_MODE_DISABLED is quite interesting.

Signed-off-by: Michal Luczaj <mhal@rbox.co>
Co-developed-by: Sean Christopherson <seanjc@google.com>
Signed-off-by: Sean Christopherson <seanjc@google.com>
---
 tools/testing/selftests/kvm/Makefile          |  1 +
 .../kvm/x86_64/recalc_apic_map_race.c         | 76 +++++++++++++++++++
 2 files changed, 77 insertions(+)
 create mode 100644 tools/testing/selftests/kvm/x86_64/recalc_apic_map_race=
.c

diff --git a/tools/testing/selftests/kvm/Makefile b/tools/testing/selftests=
/kvm/Makefile
index 7a5ff646e7e7..c9b8f16fb23f 100644
--- a/tools/testing/selftests/kvm/Makefile
+++ b/tools/testing/selftests/kvm/Makefile
@@ -116,6 +116,7 @@ TEST_GEN_PROGS_x86_64 +=3D x86_64/sev_migrate_tests
 TEST_GEN_PROGS_x86_64 +=3D x86_64/amx_test
 TEST_GEN_PROGS_x86_64 +=3D x86_64/max_vcpuid_cap_test
 TEST_GEN_PROGS_x86_64 +=3D x86_64/triple_fault_event_test
+TEST_GEN_PROGS_x86_64 +=3D x86_64/recalc_apic_map_race
 TEST_GEN_PROGS_x86_64 +=3D access_tracking_perf_test
 TEST_GEN_PROGS_x86_64 +=3D demand_paging_test
 TEST_GEN_PROGS_x86_64 +=3D dirty_log_test
diff --git a/tools/testing/selftests/kvm/x86_64/recalc_apic_map_race.c b/to=
ols/testing/selftests/kvm/x86_64/recalc_apic_map_race.c
new file mode 100644
index 000000000000..09516548c11a
--- /dev/null
+++ b/tools/testing/selftests/kvm/x86_64/recalc_apic_map_race.c
@@ -0,0 +1,76 @@
+// SPDX-License-Identifier: GPL-2.0-only
+/*
+ * recalc_apic_map_race
+ *
+ * Test for a race condition in kvm_recalculate_apic_map().
+ */
+
+#include <sys/ioctl.h>
+#include <pthread.h>
+#include <time.h>
+
+#include "processor.h"
+#include "test_util.h"
+#include "kvm_util.h"
+#include "apic.h"
+
+#define TIMEOUT		5	/* seconds */
+
+#define LAPIC_DISABLED	0
+#define LAPIC_X2APIC	(MSR_IA32_APICBASE_ENABLE | X2APIC_ENABLE)
+#define MAX_XAPIC_ID	0xff
+
+static void *race(void *arg)
+{
+	struct kvm_lapic_state lapic =3D {};
+	struct kvm_vcpu *vcpu =3D arg;
+
+	while (1) {
+		/* Trigger kvm_recalculate_apic_map(). */
+		vcpu_ioctl(vcpu, KVM_SET_LAPIC, &lapic);
+		pthread_testcancel();
+	}
+
+	return NULL;
+}
+
+int main(void)
+{
+	struct kvm_vcpu *vcpus[KVM_MAX_VCPUS];
+	struct kvm_vcpu *vcpuN;
+	struct kvm_vm *vm;
+	pthread_t thread;
+	time_t t;
+	int i;
+
+	kvm_static_assert(KVM_MAX_VCPUS > MAX_XAPIC_ID);
+
+	/*
+	 * Creating the max number of vCPUs supported by selftests so that KVM
+	 * has decent amount of work to do when recalculating the map, i.e. to
+	 * make the problematic window large enough to hit.
+	 */
+	vm =3D vm_create_with_vcpus(KVM_MAX_VCPUS, NULL, vcpus);
+
+	/*
+	 * Enable x2APIC on all vCPUs so that KVM doesn't bail from the recalc
+	 * due to vCPUs having aliased xAPIC IDs (truncated to 8 bits).
+	 */
+	for (i =3D 0; i < KVM_MAX_VCPUS; i++)
+		vcpu_set_msr(vcpus[i], MSR_IA32_APICBASE, LAPIC_X2APIC);
+
+	ASSERT_EQ(pthread_create(&thread, NULL, race, vcpus[0]), 0);
+
+	vcpuN =3D vcpus[KVM_MAX_VCPUS - 1];
+	for (t =3D time(NULL) + TIMEOUT; time(NULL) < t;) {
+		vcpu_set_msr(vcpuN, MSR_IA32_APICBASE, LAPIC_X2APIC);
+		vcpu_set_msr(vcpuN, MSR_IA32_APICBASE, LAPIC_DISABLED);
+	}
+
+	ASSERT_EQ(pthread_cancel(thread), 0);
+	ASSERT_EQ(pthread_join(thread, NULL), 0);
+
+	kvm_vm_release(vm);
+
+	return 0;
+}
--=20
2.41.0.rc0.172.g3f132b7071-goog