Date: Fri, 31 Jan 2025 17:13:56 -0800
Message-ID: <20250201011400.669483-2-seanjc@google.com>
In-Reply-To: <20250201011400.669483-1-seanjc@google.com>
Subject: [PATCH 1/5] KVM: x86/xen: Restrict hypercall MSR to unofficial synthetic range
From: Sean Christopherson
To: Sean Christopherson, Paolo Bonzini, David Woodhouse, Paul Durrant
Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, syzbot+cdeaeec70992eca2d920@syzkaller.appspotmail.com, Joao Martins, David Woodhouse

Reject userspace attempts to set the Xen hypercall page MSR to an index
outside of the "standard" virtualization range [0x40000000, 0x4fffffff],
as KVM is not equipped to handle collisions with real MSRs, e.g. KVM
doesn't update MSR interception, conflicts with VMCS/VMCB fields, special
case writes in KVM, etc.

Allowing userspace to redirect any MSR write can also be used to attack
the kernel, as kvm_xen_write_hypercall_page() takes multiple locks and
writes to guest memory. E.g. if userspace sets the MSR to MSR_IA32_XSS,
KVM's write to MSR_IA32_XSS during vCPU creation will trigger an SRCU
violation due to writing guest memory:

  =============================
  WARNING: suspicious RCU usage
  6.13.0-rc3
  -----------------------------
  include/linux/kvm_host.h:1046 suspicious rcu_dereference_check() usage!

  stack backtrace:
  CPU: 6 UID: 1000 PID: 1101 Comm: repro Not tainted 6.13.0-rc3
  Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015
  Call Trace:
   dump_stack_lvl+0x7f/0x90
   lockdep_rcu_suspicious+0x176/0x1c0
   kvm_vcpu_gfn_to_memslot+0x259/0x280
   kvm_vcpu_write_guest+0x3a/0xa0
   kvm_xen_write_hypercall_page+0x268/0x300
   kvm_set_msr_common+0xc44/0x1940
   vmx_set_msr+0x9db/0x1fc0
   kvm_vcpu_reset+0x857/0xb50
   kvm_arch_vcpu_create+0x37e/0x4d0
   kvm_vm_ioctl+0x669/0x2100
   __x64_sys_ioctl+0xc1/0xf0
   do_syscall_64+0xc5/0x210
   entry_SYSCALL_64_after_hwframe+0x4b/0x53
  RIP: 0033:0x7feda371b539

While the MSR index isn't strictly ABI, i.e. can theoretically float to
any value, in practice no known VMM sets the MSR index to anything other
than 0x40000000 or 0x40000200.

Reported-by: syzbot+cdeaeec70992eca2d920@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/all/679258d4.050a0220.2eae65.000a.GAE@google.com
Cc: Joao Martins
Cc: Paul Durrant
Cc: David Woodhouse
Signed-off-by: Sean Christopherson
Reviewed-by: David Woodhouse
Reviewed-by: Paul Durrant
---
 arch/x86/kvm/xen.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/arch/x86/kvm/xen.c b/arch/x86/kvm/xen.c index a909b817b9c0..35ecafc410f0 100644 --- a/arch/x86/kvm/xen.c +++ b/arch/x86/kvm/xen.c 
@@ -1324,6 +1324,14 @@ int kvm_xen_hvm_config(struct kvm *kvm, struct kvm_x= en_hvm_config *xhc) xhc->blob_size_32 || xhc->blob_size_64)) return -EINVAL; =20 + /* + * Restrict the MSR to the range that is unofficially reserved for + * synthetic, virtualization-defined MSRs, e.g. to prevent confusing + * KVM by colliding with a real MSR that requires special handling. + */ + if (xhc->msr && (xhc->msr < 0x40000000 || xhc->msr > 0x4fffffff)) + return -EINVAL; + mutex_lock(&kvm->arch.xen.xen_lock); =20 if (xhc->msr && !kvm->arch.xen_hvm_config.msr) --=20 2.48.1.362.g079036d154-goog
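
Review bot: the new range check in kvm_xen_hvm_config() open-codes 0x40000000 and 0x4fffffff; give the two bounds names (macros next to the other Xen definitions) so the ioctl check and any later user cannot drift apart. The diffstat touches only arch/x86/kvm/xen.c, so the new -EINVAL for an out-of-range index is not described anywhere userspace would look; add the permitted range to the KVM_XEN_HVM_CONFIG documentation in the same patch.
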
Date: Fri, 31 Jan 2025 17:13:57 -0800
Message-ID: <20250201011400.669483-3-seanjc@google.com>
In-Reply-To: <20250201011400.669483-1-seanjc@google.com>
Subject: [PATCH 2/5] KVM: x86/xen: Add an #ifdef'd helper to detect writes to Xen MSR
From: Sean Christopherson
To: Sean Christopherson, Paolo Bonzini, David Woodhouse, Paul Durrant
Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, syzbot+cdeaeec70992eca2d920@syzkaller.appspotmail.com, Joao Martins, David Woodhouse

Add a helper to detect writes to the Xen hypercall page MSR, and provide a
stub for CONFIG_KVM_XEN=n to optimize out the check for kernels built
without Xen support.

Signed-off-by: Sean Christopherson
Reviewed-by: David Woodhouse
Reviewed-by: Paul Durrant
---
 arch/x86/kvm/x86.c | 2 +-
 arch/x86/kvm/xen.h | 10 ++++++++++
 2 files changed, 11 insertions(+), 1 deletion(-)

diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c index b2d9a16fd4d3..f13d9d3f7c60 100644 --- a/arch/x86/kvm/x86.c +++ b/arch/x86/kvm/x86.c 
@@ -3733,7 +3733,7 @@ int kvm_set_msr_common(struct kvm_vcpu *vcpu, struct = msr_data *msr_info) u32 msr =3D msr_info->index; u64 data =3D msr_info->data; =20 - if (msr && msr =3D=3D vcpu->kvm->arch.xen_hvm_config.msr) + if (kvm_xen_is_hypercall_page_msr(vcpu->kvm, msr)) return kvm_xen_write_hypercall_page(vcpu, data); =20 switch (msr) { diff --git a/arch/x86/kvm/xen.h b/arch/x86/kvm/xen.h index f5841d9000ae..e92e06926f76 100644 --- a/arch/x86/kvm/xen.h +++ b/arch/x86/kvm/xen.h @@ -56,6 +56,11 @@ static inline bool kvm_xen_msr_enabled(struct kvm *kvm) kvm->arch.xen_hvm_config.msr; } =20 +static inline bool kvm_xen_is_hypercall_page_msr(struct kvm *kvm, u32 msr) +{ + return msr && msr =3D=3D kvm->arch.xen_hvm_config.msr; +} + static inline bool kvm_xen_hypercall_enabled(struct kvm *kvm) { return static_branch_unlikely(&kvm_xen_enabled.key) && 
@@ -124,6 +129,11 @@ static inline bool kvm_xen_msr_enabled(struct kvm *kvm) return false; } =20 +static inline bool kvm_xen_is_hypercall_page_msr(struct kvm *kvm, u32 msr) +{ + return false; +} + static inline bool kvm_xen_hypercall_enabled(struct kvm *kvm) { return false; --=20 2.48.1.362.g079036d154-goog
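
Review bot: in the kvm_set_msr_common() hunk, kvm_xen_is_hypercall_page_msr() is given only the index, so a host-initiated write is still routed to kvm_xen_write_hypercall_page() exactly like a guest WRMSR (the splat quoted in patch 1 arrived through kvm_vcpu_reset()). If only guest writes are meant to populate the hypercall page, pass msr_info and test host_initiated in the helper; if host writes are deliberately included, say so in a comment on the helper in xen.h, together with the fact that a zero index means the MSR is not configured.
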
Date: Fri, 31 Jan 2025 17:13:58 -0800
Message-ID: <20250201011400.669483-4-seanjc@google.com>
In-Reply-To: <20250201011400.669483-1-seanjc@google.com>
Subject: [PATCH 3/5] KVM: x86/xen: Consult kvm_xen_enabled when checking for Xen MSR writes
From: Sean Christopherson
To: Sean Christopherson, Paolo Bonzini, David Woodhouse, Paul Durrant
Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, syzbot+cdeaeec70992eca2d920@syzkaller.appspotmail.com, Joao Martins, David Woodhouse

Query kvm_xen_enabled when detecting writes to the Xen hypercall page MSR
so that the check is optimized away in the likely scenario that Xen isn't
enabled for the VM.

Deliberately open code the check instead of using kvm_xen_msr_enabled() in
order to avoid a double load of xen_hvm_config.msr (which is admittedly
rather pointless given the widespread lack of READ_ONCE() usage on the
plethora of vCPU-scoped accesses to kvm->arch.xen state).

No functional change intended.

Signed-off-by: Sean Christopherson
Reviewed-by: David Woodhouse
Reviewed-by: Paul Durrant
---
 arch/x86/kvm/xen.h | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/arch/x86/kvm/xen.h b/arch/x86/kvm/xen.h index e92e06926f76..1e3a913dfb94 100644 --- a/arch/x86/kvm/xen.h +++ b/arch/x86/kvm/xen.h 
@@ -58,6 +58,9 @@ static inline bool kvm_xen_msr_enabled(struct kvm *kvm) =20 static inline bool kvm_xen_is_hypercall_page_msr(struct kvm *kvm, u32 msr) { + if (!static_branch_unlikely(&kvm_xen_enabled.key)) + return false; + return msr && msr =3D=3D kvm->arch.xen_hvm_config.msr; } =20 --=20 2.48.1.362.g079036d154-goog
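
Review bot: the reason for open-coding static_branch_unlikely(&kvm_xen_enabled.key) in kvm_xen_is_hypercall_page_msr() rather than calling kvm_xen_msr_enabled() is recorded only in the commit message. A short comment above the new check would keep a later cleanup from folding the two helpers together and bringing back the double load of xen_hvm_config.msr.
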
Date: Fri, 31 Jan 2025 17:13:59 -0800
Message-ID: <20250201011400.669483-5-seanjc@google.com>
In-Reply-To: <20250201011400.669483-1-seanjc@google.com>
Subject: [PATCH 4/5] KVM: x86/xen: Bury xen_hvm_config behind CONFIG_KVM_XEN=y
From: Sean Christopherson
To: Sean Christopherson, Paolo Bonzini, David Woodhouse, Paul Durrant
Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, syzbot+cdeaeec70992eca2d920@syzkaller.appspotmail.com, Joao Martins, David Woodhouse

Now that all references to kvm_vcpu_arch.xen_hvm_config are wrapped with
CONFIG_KVM_XEN #ifdefs, bury the field itself behind CONFIG_KVM_XEN=y.

No functional change intended.

Signed-off-by: Sean Christopherson
Reviewed-by: David Woodhouse
Reviewed-by: Paul Durrant
---
 arch/x86/include/asm/kvm_host.h | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/arch/x86/include/asm/kvm_host.h b/arch/x86/include/asm/kvm_hos= t.h index 5193c3dfbce1..7f9e00004db2 100644 --- a/arch/x86/include/asm/kvm_host.h +++ b/arch/x86/include/asm/kvm_host.h @@ -1402,8 +1402,6 @@ struct kvm_arch { struct delayed_work kvmclock_update_work; struct delayed_work kvmclock_sync_work; =20 - struct kvm_xen_hvm_config xen_hvm_config; - /* reads protected by irq_srcu, writes by irq_lock */ struct hlist_head mask_notifier_list; =20 
@@ -1413,6 +1411,7 @@ struct kvm_arch { =20 #ifdef CONFIG_KVM_XEN struct kvm_xen xen; + struct kvm_xen_hvm_config xen_hvm_config; #endif =20 bool backwards_tsc_observed; --=20 2.48.1.362.g079036d154-goog
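
Review bot: the changelog refers to kvm_vcpu_arch.xen_hvm_config, but both hunks edit struct kvm_arch, where the field is per-VM. Reword the commit message to name kvm_arch.xen_hvm_config so the description matches the structure being changed.
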
Date: Fri, 31 Jan 2025 17:14:00 -0800
Message-ID: <20250201011400.669483-6-seanjc@google.com>
In-Reply-To: <20250201011400.669483-1-seanjc@google.com>
Subject: [PATCH 5/5] KVM: x86/xen: Move kvm_xen_hvm_config field into kvm_xen
From: Sean Christopherson
To: Sean Christopherson, Paolo Bonzini, David Woodhouse, Paul Durrant
Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, syzbot+cdeaeec70992eca2d920@syzkaller.appspotmail.com, Joao Martins, David Woodhouse

Now that all KVM usage of the Xen HVM config information is buried behind
CONFIG_KVM_XEN=y, move the per-VM kvm_xen_hvm_config field out of kvm_arch
and into kvm_xen.

No functional change intended.

Signed-off-by: Sean Christopherson
Reviewed-by: David Woodhouse
Reviewed-by: Paul Durrant
---
 arch/x86/include/asm/kvm_host.h | 3 ++-
 arch/x86/kvm/x86.c | 2 +-
 arch/x86/kvm/xen.c | 20 ++++++++++----------
 arch/x86/kvm/xen.h | 6 +++---
 4 files changed, 16 insertions(+), 15 deletions(-)

diff --git a/arch/x86/include/asm/kvm_host.h b/arch/x86/include/asm/kvm_hos= t.h index 7f9e00004db2..e9ebd6d6492c 100644 --- a/arch/x86/include/asm/kvm_host.h +++ b/arch/x86/include/asm/kvm_host.h @@ -1180,6 +1180,8 @@ struct kvm_xen { struct gfn_to_pfn_cache shinfo_cache; struct idr evtchn_ports; unsigned long poll_mask[BITS_TO_LONGS(KVM_MAX_VCPUS)]; + + struct kvm_xen_hvm_config hvm_config; }; #endif =20 @@ -1411,7 +1413,6 @@ struct kvm_arch { =20 #ifdef CONFIG_KVM_XEN struct kvm_xen xen; - struct kvm_xen_hvm_config xen_hvm_config; #endif =20 bool backwards_tsc_observed; 
diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c index f13d9d3f7c60..b03c67d53e5f 100644 --- a/arch/x86/kvm/x86.c +++ b/arch/x86/kvm/x86.c @@ -3188,7 +3188,7 @@ static int kvm_guest_time_update(struct kvm_vcpu *v) * problems if they observe PVCLOCK_TSC_STABLE_BIT in the pvclock flags. */ bool xen_pvclock_tsc_unstable =3D - ka->xen_hvm_config.flags & KVM_XEN_HVM_CONFIG_PVCLOCK_TSC_UNSTABLE; + ka->xen.hvm_config.flags & KVM_XEN_HVM_CONFIG_PVCLOCK_TSC_UNSTABLE; #endif =20 kernel_ns =3D 0; diff --git a/arch/x86/kvm/xen.c b/arch/x86/kvm/xen.c index 35ecafc410f0..142018b9cdd2 100644 --- a/arch/x86/kvm/xen.c +++ b/arch/x86/kvm/xen.c @@ -1280,10 +1280,10 @@ int kvm_xen_write_hypercall_page(struct kvm_vcpu *v= cpu, u64 data) * Note, truncation is a non-issue as 'lm' is guaranteed to be * false for a 32-bit kernel, i.e. when hva_t is only 4 bytes. */ - hva_t blob_addr =3D lm ? kvm->arch.xen_hvm_config.blob_addr_64 - : kvm->arch.xen_hvm_config.blob_addr_32; - u8 blob_size =3D lm ? kvm->arch.xen_hvm_config.blob_size_64 - : kvm->arch.xen_hvm_config.blob_size_32; + hva_t blob_addr =3D lm ? kvm->arch.xen.hvm_config.blob_addr_64 + : kvm->arch.xen.hvm_config.blob_addr_32; + u8 blob_size =3D lm ? kvm->arch.xen.hvm_config.blob_size_64 + : kvm->arch.xen.hvm_config.blob_size_32; u8 *page; int ret; =20 
@@ -1334,13 +1334,13 @@ int kvm_xen_hvm_config(struct kvm *kvm, struct kvm_= xen_hvm_config *xhc) =20 mutex_lock(&kvm->arch.xen.xen_lock); =20 - if (xhc->msr && !kvm->arch.xen_hvm_config.msr) + if (xhc->msr && !kvm->arch.xen.hvm_config.msr) static_branch_inc(&kvm_xen_enabled.key); - else if (!xhc->msr && kvm->arch.xen_hvm_config.msr) + else if (!xhc->msr && kvm->arch.xen.hvm_config.msr) static_branch_slow_dec_deferred(&kvm_xen_enabled); =20 - old_flags =3D kvm->arch.xen_hvm_config.flags; - memcpy(&kvm->arch.xen_hvm_config, xhc, sizeof(*xhc)); + old_flags =3D kvm->arch.xen.hvm_config.flags; + memcpy(&kvm->arch.xen.hvm_config, xhc, sizeof(*xhc)); =20 mutex_unlock(&kvm->arch.xen.xen_lock); =20 @@ -1421,7 +1421,7 @@ static bool kvm_xen_schedop_poll(struct kvm_vcpu *vcp= u, bool longmode, int i; =20 if (!lapic_in_kernel(vcpu) || - !(vcpu->kvm->arch.xen_hvm_config.flags & KVM_XEN_HVM_CONFIG_EVTCHN_SE= ND)) + !(vcpu->kvm->arch.xen.hvm_config.flags & KVM_XEN_HVM_CONFIG_EVTCHN_SE= ND)) return false; =20 if (IS_ENABLED(CONFIG_64BIT) && !longmode) { @@ -2299,6 +2299,6 @@ void kvm_xen_destroy_vm(struct kvm *kvm) } idr_destroy(&kvm->arch.xen.evtchn_ports); =20 - if (kvm->arch.xen_hvm_config.msr) + if (kvm->arch.xen.hvm_config.msr) static_branch_slow_dec_deferred(&kvm_xen_enabled); } diff --git a/arch/x86/kvm/xen.h b/arch/x86/kvm/xen.h index 1e3a913dfb94..d191103d8163 100644 --- a/arch/x86/kvm/xen.h +++ b/arch/x86/kvm/xen.h @@ -53,7 +53,7 @@ static inline void kvm_xen_sw_enable_lapic(struct kvm_vcp= u *vcpu) static inline bool kvm_xen_msr_enabled(struct kvm *kvm) { return static_branch_unlikely(&kvm_xen_enabled.key) && - kvm->arch.xen_hvm_config.msr; + kvm->arch.xen.hvm_config.msr; } =20 static inline bool kvm_xen_is_hypercall_page_msr(struct kvm *kvm, u32 msr) 
@@ -61,13 +61,13 @@ static inline bool kvm_xen_is_hypercall_page_msr(struct= kvm *kvm, u32 msr) if (!static_branch_unlikely(&kvm_xen_enabled.key)) return false; =20 - return msr && msr =3D=3D kvm->arch.xen_hvm_config.msr; + return msr && msr =3D=3D kvm->arch.xen.hvm_config.msr; } =20 static inline bool kvm_xen_hypercall_enabled(struct kvm *kvm) { return static_branch_unlikely(&kvm_xen_enabled.key) && - (kvm->arch.xen_hvm_config.flags & + (kvm->arch.xen.hvm_config.flags & KVM_XEN_HVM_CONFIG_INTERCEPT_HCALL); } =20 --=20 2.48.1.362.g079036d154-goog
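Review bot: the new "struct kvm_xen_hvm_config hvm_config;" member at the end of struct kvm_xen (first hunk of arch/x86/include/asm/kvm_host.h) carries no comment saying how it is protected. The kvm_xen_hvm_config() hunk in xen.c shows it being overwritten with memcpy() under kvm->arch.xen.xen_lock, while kvm_xen_msr_enabled() and the other xen.h helpers read .msr and .flags with no lock in the visible lines. Now that the field sits beside that lock in the same structure, a one-line comment stating that writers hold xen_lock and readers are lockless would save the next reader from working it out.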
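Review bot: in the kvm_xen_write_hypercall_page() hunk of arch/x86/kvm/xen.c, the rename makes the four blob_addr_64, blob_addr_32, blob_size_64 and blob_size_32 accesses longer still, each spelling out kvm->arch.xen.hvm_config again. A local pointer to &kvm->arch.xen.hvm_config declared above the two ternaries would shorten them and make the 'lm' selection easier to read, and the patch would remain a no-functional-change edit. Style only.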
Subject: [PATCH] KVM: x86/xen: Only write Xen hypercall page for guest writes to MSR
From: David Woodhouse
To: Sean Christopherson, Paolo Bonzini, Paul Durrant
Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, syzbot+cdeaeec70992eca2d920@syzkaller.appspotmail.com, Joao Martins
Date: Thu, 06 Feb 2025 19:14:19 +0000
In-Reply-To: <20250201011400.669483-1-seanjc@google.com>
References: <20250201011400.669483-1-seanjc@google.com>
X-Mailing-List: linux-kernel@vger.kernel.org

From: David Woodhouse

The Xen hypercall page MSR is write-only. When the guest writes an address
to the MSR, the hypervisor populates the referenced page with hypercall
functions.

There is no reason for the host ever to write to the MSR, and it isn't
even readable.

Allowing host writes to trigger the hypercall page allows userspace to
attack the kernel, as kvm_xen_write_hypercall_page() takes multiple
locks and writes to guest memory. E.g. if userspace sets the MSR to
MSR_IA32_XSS, KVM's write to MSR_IA32_XSS during vCPU creation will
trigger an SRCU violation due to writing guest memory:

  =============================
  WARNING: suspicious RCU usage
  6.13.0-rc3
  -----------------------------
  include/linux/kvm_host.h:1046 suspicious rcu_dereference_check() usage!

  stack backtrace:
  CPU: 6 UID: 1000 PID: 1101 Comm: repro Not tainted 6.13.0-rc3
  Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015
  Call Trace:
   dump_stack_lvl+0x7f/0x90
   lockdep_rcu_suspicious+0x176/0x1c0
   kvm_vcpu_gfn_to_memslot+0x259/0x280
   kvm_vcpu_write_guest+0x3a/0xa0
   kvm_xen_write_hypercall_page+0x268/0x300
   kvm_set_msr_common+0xc44/0x1940
   vmx_set_msr+0x9db/0x1fc0
   kvm_vcpu_reset+0x857/0xb50
   kvm_arch_vcpu_create+0x37e/0x4d0
   kvm_vm_ioctl+0x669/0x2100
   __x64_sys_ioctl+0xc1/0xf0
   do_syscall_64+0xc5/0x210
   entry_SYSCALL_64_after_hwframe+0x4b/0x53
  RIP: 0033:0x7feda371b539

While the MSR index isn't strictly ABI, i.e. can theoretically float to
any value, in practice no known VMM sets the MSR index to anything other
than 0x40000000 or 0x40000200.

Reported-by: syzbot+cdeaeec70992eca2d920@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/all/679258d4.050a0220.2eae65.000a.GAE@google.com
Signed-off-by: David Woodhouse
--- arch/x86/kvm/x86.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c index 6d4a6734b2d6..f1ecba788d0a 100644 --- a/arch/x86/kvm/x86.c 
+++ b/arch/x86/kvm/x86.c 
@@ -3733,7 +3733,13 @@ int kvm_set_msr_common(struct kvm_vcpu *vcpu, struct= msr_data *msr_info) u32 msr =3D msr_info->index; u64 data =3D msr_info->data; =20 - if (msr && msr =3D=3D vcpu->kvm->arch.xen_hvm_config.msr) + /* + * Do not allow host-initiated writes to trigger the Xen hypercall + * page setup; it could incur locking paths which are not expected + * if userspace sets the MSR in an unusual location. + */ + if (msr && msr =3D=3D vcpu->kvm->arch.xen_hvm_config.msr && + !msr_info->host_initiated) return kvm_xen_write_hypercall_page(vcpu, data); =20 switch (msr) { --=20 2.48.1
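Review bot: the new "!msr_info->host_initiated" test in kvm_set_msr_common() closes only the host-initiated path; a guest write to whatever index userspace configured still returns kvm_xen_write_hypercall_page() ahead of "switch (msr)", so an index that aliases a real MSR (the commit message's MSR_IA32_XSS case) keeps shadowing that MSR for the guest. Since the commit message says no known VMM uses anything other than 0x40000000 or 0x40000200, consider also validating the index where the Xen HVM config is set, so that an unusual location is refused up front. The added comment could name the concrete hazard from the commit message (kvm_xen_write_hypercall_page() takes multiple locks and writes guest memory, which KVM's own MSR writes during vCPU creation do not expect) rather than "locking paths which are not expected". This hunk also tests vcpu->kvm->arch.xen_hvm_config.msr, the name that [PATCH 5/5] of the series being replied to changes to arch.xen.hvm_config, so one of the two needs a rebase depending on merge order.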