From: Fei Li
To: seanjc@google.com, pbonzini@redhat.com, tglx@linutronix.de, mingo@redhat.com, bp@alien8.de, dave.hansen@linux.intel.com, liran.alon@oracle.com, hpa@zytor.com, wanpeng.li@hotmail.com
Cc: kvm@vger.kernel.org, x86@kernel.org, linux-kernel@vger.kernel.org, Fei Li, stable@vger.kernel.org
Subject: [PATCH] KVM: x86: Latch INITs only in specific CPU states in KVM_SET_VCPU_EVENTS
Date: Wed, 27 Aug 2025 23:27:54 +0800
Message-Id: <20250827152754.12481-1-lifei.shirley@bytedance.com>

Commit ff90afa75573 ("KVM: x86: Evaluate latched_init in KVM_SET_VCPU_EVENTS
when vCPU not in SMM") changed the KVM_SET_VCPU_EVENTS handler to set the
pending LAPIC INIT event regardless of whether the vCPU is in SMM mode or not.
However, latching INIT without checking the CPU state creates a race
condition, which causes the loss of the INIT event. This is fatal during the
VM startup process because it will cause some APs to never switch to non-root
mode. Just as commit f4ef19108608 ("KVM: X86: Fix loss of pending INIT due to
race") said:

          BSP                                     AP
                                     kvm_vcpu_ioctl_x86_get_vcpu_events
                                       events->smi.latched_init = 0
                                     kvm_vcpu_block
                                       kvm_vcpu_check_block
                                     schedule
send INIT to AP
                                     kvm_vcpu_ioctl_x86_set_vcpu_events
                                       (e.g. `info registers -a` when VM starts/reboots)
                                       if (events->smi.latched_init == 0)
                                         clear INIT in pending_events
                                     kvm_apic_accept_events
                                       test_bit(KVM_APIC_INIT, &pe) == false
                                       vcpu->arch.mp_state maintains UNINITIALIZED
send SIPI to AP
                                     kvm_apic_accept_events
                                       test_bit(KVM_APIC_SIPI, &pe) == false
                                       vcpu->arch.mp_state will never change to RUNNABLE
                                       (defy: UNINITIALIZED => INIT_RECEIVED => RUNNABLE)
                                     AP will never switch to non-root operation

As a result of this race, the VM hangs.
E.g., the BSP loops in SeaBIOS's SMPLock, the AP is never reset, and the QEMU
HMP command "info registers -a" shows:

CPU#0
EAX=00000002 EBX=00000002 ECX=00000000 EDX=00020000
ESI=00000000 EDI=00000000 EBP=00000008 ESP=00006c6c
EIP=000ef570 EFL=00000002 [-------] CPL=0 II=0 A20=1 SMM=0 HLT=0
......
CPU#1
EAX=00000000 EBX=00000000 ECX=00000000 EDX=00080660
ESI=00000000 EDI=00000000 EBP=00000000 ESP=00000000
EIP=0000fff0 EFL=00000002 [-------] CPL=0 II=0 A20=1 SMM=0 HLT=0
ES =0000 00000000 0000ffff 00009300
CS =f000 ffff0000 0000ffff 00009b00
......

Fix this by handling latched INITs only in specific CPU states (SMM, VMX
non-root mode, SVM with GIF=0) in KVM_SET_VCPU_EVENTS.

Cc: stable@vger.kernel.org
Fixes: ff90afa75573 ("KVM: x86: Evaluate latched_init in KVM_SET_VCPU_EVENTS when vCPU not in SMM")
Signed-off-by: Fei Li
---
 arch/x86/kvm/x86.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
index a1c49bc681c46..7001b2af00ed1 100644
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -5556,7 +5556,7 @@ static int kvm_vcpu_ioctl_x86_set_vcpu_events(struct kvm_vcpu *vcpu,
 		return -EINVAL;
 #endif
 
-	if (lapic_in_kernel(vcpu)) {
+	if (!kvm_apic_init_sipi_allowed(vcpu) && lapic_in_kernel(vcpu)) {
 		if (events->smi.latched_init)
 			set_bit(KVM_APIC_INIT, &vcpu->arch.apic->pending_events);
 		else
-- 
2.39.2 (Apple Git-143)
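Review bot: in the `+` line of the hunk, `lapic_in_kernel(vcpu)` should be tested before `kvm_apic_init_sipi_allowed(vcpu)`: the in-kernel-LAPIC test is the guard for `vcpu->arch.apic`, which the `set_bit(KVM_APIC_INIT, &vcpu->arch.apic->pending_events);` line below dereferences, while the new call is the execution-state test (SMM, VMX non-root mode, GIF=0 per the commit message), so `if (lapic_in_kernel(vcpu) && !kvm_apic_init_sipi_allowed(vcpu)) {` reads as guard first, state second. The condition also needs a comment in the code: nothing in this hunk says why a latched INIT is only consumed in those states, and a later reader sees a one-line check that reverses commit ff90afa75573 without the race from the commit message being visible at the call site. Finally, the new gate skips both the `set_bit` and the `else` (clear) branch, while the race being fixed is the stale `latched_init == 0` clearing a freshly pending INIT; the commit message should state that skipping the set path outside those states is also intended, or the change should be narrowed to the clear branch if it is not.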
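The interleaving in the commit message, replayed in a small user-space C model so the lost INIT can be seen deterministically. This is an added example and not code from the patch, from KVM or from the patch author: the pending_events bits, the mp_state values, the init_sipi_allowed() rule (not in SMM, not in VMX non-root mode, GIF set) and the ioctl stand-ins are simplified assumptions that mirror the commit text, not KVM's real data structures. The same sequence is run once with the pre-patch condition and once with the patched one; a third case checks that a vCPU in SMM still has its latched INIT restored by KVM_SET_VCPU_EVENTS under the patched condition.

```c
/*
 * Added example, not KVM code: user-space model of the
 * KVM_GET/SET_VCPU_EVENTS vs. INIT/SIPI race from the commit message.
 * All names and transitions below are simplified assumptions.
 */
#include <stdbool.h>
#include <stdio.h>

enum mp_state { UNINITIALIZED, INIT_RECEIVED, RUNNABLE };

#define PE_INIT (1u << 0)   /* stand-in for KVM_APIC_INIT */
#define PE_SIPI (1u << 1)   /* stand-in for KVM_APIC_SIPI */

struct vcpu {
	unsigned int pending_events;   /* stand-in for apic->pending_events */
	enum mp_state mp_state;
	bool in_smm;       /* SMM: INIT is latched until RSM */
	bool guest_mode;   /* VMX non-root mode: INIT is latched */
	bool gif;          /* SVM global interrupt flag; GIF=0 blocks INIT */
};

/* Model of kvm_apic_init_sipi_allowed(): INIT/SIPI act immediately only here. */
static bool init_sipi_allowed(const struct vcpu *v)
{
	return !v->in_smm && !v->guest_mode && v->gif;
}

/* IPI arrival only records the event; accept_events() consumes it later. */
static void send_init(struct vcpu *v) { v->pending_events |= PE_INIT; }
static void send_sipi(struct vcpu *v) { v->pending_events |= PE_SIPI; }

/* Model of kvm_apic_accept_events(): consume pending INIT/SIPI when allowed. */
static void accept_events(struct vcpu *v)
{
	if (!init_sipi_allowed(v))
		return;                        /* events stay latched */
	if (v->pending_events & PE_INIT) {
		v->pending_events &= ~PE_INIT;
		v->mp_state = INIT_RECEIVED;   /* reset into wait-for-SIPI */
	}
	if (v->pending_events & PE_SIPI) {
		v->pending_events &= ~PE_SIPI;
		if (v->mp_state == INIT_RECEIVED)
			v->mp_state = RUNNABLE;    /* SIPI without a prior INIT is dropped */
	}
}

/* KVM_GET_VCPU_EVENTS: snapshot of the latched INIT bit. */
static bool get_latched_init(const struct vcpu *v)
{
	return (v->pending_events & PE_INIT) != 0;
}

/* KVM_SET_VCPU_EVENTS, latched_init part; with_fix selects the patched condition. */
static void set_latched_init(struct vcpu *v, bool latched_init, bool with_fix)
{
	if (with_fix && init_sipi_allowed(v))
		return;   /* patched: INIT cannot be latched here, leave pending_events alone */
	if (latched_init)
		v->pending_events |= PE_INIT;
	else
		v->pending_events &= ~PE_INIT;   /* pre-patch: stale snapshot wipes a live INIT */
}

/*
 * Replay the commit-message interleaving: the AP's snapshot is taken before
 * the BSP's INIT arrives and written back afterwards. Returns the AP's final
 * mp_state: UNINITIALIZED without the fix, RUNNABLE with it.
 */
static enum mp_state replay_race(bool with_fix)
{
	struct vcpu ap = { .mp_state = UNINITIALIZED, .gif = true };
	bool snapshot = get_latched_init(&ap);      /* latched_init = 0 */
	send_init(&ap);                             /* BSP: send INIT to AP */
	set_latched_init(&ap, snapshot, with_fix);  /* AP: stale snapshot written back */
	accept_events(&ap);
	send_sipi(&ap);                             /* BSP: send SIPI to AP */
	accept_events(&ap);
	return ap.mp_state;
}

/* Control case: in SMM the patched condition still honours latched_init = 1. */
static bool smm_latched_init_restored(void)
{
	struct vcpu ap = { .mp_state = RUNNABLE, .in_smm = true, .gif = true };
	set_latched_init(&ap, true, true);
	bool latched = get_latched_init(&ap);   /* still pending while in SMM */
	ap.in_smm = false;                      /* RSM */
	accept_events(&ap);
	return latched && ap.mp_state == INIT_RECEIVED;
}

int main(void)
{
	printf("without fix: mp_state=%d (0 = UNINITIALIZED)\n", replay_race(false));
	printf("with fix:    mp_state=%d (2 = RUNNABLE)\n", replay_race(true));
	printf("SMM latched INIT restored: %s\n",
	       smm_latched_init_restored() ? "yes" : "no");
	return 0;
}
```

The replay is deterministic because the order of the diagram is hard-coded; the real race depends on the AP's vCPU thread being preempted between the get and set ioctls while the BSP delivers INIT, so a threaded reproducer would only hit it occasionally.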