From: Paolo Bonzini <pbonzini@redhat.com>
To: Hou Wenlong <houwenlong93@linux.alibaba.com>, kvm@vger.kernel.org
Subject: Re: [PATCH 0/2] KVM: some fixes about RDMSR/WRMSR instruction emulation
Date: Fri, 22 Oct 2021 11:46:17 +0200	[thread overview]
Message-ID: <bebc39f8-0ebc-c8cb-413e-bb4e30397057@redhat.com> (raw)
In-Reply-To: <cover.1634870747.git.houwenlong93@linux.alibaba.com>

On 22/10/21 04:59, Hou Wenlong wrote:
> When the KVM_CAP_X86_USER_SPACE_MSR cap is enabled, userspace can control
> MSR accesses. In the normal scenario, RDMSR/WRMSR can be intercepted, but
> when kvm.force_emulation_prefix is enabled, RDMSR/WRMSR with the kvm prefix
> would trigger a UD and cause instruction emulation. If the MSR access is
> filtered, em_rdmsr()/em_wrmsr() returns X86EMUL_IO_NEEDED, but it is
> ignored by x86_emulate_instruction(). Then the guest continues execution,
> but RIP has been updated to point to RDMSR/WRMSR in handle_ud(), so
> RDMSR/WRMSR can be intercepted and the guest finally exits to userspace by
> mistake. Such behaviour leads to two VM exits and wastes one instruction
> emulation.
> 
> After letting x86_emulate_instruction() return 0 for RDMSR/WRMSR emulation,
> if it needs to exit to userspace, its complete_userspace_io callback
> would call kvm_skip_instruction() to skip the instruction. But for vmx,
> VMX_EXIT_INSTRUCTION_LEN in the vmcs is invalid for UD, so it can't be used to
> update RIP; kvm_emulate_instruction() should be used instead. As for
> svm, nRIP in the vmcb is 0 for UD, so kvm_emulate_instruction() is used.
> But for nested svm, I'm not sure, since svm_check_intercept() would
> change nRIP.

Hi, can you provide a testcase for this bug using the 
tools/testing/selftests/kvm framework?

Thanks,

Paolo


Thread overview:
2021-10-22  2:59 [PATCH 0/2] KVM: some fixes about RDMSR/WRMSR instruction emulation Hou Wenlong
2021-10-22  2:59 ` [PATCH 1/2] KVM: VMX: fix instruction skipping when handling UD exception Hou Wenlong
2021-10-26 16:37   ` Sean Christopherson
2021-10-27  7:00     ` Hou Wenlong
2021-10-29 10:57     ` Hou Wenlong
2021-11-01 17:03       ` Sean Christopherson
2021-10-22  2:59 ` [PATCH 2/2] KVM: X86: Exit to userspace if RDMSR/WRMSR emulation returns X86EMUL_IO_NEEDED Hou Wenlong
2021-10-22  9:46 ` Paolo Bonzini [this message]
2021-10-22 15:10   ` [PATCH 0/2] KVM: some fixes about RDMSR/WRMSR instruction emulation Hou Wenlong
2021-11-02  9:15 ` [PATCH v2 0/4] KVM: x86: some fixes about msr access emulation Hou Wenlong
2021-11-02  9:15   ` [PATCH v2 1/4] KVM: x86: Handle 32-bit wrap of EIP for EMULTYPE_SKIP with flat code seg Hou Wenlong
2021-11-02  9:15   ` [PATCH v2 2/4] KVM: x86: Add an emulation type to handle completion of user exits Hou Wenlong
2021-11-02  9:15   ` [PATCH v2 3/4] KVM: x86: Use different callback if msr access comes from the emulator Hou Wenlong
2021-11-26 17:39     ` Paolo Bonzini
2021-11-02  9:15   ` [PATCH v2 4/4] KVM: x86: Exit to userspace if RDMSR/WRMSR emulation returns X86EMUL_IO_NEEDED Hou Wenlong