Date: Thu, 26 Aug 2021 16:01:06 +0000
From: Sean Christopherson
To: Maxim Levitsky
Cc: kvm@vger.kernel.org, Thomas Gleixner, Wanpeng Li, Joerg Roedel, "H. Peter Anvin", Jim Mattson, Ingo Molnar, Paolo Bonzini, Vitaly Kuznetsov, "maintainer:X86 ARCHITECTURE (32-BIT AND 64-BIT)", Borislav Petkov, "open list:X86 ARCHITECTURE (32-BIT AND 64-BIT)"
Subject: Re: [PATCH 1/2] KVM: VMX: avoid running vmx_handle_exit_irqoff in case of emulation
Message-ID:
References: <20210826095750.1650467-1-mlevitsk@redhat.com> <20210826095750.1650467-2-mlevitsk@redhat.com>
In-Reply-To: <20210826095750.1650467-2-mlevitsk@redhat.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Thu, Aug 26, 2021, Maxim Levitsky wrote:
> If we are emulating an invalid guest state, we don't have a correct
> exit reason, and thus we shouldn't do anything in this function.
>
> Signed-off-by: Maxim Levitsky

This should have Cc: stable.  I believe userspace could fairly easily trick KVM
into "handling" a spurious IRQ, e.g. trigger SIGALRM and stuff invalid state.
For all those evil folks running CPUs that are almost old enough to drive :-)

> ---
>  arch/x86/kvm/vmx/vmx.c | 3 +++
>  1 file changed, 3 insertions(+)
>
> diff --git a/arch/x86/kvm/vmx/vmx.c b/arch/x86/kvm/vmx/vmx.c
> index fada1055f325..0c2c0d5ae873 100644
> --- a/arch/x86/kvm/vmx/vmx.c
> +++ b/arch/x86/kvm/vmx/vmx.c
> @@ -6382,6 +6382,9 @@ static void vmx_handle_exit_irqoff(struct kvm_vcpu *vcpu)
>  {
>  	struct vcpu_vmx *vmx = to_vmx(vcpu);
>
> +	if (vmx->emulation_required)
> +		return;

Rather than play whack-a-mole with flows consuming stale state, I'd much prefer
to synthesize a VM-Exit(INVALID_GUEST_STATE).  Alternatively, just skip ->run()
entirely by adding hooks in vcpu_enter_guest(), but that's a much larger change
and probably not worth the risk at this juncture.

---
 arch/x86/kvm/vmx/vmx.c | 17 ++++++++++++++---
 1 file changed, 14 insertions(+), 3 deletions(-)
diff --git a/arch/x86/kvm/vmx/vmx.c b/arch/x86/kvm/vmx/vmx.c
index 32e3a8b35b13..12fe63800889 100644
--- a/arch/x86/kvm/vmx/vmx.c
+++ b/arch/x86/kvm/vmx/vmx.c
@@ -6618,10 +6618,21 @@ static fastpath_t vmx_vcpu_run(struct kvm_vcpu *vcpu)
 	    vmx->loaded_vmcs->soft_vnmi_blocked))
 		vmx->loaded_vmcs->entry_time = ktime_get();
 
-	/* Don't enter VMX if guest state is invalid, let the exit handler
-	   start emulation until we arrive back to a valid state */
-	if (vmx->emulation_required)
+	/*
+	 * Don't enter VMX if guest state is invalid, let the exit handler
+	 * start emulation until we arrive back to a valid state.  Synthesize a
+	 * consistency check VM-Exit due to invalid guest state and bail.
+	 */
+	if (unlikely(vmx->emulation_required)) {
+		vmx->fail = 0;
+		vmx->exit_reason.full = EXIT_REASON_INVALID_STATE;
+		vmx->exit_reason.failed_vmentry = 1;
+		kvm_register_mark_available(vcpu, VCPU_EXREG_EXIT_INFO_1);
+		vmx->exit_qualification = ENTRY_FAIL_DEFAULT;
+		kvm_register_mark_available(vcpu, VCPU_EXREG_EXIT_INFO_2);
+		vmx->exit_intr_info = 0;
 		return EXIT_FASTPATH_NONE;
+	}
 
 	trace_kvm_entry(vcpu);
--

or the beginnings of an aggressive refactor...

diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
index cf8fb6eb676a..a4fe0f78898a 100644
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -9509,6 +9509,9 @@ static int vcpu_enter_guest(struct kvm_vcpu *vcpu)
 		goto cancel_injection;
 	}
 
+	if (unlikely(static_call(kvm_x86_emulation_required)(vcpu)))
+		return static_call(kvm_x86_emulate_invalid_guest_state)(vcpu);
+
 	preempt_disable();
 	static_call(kvm_x86_prepare_guest_switch)(vcpu);

> +
>  	if (vmx->exit_reason.basic == EXIT_REASON_EXTERNAL_INTERRUPT)
>  		handle_external_interrupt_irqoff(vcpu);
>  	else if (vmx->exit_reason.basic == EXIT_REASON_EXCEPTION_NMI)
> --
> 2.26.3
>
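Review bot: the bare `if (vmx->emulation_required) return;` at the top of vmx_handle_exit_irqoff() has no comment saying why the exit reason it guards cannot be trusted, and a reader who does not know that vmx_vcpu_run() returns before VM-Entry when emulation_required is set (the removed `if (vmx->emulation_required) return EXIT_FASTPATH_NONE;` in the reply's hunk) will not see that vmx->exit_reason still holds the previous exit's value at this point. A one-line comment such as `/* exit_reason is stale: VM-Entry was skipped for invalid guest state */` would carry the commit message's reasoning into the code. Since the reply notes that userspace can drive this into handling a spurious IRQ, the commit should also carry a Cc: stable tag.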
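Review bot: in the vmx_vcpu_run() hunk, kvm_register_mark_available(vcpu, VCPU_EXREG_EXIT_INFO_1) is called before vmx->exit_qualification is assigned, and the same for VCPU_EXREG_EXIT_INFO_2 and vmx->exit_intr_info, so a register is declared available before its value is stored; nothing can read the field in between because both stores happen before the function returns, but storing first and marking afterwards (or marking both after the three stores) reads in the order the reader expects. The new comment could also say that the function still returns before trace_kvm_entry(), so the synthesized exit produces no kvm_entry/kvm_exit pair in traces; that was already true of the removed early return, so it is not a regression, but it is worth a sentence. Posted as an inline sketch, the change has no commit message or Signed-off-by, and if it is turned into the fix it needs the Cc: stable tag the reply asks for on the original patch.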
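Review bot: the new early return in vcpu_enter_guest() sits immediately after the block that ends in `goto cancel_injection; }`, so by the label's own name event injection has already been attempted on this pass, yet the return path bypasses cancel_injection entirely; whatever was injected stays armed while the invalid-state emulation runs. Either move the check ahead of the injection step, next to the existing request checks that bail via cancel_injection, or record that emulation is needed and `goto cancel_injection` instead of returning. Separately, kvm_x86_emulation_required and kvm_x86_emulate_invalid_guest_state are new static calls whose kvm_x86_ops declarations and VMX/SVM implementations are not in this diff, so as posted the hunk does not build on its own; expected for "the beginnings of a refactor", but they need to accompany it.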
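The hazard the thread is about, modelled as an added, self-contained toy in C. This is not KVM code and not the patch under review: the vcpu struct, the fake VM-Entry, the handler and the userspace scenario are simplified assumptions, and only the exit-reason numbers (EXTERNAL_INTERRUPT = 1, INVALID_STATE = 33) and the basic/failed_vmentry split follow the VMX encodings KVM uses. It runs the same two-step scenario Sean describes (one real exit for an IRQ, then userspace stuffs invalid state and runs again) under the pre-patch shape, where the early bail-out leaves exit_reason stale, and under the reply's synthesized failed VM-Entry, and shows that only the stale variant fires the IRQ path a second time.

```c
/*
 * Toy model of a stale exit_reason, added as an illustration; not KVM code.
 * Structures, the fake VM-Entry, the handler and the scenario are assumptions.
 * Exit reason values follow the VMX encodings KVM's headers use.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define EXIT_REASON_EXTERNAL_INTERRUPT  1
#define EXIT_REASON_INVALID_STATE       33
#define ENTRY_FAIL_DEFAULT              0

/* Mirrors the basic/failed_vmentry split of the VMX exit reason word. */
union exit_reason {
	struct {
		unsigned int basic          : 16;
		unsigned int reserved       : 15;
		unsigned int failed_vmentry : 1;
	};
	uint32_t full;
};

struct vcpu {
	bool emulation_required;        /* guest state is not VMX-valid */
	union exit_reason exit_reason;  /* written only by "hardware" or a synthesizer */
	uint32_t exit_qualification;
	unsigned int irqs_handled;      /* how often the external-interrupt path fired */
};

/* Stand-in for a real VM-Entry that immediately exits on an external interrupt. */
static void fake_vmenter_and_exit(struct vcpu *v)
{
	v->exit_reason.full = EXIT_REASON_EXTERNAL_INTERRUPT;
}

/* Pre-patch shape: bail before VM-Entry, leaving the previous exit_reason in place. */
static void vcpu_run_stale(struct vcpu *v)
{
	if (v->emulation_required)
		return;
	fake_vmenter_and_exit(v);
}

/* Shape of the reply's proposal: synthesize a failed VM-Entry for invalid state. */
static void vcpu_run_synth(struct vcpu *v)
{
	if (v->emulation_required) {
		v->exit_reason.full = EXIT_REASON_INVALID_STATE;
		v->exit_reason.failed_vmentry = 1;
		v->exit_qualification = ENTRY_FAIL_DEFAULT;
		return;
	}
	fake_vmenter_and_exit(v);
}

/* Unguarded consumer of exit_reason, as vmx_handle_exit_irqoff() was before the patch. */
static void handle_exit_irqoff(struct vcpu *v)
{
	if (v->exit_reason.basic == EXIT_REASON_EXTERNAL_INTERRUPT)
		v->irqs_handled++;      /* stand-in for handle_external_interrupt_irqoff() */
}

/*
 * One real run that exits for an IRQ, then userspace stuffs invalid guest
 * state and runs again.  Returns how often the IRQ path fired across both runs.
 */
static unsigned int run_scenario(void (*run)(struct vcpu *))
{
	struct vcpu v = {0};

	run(&v);
	handle_exit_irqoff(&v);
	v.emulation_required = true;    /* e.g. bogus segment state set from userspace */
	run(&v);
	handle_exit_irqoff(&v);
	return v.irqs_handled;
}

/* After a synthesized bail-out the exit must read as a failed VM-Entry. */
static bool synth_reports_failed_entry(void)
{
	struct vcpu v = {0};

	fake_vmenter_and_exit(&v);      /* leave a stale EXTERNAL_INTERRUPT behind */
	v.emulation_required = true;
	vcpu_run_synth(&v);
	return v.exit_reason.basic == EXIT_REASON_INVALID_STATE &&
	       v.exit_reason.failed_vmentry == 1;
}

int main(void)
{
	printf("stale exit_reason: IRQ path fired %u times\n", run_scenario(vcpu_run_stale));
	printf("synthesized exit:  IRQ path fired %u times\n", run_scenario(vcpu_run_synth));
	printf("synthesized exit reports failed VM-Entry: %s\n",
	       synth_reports_failed_entry() ? "yes" : "no");
	return 0;
}
```

The stale variant reports the IRQ path firing twice although only one VM-Entry ever happened; the synthesized variant fires it once, because the second "exit" carries a reason no irqoff consumer acts on, which is why the reply prefers rewriting the exit state over guarding each consumer individually.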