Re: [PATCH 1/2] KVM: X86: Move ignore_msrs handling upper the stack

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Sean Christopherson <sean.j.christopherson@intel.com>
To: Paolo Bonzini <pbonzini@redhat.com>
Cc: Peter Xu <peterx@redhat.com>,
	linux-kernel@vger.kernel.org, kvm@vger.kernel.org,
	Vitaly Kuznetsov <vkuznets@redhat.com>
Subject: Re: [PATCH 1/2] KVM: X86: Move ignore_msrs handling upper the stack
Date: Thu, 25 Jun 2020 10:45:37 -0700	[thread overview]
Message-ID: <20200625174537.GE3437@linux.intel.com> (raw)
In-Reply-To: <20200625162540.GC3437@linux.intel.com>

On Thu, Jun 25, 2020 at 09:25:40AM -0700, Sean Christopherson wrote:
> On Thu, Jun 25, 2020 at 10:09:13AM +0200, Paolo Bonzini wrote:
> > On 25/06/20 08:15, Sean Christopherson wrote:
> > > IMO, kvm_cpuid() is simply buggy.  If KVM attempts to access a non-existent
> > > MSR then it darn well should warn.
> > > 
> > > diff --git a/arch/x86/kvm/cpuid.c b/arch/x86/kvm/cpuid.c
> > > index 8a294f9747aa..7ef7283011d6 100644
> > > --- a/arch/x86/kvm/cpuid.c
> > > +++ b/arch/x86/kvm/cpuid.c
> > > @@ -1013,7 +1013,8 @@ bool kvm_cpuid(struct kvm_vcpu *vcpu, u32 *eax, u32 *ebx,
> > >                 *ebx = entry->ebx;
> > >                 *ecx = entry->ecx;
> > >                 *edx = entry->edx;
> > > -               if (function == 7 && index == 0) {
> > > +               if (function == 7 && index == 0 && (*ebx | (F(RTM) | F(HLE))) &&
> > > +                   (vcpu->arch.arch_capabilities & ARCH_CAP_TSX_CTRL_MSR)) {
> > >                         u64 data;
> > >                         if (!__kvm_get_msr(vcpu, MSR_IA32_TSX_CTRL, &data, true) &&
> > >                             (data & TSX_CTRL_CPUID_CLEAR))
> > > 
> > 
> > That works too, but I disagree that warning is the correct behavior
> > here.  It certainly should warn as long as kvm_get_msr blindly returns
> > zero.  However, for a guest it's fine to access a potentially
> > non-existent MSR if you're ready to trap the #GP, and the point of this
> > series is to let cpuid.c or any other KVM code do the same.
> 
> I get the "what" of the change, and even the "why" to some extent, but I
> dislike the idea of supporting/encouraging blind reads/writes to MSRs.
> Blind writes are just asking for problems, and suppressing warnings on reads
> is almost guaranteed to be suppressing a KVM bug.
> 
> Case in point, looking at the TSX thing again, I actually think the fix
> should be:
> 
> diff --git a/arch/x86/kvm/cpuid.c b/arch/x86/kvm/cpuid.c
> index 5eb618dbf211..64322446e590 100644
> --- a/arch/x86/kvm/cpuid.c
> +++ b/arch/x86/kvm/cpuid.c
> @@ -1013,9 +1013,9 @@ bool kvm_cpuid(struct kvm_vcpu *vcpu, u32 *eax, u32 *ebx,
>                 *ebx = entry->ebx;
>                 *ecx = entry->ecx;
>                 *edx = entry->edx;
> -               if (function == 7 && index == 0) {
> +               if (function == 7 && index == 0 && (*ebx | (F(RTM) | F(HLE))) {
>                         u64 data;
> -                       if (!__kvm_get_msr(vcpu, MSR_IA32_TSX_CTRL, &data, true) &&
> +                       if (!kvm_get_msr(vcpu, MSR_IA32_TSX_CTRL, &data) &&
>                             (data & TSX_CTRL_CPUID_CLEAR))
>                                 *ebx &= ~(F(RTM) | F(HLE));
>                 }
> 
> 
> On VMX, MSR_IA32_TSX_CTRL will be added to the so called shared MSR array
> regardless of whether or not it is being advertised to userspace (this is
> a bug in its own right).  Using the host_initiated variant means KVM will
> incorrectly bypass VMX's ARCH_CAP_TSX_CTRL_MSR check, i.e. incorrectly
> clear the bits if userspace is being weird and stuffed MSR_IA32_TSX_CTRL
> without advertising it to the guest.

Argh, belatedly realized that MSR_IA32_TSX_CTRL needs to be swapped even
when ARCH_CAP_TSX_CTRL_MSR isn't exposed to the guest, but if and only if
if TSX is disabled in the host _and_ enabled in the guest.  So triggering
setup_msrs() on ARCH_CAP_TSX_CTRL_MSR is insufficient, but I believe we can
and should redo setup_msrs() during vmx_cpuid_update().  I'm pretty sure
that's needed for MSR_TSC_AUX+RDTSCP as well.  I suspect RDTSCP is broken
on 32-bit guests, but no has noticed because Linux only employs RDTSCP on
64-bit kernels, and 32-bit guests are exactly common in the first place.

I'll check the above to confirm and prep some patches if RDTSCP is indeed
busted.

> In short, the whole MSR_IA32_TSX_CTRL implementation seems messy and this
> is just papering over that mess.  The correct fix is to invoke setup_msrs()
> on writes to MSR_IA32_ARCH_CAPABILITIES, filtering MSR_IA32_TSX_CTRL out of
> shared MSRs when it's not advertised, and change kvm_cpuid() to use the
> unpriveleged variant.
> 
> TSC_CTRL aside, if we insist on pointing a gun at our foot at some point,
> this should be a dedicated flavor of MSR access, e.g. msr_data.kvm_initiated,
> so that it at least requires intentionally loading the gun.

next prev parent reply	other threads:[~2020-06-25 17:45 UTC|newest]

Thread overview: 25+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-06-22 22:04 [PATCH 0/2] KVM: X86: A few fixes around ignore_msrs Peter Xu
2020-06-22 22:04 ` [PATCH 1/2] KVM: X86: Move ignore_msrs handling upper the stack Peter Xu
2020-06-25  6:15   ` Sean Christopherson
2020-06-25  8:09     ` Paolo Bonzini
2020-06-25 16:25       ` Sean Christopherson
2020-06-25 17:45         ` Sean Christopherson [this message]
2020-06-25 18:44         ` Paolo Bonzini
2020-06-26 15:56           ` Sean Christopherson
2020-06-26 17:37             ` Peter Xu
2020-06-26 17:46               ` Sean Christopherson
2020-06-26 18:07         ` Peter Xu
2020-06-26 18:18           ` Sean Christopherson
2020-06-26 19:11             ` Peter Xu
2020-06-27 14:24             ` Paolo Bonzini
2020-06-30 15:47               ` Sean Christopherson
2020-07-09 18:22                 ` Peter Xu
2020-07-09 18:24                   ` Paolo Bonzini
2020-07-09 18:34                     ` Peter Xu
2020-07-09 19:24                   ` Sean Christopherson
2020-07-09 21:09                     ` Peter Xu
2020-07-09 21:26                       ` Sean Christopherson
2020-07-09 21:50                         ` Peter Xu
2020-07-09 22:11                           ` Paolo Bonzini
2020-07-10  4:58                             ` Sean Christopherson
2020-06-22 22:04 ` [PATCH 2/2] KVM: X86: Do the same ignore_msrs check for feature msrs Peter Xu

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20200625174537.GE3437@linux.intel.com \
    --to=sean.j.christopherson@intel.com \
    --cc=kvm@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=pbonzini@redhat.com \
    --cc=peterx@redhat.com \
    --cc=vkuznets@redhat.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.