Re: [PATCH V3 4/4] KVM: selftests: Add perf_metrics and fixed counter 3 tests

[sashiko-bot@kernel.org]

Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:

Pre-existing issues:
- [High] A malicious or misconfigured guest can trigger a host-side WARN_ON_ONCE by forcing KVM to emulate an RDMSR or WRMSR to MSR_PERF_METRICS, leading to log spam or a host kernel panic.
--

commit 2e12d71150f3902b3e1f245bbcb48d6fe2235b4a
Author: Zide Chen <zide.chen@intel.com>

KVM: selftests: Add perf_metrics and fixed counter 3 tests

This commit adds a selftest to exercise IA32_PERF_METRICS support for Topdown
(TMA) Level 1 metrics. It checks for non-zero metrics derived from the
workload and extends the PMU selftest to cover Intel fixed counter 3 by
bumping MAX_NR_FIXED_COUNTERS to 4.

> diff --git a/tools/testing/selftests/kvm/x86/pmu_counters_test.c b/tools/testing/selftests/kvm/x86/pmu_counters_test.c
> index dc6afac3aa919..d4688a7d1e556 100644
> --- a/tools/testing/selftests/kvm/x86/pmu_counters_test.c
> +++ b/tools/testing/selftests/kvm/x86/pmu_counters_test.c
[ ... ]
> @@ -318,6 +322,56 @@ static void guest_test_arch_event(u8 idx)
>  				FIXED_PMC_GLOBAL_CTRL_ENABLE(i));
>  }
>  
> +static void guest_test_perf_metrics(void)
> +{
> +	int retiring, bad_spec, fe_bound, be_bound, sum;
> +	u64 global_ctrl, metrics;
> +
> +	if ((guest_get_pmu_version() < 2) ||	/* Does guest have GLOBAL_CTRL? */
> +	    !this_cpu_has(X86_FEATURE_PDCM) ||
> +	    !(rdmsr(MSR_IA32_PERF_CAPABILITIES) & PERF_CAP_PERF_METRICS))
> +		return;
> +
> +	wrmsr(MSR_CORE_PERF_GLOBAL_CTRL, 0);
> +	wrmsr(MSR_CORE_PERF_FIXED_CTR3, 0);
> +	wrmsr(MSR_PERF_METRICS, 0);

[Severity: High]
This is a pre-existing issue, but since this test now exercises
MSR_PERF_METRICS, is it possible for a guest to trigger a host-side
WARN_ON_ONCE by forcing KVM to emulate RDMSR or WRMSR to MSR_PERF_METRICS?

Looking at KVM's emulation path in arch/x86/kvm/vmx/pmu_intel.c,
intel_pmu_get_msr() and intel_pmu_set_msr() both contain a WARN_ON_ONCE:

intel_pmu_get_msr() {
    ...
    case MSR_PERF_METRICS:
        WARN_ON_ONCE(!msr_info->host_initiated);
        msr_info->data = pmu->perf_metrics;
        break;
}

If a malicious guest forces instruction emulation for RDMSR or WRMSR targeting
this MSR (for example, by using the KVM_FEP forced emulation prefix, or by
executing the instruction from a page that triggers an EPT violation on
fetch), the instruction is processed by KVM's software emulator.

The emulator calls kvm_emulate_msr_read() or kvm_emulate_msr_write(), which
explicitly set msr_info.host_initiated = false.

Could this trigger the WARN_ON_ONCE in intel_pmu_get_msr() or
intel_pmu_set_msr() and allow an unprivileged guest to spam the host kernel
log or panic the host if panic_on_warn is enabled?

> +
> +	/* Enable fixed ctr3 (TOPDOWN.SLOTS) and PERF_METRICS. */
> +	wrmsr(MSR_CORE_PERF_FIXED_CTR_CTRL, FIXED_PMC_CTRL(3, FIXED_PMC_KERNEL));
> +	global_ctrl = FIXED_PMC_GLOBAL_CTRL_ENABLE(3) |
> +		      PERF_METRICS_GLOBAL_CTRL_ENABLE;
> +
> +	GUEST_RUN_PAYLOAD(MSR_CORE_PERF_GLOBAL_CTRL, global_ctrl, "");
> +
> +	/* Check test results. */
> +	metrics = rdmsr(MSR_PERF_METRICS);

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260615230118.50718-1-zide.chen@intel.com?part=4