From: Xiao Guangrong
Subject: Re: [PATCH 0/9] KVM: MMU: fix and improve validation of mmio page fault
Date: Tue, 4 Aug 2015 19:04:48 +0800
Message-ID: <55C09C50.7040002@linux.intel.com>
References: <1438685961-8107-1-git-send-email-guangrong.xiao@linux.intel.com>
In-Reply-To: <1438685961-8107-1-git-send-email-guangrong.xiao@linux.intel.com>
To: pbonzini@redhat.com
Cc: gleb@kernel.org, mtosatti@redhat.com, kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Pavel Shirshov
List-Id: kvm.vger.kernel.org

CCed Pavel Shirshov. Sorry, the git tool failed to CC the mail to the person tagged with "Reported-by" and "Tested-by". :(

On 08/04/2015 06:59 PM, Xiao Guangrong wrote:
> The current code validating mmio #PF is buggy; it was spotted by Pavel
> Shirshov. The bug is that qemu complained with "KVM: unknown exit,
> hardware reason 31" and KVM showed this info:
> [84245.284948] EPT: Misconfiguration.
> [84245.285056] EPT: GPA: 0xfeda848
> [84245.285154] ept_misconfig_inspect_spte: spte 0x5eaef50107 level 4
> [84245.285344] ept_misconfig_inspect_spte: spte 0x5f5fadc107 level 3
> [84245.285532] ept_misconfig_inspect_spte: spte 0x5141d18107 level 2
> [84245.285723] ept_misconfig_inspect_spte: spte 0x52e40dad77 level 1
>
> This is because we got a mmio #PF and the handler sees that the mmio spte
> has become normal (points to the ram page).
>
> However, this is valid after introducing fast mmio spte invalidation, which
> increases the generation-number instead of zapping mmio sptes; an example
> is as follows:
> 1. QEMU drops the mmio region by adding a new memslot
> 2. invalidate all mmio sptes
> 3.
>
> VCPU 0                            VCPU 1
> access the invalid mmio spte
>
>                                   access the region that was originally MMIO
>                                   set the spte to the normal ram map
>
> mmio #PF
> check the spte and see it has become a normal ram mapping !!!
>
> The first patch simply fixes the bug by dropping the validation in the mmio
> handler, which is good for backport.
>
> Later patches enable fully checking reserved bits for shadow page table
> entries; since shadow page tables and guest page tables have the same
> format, these patches reuse the logic which checks reserved bits on
> guest ptes to check sptes.
>
> Xiao Guangrong (9):
>   KVM: MMU: fix validation of mmio page fault
>   KVM: MMU: move FNAME(is_rsvd_bits_set) to mmu.c
>   KVM: MMU: introduce rsvd_bits_validate
>   KVM: MMU: split reset_rsvds_bits_mask
>   KVM: MMU: split reset_rsvds_bits_mask_ept
>   KVM: MMU: introduce the framework to check reserved bits on sptes
>   KVM: MMU: introduce is_shadow_rsvd_bits_set()
>   KVM: MMU: fully check reserved bits for sptes
>   KVM: VMX: drop ept misconfig check
>
>  arch/x86/include/asm/kvm_host.h |   9 +-
>  arch/x86/kvm/mmu.c              | 284 ++++++++++++++++++++++++----------------
>  arch/x86/kvm/mmu.h              |   4 +-
>  arch/x86/kvm/paging_tmpl.h      |  13 +-
>  arch/x86/kvm/svm.c              |   1 +
>  arch/x86/kvm/vmx.c              |  74 +----------
>  arch/x86/kvm/x86.c              |   3 +-
>  7 files changed, 187 insertions(+), 201 deletions(-)
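The interleaving in the cover letter is a time-of-check/time-of-use race between a fault handler and a concurrent page-table update: the handler asserts on a shadow pte that another VCPU is allowed to rewrite. The following C model is added here to make that concrete; it is not KVM code and none of its names (`struct mmu`, `handle_mmio_page_fault`, `simulate_race`, the `SPTE_*` bit layout, the `PF_*` results) are the kernel's. It models only what the mail states: fast invalidation bumps a generation number instead of zapping mmio sptes, a present non-mmio spte in the mmio path is therefore a legitimate "changed under us" state, and the first patch's fix is to drop that validation and simply return to the guest so the access is retried.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Constructed model of the race described in the cover letter (not KVM code).
 * One shadow pte (spte) covers the guest physical address of interest. It is
 * either not present (0), an mmio spte tagged with the mmio generation it was
 * installed under, or a normal mapping to a ram page.
 */
#define SPTE_MMIO   (1ULL << 62)
#define SPTE_RAM    (1ULL << 63)
#define GEN_MASK    0xffffULL

struct mmu {
    uint64_t spte;            /* the spte for the gpa under discussion */
    unsigned mmio_generation; /* bumped by fast mmio spte invalidation */
};

enum pf_result { PF_RETRY, PF_EMULATE, PF_BUG };

static bool is_mmio_spte(uint64_t spte) { return (spte & SPTE_MMIO) != 0; }

static bool mmio_spte_is_stale(const struct mmu *m, uint64_t spte)
{
    return (spte & GEN_MASK) != (m->mmio_generation & GEN_MASK);
}

static void install_mmio_spte(struct mmu *m)
{
    m->spte = SPTE_MMIO | (m->mmio_generation & GEN_MASK);
}

/* Step 2 of the cover letter: invalidate by bumping the generation, not zapping. */
static void invalidate_mmio_sptes(struct mmu *m) { m->mmio_generation++; }

/* VCPU 1's ordinary page fault after the region has become ram. */
static void map_ram(struct mmu *m, uint64_t pfn) { m->spte = SPTE_RAM | pfn; }

/*
 * The mmio #PF handler as run on VCPU 0. It re-reads the spte, which another
 * VCPU may have rewritten since the fault was taken. `validate` models the
 * check that the first patch drops.
 */
static enum pf_result handle_mmio_page_fault(struct mmu *m, bool validate)
{
    uint64_t spte = m->spte;

    if (is_mmio_spte(spte)) {
        if (mmio_spte_is_stale(m, spte))
            return PF_RETRY;      /* generation changed: rebuild, then re-run */
        return PF_EMULATE;        /* genuine mmio access: emulate the device */
    }

    if (validate && spte != 0) {
        /* Buggy assumption: a present, non-mmio spte here "cannot happen". */
        printf("EPT: Misconfiguration. spte 0x%llx\n", (unsigned long long)spte);
        return PF_BUG;
    }
    return PF_RETRY;              /* spte changed under us: back to the guest */
}

/* No concurrent change: the mmio spte is current and the access is emulated. */
static enum pf_result simulate_plain_mmio_access(bool validate)
{
    struct mmu m = { .spte = 0, .mmio_generation = 0 };
    install_mmio_spte(&m);
    return handle_mmio_page_fault(&m, validate);
}

/* The interleaving from the cover letter, replayed deterministically. */
static enum pf_result simulate_race(bool validate)
{
    struct mmu m = { .spte = 0, .mmio_generation = 0 };
    install_mmio_spte(&m);       /* gpa is MMIO; VCPU 0 has already faulted on it */

    invalidate_mmio_sptes(&m);   /* 1-2: QEMU adds a memslot, mmio sptes invalidated */
    map_ram(&m, 0x1234);         /* VCPU 1 faults and maps the now-ram page */

    return handle_mmio_page_fault(&m, validate); /* VCPU 0's handler finally runs */
}

int main(void)
{
    printf("buggy handler in race: %d (PF_BUG=%d)\n", simulate_race(true), PF_BUG);
    printf("fixed handler in race: %d (PF_RETRY=%d)\n", simulate_race(false), PF_RETRY);
    return 0;
}
```

With `validate` set the model reproduces the report: the handler sees a present ram mapping where it expected an mmio spte and declares a misconfiguration. Without it, the same state is treated as "retry", the guest re-executes the access, and the ordinary page-fault path handles the now-ram page. The lesson generalises beyond this patch set: a handler that runs after another CPU may have updated the structure it inspects should treat an unexpected-but-consistent state as a reason to retry, not as an invariant violation.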